The Emotet botnet is now trying to infect victims with a credit card stealer module that can collect credit card information stored in Google Chrome user profiles.
After stealing the credit card information, which includes the cardholder name, expiration month and year, and card number, the malware sends it to command-and-control (C2) servers different from the ones the Emotet card stealer module uses.
Researchers at Proofpoint observed the new Emotet module being dropped by the E4 botnet; the module is a credit card stealer that targets only the Chrome browser.
This behavior change comes after increasing activity during April and a switch to 64-bit modules, as spotted by the Cryptolaemus security research group.
One week later, Emotet started using Windows shortcut files (.LNK) to execute PowerShell commands that infect victims’ devices, moving away from Microsoft Office macros, which have been disabled by default since early April 2022.
The Emotet malware is attributed to a threat actor known as TA542 (aka Mummy Spider or Gold Crestwood) and was first developed and deployed in attacks as a banking trojan in 2014.
It allows its operators to steal user data, perform reconnaissance on breached networks, and move laterally to vulnerable devices.
Emotet is known for dropping Qbot and TrickBot trojan payloads on victims’ compromised computers, which are then used to deploy additional malware, including Cobalt Strike beacons and ransomware such as Ryuk and Conti.
Emotet’s infrastructure was taken down in early 2021 in an international law enforcement action. The botnet came back in November 2021 using TrickBot’s already existing infrastructure.