New Emotet variant uses a module to steal data from Google Chrome

Researchers spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser.

Proofpoint researchers reported a new wave of Emotet infections, in particular, a new variant is using a new info-stealing module used to siphon credit card information stored in the Chrome browser.

Once the card data were gathered, the module exfiltrates it to C2 servers that are different from the loader module.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

In April, the operators of the infamous Emotet botnet started testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default.

The operators used the new technique in a low-volume Emotet campaign spotted by Proofpoint that leveraged a compromised sender’s account and the emails were not sent by the Emotet spam module. The campaign was observed between April 4, 2022, and April 19, 2022. The messages used simple words as subject such as “Salary”. The messages include OneDrive URLs pointing zip files containing Microsoft Excel Add-in (XLL) files.

“The zip archives and XLL files used the same lures as the email subjects, such as “Salary_new.zip.” This particular archive contained four copies of the same XLL file with names such as “Salary_and_bonuses-04.01.2022.xll”. The XLL files, when executed, drop and run Emotet leveraging the Epoch 4 botnet.” continues the analsys. 

The execution of the Microsoft Excel Add-in (XLL) files in the ZIP archives allows to drop and run the Emotet payload.

Researchers from Kaspersky reported that malicious spam campaigns spreading Qbot and Emotet malware and targeting organizations grew 10-fold between February and March.

“Kaspersky has unveiled a significant spike in activity from a malicious spam-email campaign, which spreads the dangerous malware Emotet and Qbot and targets corporate users. The number of such malicious emails grew from around 3,000 in February 2022 to approximately 30,000 in March. The campaign is likely connected to the increasing activity of the Emotet botnet.” states Kaspersky.

Most of the malspam messages were written in English, French, Hungarian, Italian, Norwegian, Polish, Russian, Slovenian, and Spanish languages.

Researcher Cryptolaemus

Researchers from Kroll reported that since April 22, 2022, the Emotet operators have introduced some changes to the delivery mechanism of the loader.

The experts also observed threat actors exploring new ways of delivering malware to victims such as:

• Use of .ISO containers to remove MOTW from documents or to bypass inline email defenses, which has notably been used by the IcedID malware
• Continued use of password-protected .zip attachments, as these are typically unable to be inspected by inline email security tooling

“Although undoubtedly bruised by last year’s disruption, Emotet is certainly not dead. We assess that the Emotet developers will likely keep experimenting with new infection chains at this increased cadence. We also assess that the Emotet operators will move forward with large spam campaigns in order to rebuild the botnet, thus allowing them to sell the initial access they have gained to realize their return on investment.” states Kroll.

“Although undoubtedly bruised by last year’s disruption, Emotet is certainly not dead. We assess that the Emotet developers will likely keep experimenting with new infection chains at this increased cadence.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Emotet)

[adrotate banner=”5″]

[adrotate banner=”13″]