The Emotet botnet — used by criminals to distribute malware around the world — has begun attempting to steal credit card information from unsuspecting users, according to security researchers. The malware targets the popular Google Chrome browser, then sends the exfiltrated information to command-and-control servers. The resurgence of the Emotet botnet comes over a year after Europol and international law enforcement agencies shut down the botnet’s infrastructure in January 2021, and used the botnet to deliver software to remove the malware from infected computers.
Cybersecurity platform Proofpoint spotted a new Emotet module bring dropped on June 6, in the form of a credit card stealer. The malware only targets Google Chrome — one of the most widely used browers across platforms. While the module was dropped from one server, the credit card information — including card numbers and expiration dates — collected from Chrome is then uploaded to a different command-and-control (C2) server, according to the researchers.
On June 6th, Proofpoint observed a new #Emotet module being dropped by the E4 botnet. To our surprise it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader. pic.twitter.com/zy92TyYKzs
— Threat Insight (@threatinsight) June 7, 2022
Emotet was initially created as banking trojan in 2014, but later evolved into the TA542 threat group — also known as Mummy Spider — which was used to deliver malware to steal data, spy on and attack other devices on the same network. It was used to drop other notorious malware onto victims computers. In 2020, Check Point Research had flagged the use of the botnet to infect Japanese users with a coronavirus-themed email campaign. In January 2021, a six-nation enforcement team shut down the prolific network and disabled the infrastructure.
However, cybersecurity platform Deep Instinct states that new variants of the Emotet botnet had emerged in the fourth quarter of 2021, with massive phishing campaigns against Japanese businesses in February and March 2022, expanding to new regions in April and May. The Emotet botnet was also allegedly helped by another notorious group that created the Trickbot malware.
According to Deep Instinct, Emotet detections increased more than 2,700 percent in Q1 2022 compared to Q4 2021. Forty-five percent of malware was using a Microsoft Office attachment. Meanwhile, Emotet has begun using Windows PowerShell scripts and almost 20 percent of malware were taking advantage of a 2017 Microsoft Office security flaw.
#Emotet botnet shifted to a higher gear in T1 2022, with its activity growing more than 100-fold vs T3 2021. #ESETresearch detected its biggest campaign on March 16, targeting Japan ????????, Italy ????????, and Mexico ????????. 1/4 pic.twitter.com/NHZtLJ4BfP
— ESET research (@ESETresearch) June 7, 2022
On the other hand, ESET researchers explained that the Emotet botnet activity had grown nearly a hundred-fold compared to 2021, with the biggest campaign detected on March 16, targeting Japan, Italy and Mexico. Microsoft disabled macros in its Office software in April as a security measure, prompting the botnet to use malicious LNK files (Windows shortcuts) and distributing malware via Discord.
In order to lower the chances of being infected by the Emotet botnet, users must make sure their operating system and programs are always up to date, take regular backups of important information stored separately. The malware primarily spreads through malicious email campaigns, so users should avoid opening or clicking on links and downloading attachments from unknown senders.