Google chrome

New Emotet variant stealing credit card information from Google Chrome users

Image source: Toptal

The notorious Emotet malware has turned to deploying a new module designed to siphon credit card information stored in the Chrome web browser.

The credit card thief, which exclusively targets Chrome, has the ability to exfiltrate collected information to different remote command and control (C2) servers, according to the enterprise security firm point of proofwho observed the component on 6 June.

The development comes amid a spike in Emotet activity since it was resurrected late last year after a 10-month hiatus following a law enforcement operation that destroyed its attack infrastructure in January 2021.

Emotet, attributed to a threat actor known as TA542 (aka Mummy Spider or Gold Crestwood), is an advanced, self-propagating and modular Trojan that is distributed via email campaigns and is used as a distributor for other payloads such as ransomware.

cyber security

As of April 2022, Emotet is still the most popular malware with an overall impact of 6% of organizations worldwide, followed by Formbook and AgentTeslaby Checkpointthe malware testing new delivery methods using OneDrive URLs and PowerShell in .LNK attachments to bypass Microsoft’s macro restrictions.

Chrome Password Stealer

The steady growth in Emotet-related threats is further supported by the fact that the number of phishing emails, often hijacking already existing correspondence, has increased from 3,000 in February 2022 to around 30,000 in March targeting organizations in various countries as part of a large-scale spam campaign.

Stating that Emotet business “shifted into high gear” in March and April 2022, ESET said detections increased 100-fold, recording growth of over 11,000% in the first four months of the year compared to the previous three. period of one month from September to December 2021.


Some of the common targets since the botnet’s resurrection are Japan, Italy and Mexico, the Slovak cybersecurity firm noted, adding that the biggest surge was recorded on March 16, 2022.

“The size of the latest Emotet LNK and XLL campaigns was significantly lower than those distributed via compromised DOC files seen in March,” Dušan Lacika, Principal Detection Engineer at Dušan Lacika, said.

cyber security

“This suggests operators are only utilizing a fraction of the botnet’s potential while testing new delivery vectors that could replace the now disabled VBA macros by default.”

The findings also come as CyberArk researchers demonstrated a new technical to pull plaintext credentials directly from memory in Chromium-based web browsers.

Chrome Password Stealer

“Credentials are stored in Chrome’s memory in plain text format,” CyberArk’s Zeev Ben Porat said. “In addition to data entered dynamically when logging into specific web applications, an attacker can cause the browser to load into memory any passwords stored in the password manager.”

This also includes cookie information such as session cookies, potentially allowing an attacker to extract the information and use it to hijack user accounts even when protected by multi-factor authentication.