Do you frequently use credit cards? Do you conduct your banking transactions using Google Chrome? If you answered 'Yes' to any of the above questions, you should be on high alert.

The Emotet botnet has started dropping a new module that targets Google Chrome and attempts to steal the credit card details users have saved in the browser.

What has been found?

On June 6th, a security firm observed the E4 (Epoch 4) botnet dropping a new Emotet module.
  • To their surprise, it was a credit card stealer that targeted only the Chrome browser.
  • Once card details were collected, they were exfiltrated to C2 servers different from the ones the module loader uses.
  • Emotet activity picked up in April, and about a week later the botnet began using Windows shortcut files (.LNK) to launch PowerShell commands that infect victims' devices.

What’s Emotet Malware?

The Emotet botnet is known for delivering trojan payloads that steal user data, scan the compromised network, and move laterally to vulnerable devices.
 

How does Emotet Malware function?

  • The Emotet botnet is actively pushing a credit card stealer module to infected hosts; the module harvests the payment card details stored in Google Chrome user profiles.
  • After collecting the cardholder name, expiration month and year, and card number, the module sends them to command-and-control (C2) servers separate from the ones used by the module loader that delivered it.
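The two bullets above describe what the module reads from a Chrome profile: the saved cards in the profile's "Web Data" SQLite file, where the cardholder name and expiry are kept in plaintext and only the card number is encrypted. The following script is an added example for defenders, not code from the article or from Emotet: it audits a profile for saved cards so you can see what a stealer on the host would have access to. The table and column names (credit_cards, name_on_card, expiration_month, expiration_year, card_number_encrypted) and the default profile path are assumptions about Chrome's on-disk layout; the sample database it builds when no real profile is found is constructed data. It never decrypts card numbers, only reports that an encrypted number is present.

```python
import os
import shutil
import sqlite3
import tempfile
from typing import Dict, List

# Assumed subset of the schema of Chrome's "Web Data" file (credit_cards table).
# Column names are assumptions for this example, not taken from the article.
SCHEMA = """
CREATE TABLE credit_cards (
    guid VARCHAR PRIMARY KEY,
    name_on_card VARCHAR,
    expiration_month INTEGER DEFAULT 0,
    expiration_year INTEGER DEFAULT 0,
    card_number_encrypted BLOB,
    date_modified INTEGER NOT NULL DEFAULT 0,
    origin VARCHAR DEFAULT '',
    use_count INTEGER NOT NULL DEFAULT 0
);
"""


def create_sample_web_data() -> str:
    """Build a constructed stand-in for a profile's 'Web Data' file with two saved
    cards and return its path. Sample data only; the 'encrypted' number is a dummy
    blob with the v10 prefix that recent Chrome versions use, followed by zero bytes."""
    path = os.path.join(tempfile.mkdtemp(prefix="webdata_"), "Web Data")
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO credit_cards (guid, name_on_card, expiration_month, "
        "expiration_year, card_number_encrypted, date_modified) VALUES (?,?,?,?,?,?)",
        [
            ("00000000-0000-0000-0000-000000000001", "Alice Example", 4, 2026, b"v10" + bytes(32), 1654500000),
            ("00000000-0000-0000-0000-000000000002", "Bob Example", 11, 2027, b"v10" + bytes(32), 1654500001),
        ],
    )
    conn.commit()
    conn.close()
    return path


def default_web_data_path() -> str:
    """Assumed location of the Default profile's 'Web Data' file on Windows."""
    return os.path.join(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome",
                        "User Data", "Default", "Web Data")


def list_stored_cards(web_data_path: str) -> List[Dict[str, object]]:
    """Return the plaintext metadata Chrome keeps for each saved card.

    Works on a copy because Chrome keeps the live file locked while running.
    The card number itself is stored encrypted (card_number_encrypted) and is
    deliberately not decrypted; only its presence and length are reported."""
    with tempfile.TemporaryDirectory() as tmp:
        copy_path = os.path.join(tmp, "Web Data.copy")
        shutil.copy2(web_data_path, copy_path)
        conn = sqlite3.connect(f"file:{copy_path}?mode=ro", uri=True)
        try:
            rows = conn.execute(
                "SELECT name_on_card, expiration_month, expiration_year, "
                "length(card_number_encrypted), use_count FROM credit_cards "
                "ORDER BY date_modified"
            ).fetchall()
        finally:
            conn.close()
    return [
        {
            "name_on_card": name,
            "expires": f"{(month or 0):02d}/{year or 0}",
            "number_encrypted_bytes": enc_len or 0,
            "use_count": use_count,
        }
        for name, month, year, enc_len, use_count in rows
    ]


if __name__ == "__main__":
    target = default_web_data_path()
    if not os.path.exists(target):
        target = create_sample_web_data()
        print("No Chrome profile found; auditing constructed sample at", target)
    cards = list_stored_cards(target)
    print(f"{len(cards)} saved card(s) present")
    for card in cards:
        print(card)
```

Run it on a workstation and every row it prints is data a stealer running as that user could lift without any privilege escalation; an empty result (no cards saved, or Chrome's payment autofill disabled) is the state you want. The script reads a copy rather than the live file because Chrome holds the database open, which is also how forensic tooling normally handles browser artifacts.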

Emotet: a look into its history

Emotet first appeared as a banking trojan in 2014 and later evolved into a botnet that the TA542 threat group (aka Mummy Spider) uses to deliver second-stage payloads.
  • It also enables its operators to steal user data, conduct reconnaissance on compromised networks, and move laterally to vulnerable devices.
  • Emotet is known for deploying the Qbot and Trickbot trojans on compromised computers, which in turn deploy additional malware such as Cobalt Strike beacons and ransomware like Ryuk and Conti.
 

Emotet’s rise: a worrying sign indeed

The most concerning aspect for Chrome users is that Emotet activity surged in the first quarter of 2022, rising more than 100-fold compared with the last three quarters of 2021. What makes Emotet such a threat is that its operators gain direct access to credential data that Chrome holds in memory in cleartext. That data also includes cookies, session cookies among them, so an attacker who extracts a valid session cookie can take over the session even when the account is protected by multifactor authentication (MFA).
Cyware Publisher