The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spam and malware distribution – are now using it to target credit card information stored in the Chrome web browser.
Once the data – including user name, card numbers and expiration information – is exfiltrated, the malware will send it to different command and control (C2) servers than the one used by the card theft module, according to the researchers. with the Threat Insight team from cybersecurity provider Proofpoint.
The new Card Info Mod is the latest illustration of Emotet’s Lazarus-like return. It’s been over a year since Europol and law enforcement from countries like the US, UK and Ukraine destroyed the infrastructure of Emotet players in January 2021 and – hoped – they – ended the threat of malware.
However, threat intelligence groups have started reporting indications that Emotet – attributed to threat group TA542, also known as Mummy Spider and Gold Crestwood – has returned, as of November 2021.
“The notorious Emotet botnet is back, and we can expect new tricks and evasion techniques to be implemented in the malware as the operation progresses, perhaps even becoming a significant global threat,” said Ron Ben Yizhak, security researcher at cybersecurity provider Deep. Instinct, written in a blog post in November describing the technical evolutions of the malware.
Emotet’s return to the limelight didn’t take long, according to researchers. Check Point cybersecurity firm wrote that Emotet was the top global malware threat in April 2022, affecting 6% of organizations worldwide.
Security software maker Kaspersky has also spotted the group’s resurgence, noting in April a major spike in a malicious email campaign designed to spread Emotet and Qbot malware. The number of emails in the campaign rose from around 3,000 in February to around 30,000 a month later.
“The campaign is likely related to the growing activity of the Emotet botnet,” Kaspersky analysts wrote in a blog post.
According to Charles Everette, Cybersecurity Defense Directory for Deep Impact, there has been a revival of other high-profile malware, including ransomware-as-a-service (RaaS) REvil. In other cases, groups may split off and reform, returning under a new name. For example, the DarkSide ransomware group that attacked Colonial Pipeline in 2021, which under pressure from the US government disbanded and reverted to BlackMatter and then BlackCat.
“[Group] members leave and they create a new one,” Everette said. The register. “Somebody takes the source code, they go somewhere else, and they start a new company.”
Emotet is unique in that it has retained its name, he said.
“They got their wings clipped. They’re back and they’re among the most prolific again,” Everette said. “These guys know how to do it. They handled it like a service. They had a lot of success and they’re back. They’ve already done very, very well in the months since their return. They’re re-s ‘establish and they came back with new stuff in a way.”
Emotet was first detected in 2014 as a banking Trojan designed to steal sensitive and private information. Over the years, it has evolved into a self-propagating, modular Trojan that uses phishing as a means of gaining access to systems and is offered as a service to other threat groups. It is often used to deliver malware payloads from others, including ransomware by gangs such as Ryuk and Conti.
In a blog post On Thursday, Deep Impact’s Everette said the company’s researchers found that after their reappearance last year, Emotet attackers launched massive phishing campaigns targeting Japanese companies in February and March. Then from April 2022, they set their sights on the United States and Italy. ESET researchers wrote this week in a Tweeter that Mexico has also been a recent target of Emotet, whose activity has increased 100 times in the first quarter of this year compared to the third quarter of 2021.
Deep Instinct and other cybersecurity vendors also described new techniques used by the Emotet gang, including new obfuscation capabilities, 64-bit modules, and a 900% increase in the use of Microsoft Excel macros compared to the fourth quarter of 2021.
“Attacks we’ve seen hitting Japanese victims use hijacked chat threads and then use those accounts as a launching point to trick victims into enabling macros of malicious office document attachments,” Everette wrote. “One of the most troubling behaviors of this ‘new and improved’ Emotet is its effectiveness in collecting and using stolen credentials, which are then weaponized to further distribute Emotet binaries.”
They are also moving their infrastructure out of Europe and to places like Brazil, he said. The register.
Additionally, the Emotet group is receiving help from those behind the TrickBot Trojan, which helps deploy the Emotet infrastructure and malware, he said.
“I’m not surprised the code is back because it’s good code,” Everette said, adding that the Emotet Group kept its code after its infrastructure was shut down. “Then they came back strong. I’m surprised they came back as the same entity and did the same thing, but they came back stronger. They literally regrouped, figured out how to do this better, how to darken each other.” ®