Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New Emotet variant uses a module to steal data from Google Chrome

Researchers spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser. Proofpoint researchers reported a new wave of Emotet infections, in particular, a new variant is using a new info-stealing module used to siphon credit card information stored in the Chrome […]

Emotet botnet new technique

Researchers spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser.

Proofpoint researchers reported a new wave of Emotet infections, in particular, a new variant is using a new info-stealing module used to siphon credit card information stored in the Chrome browser.

Once the card data were gathered, the module exfiltrates it to C2 servers that are different from the loader module.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as ContiProLockRyuk, and Egregor.

In April, the operators of the infamous Emotet botnet started testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default.

The operators used the new technique in a low-volume Emotet campaign spotted by Proofpoint that leveraged a compromised sender’s account and the emails were not sent by the Emotet spam module. The campaign was observed between April 4, 2022, and April 19, 2022. The messages used simple words as subject such as “Salary”. The messages include OneDrive URLs pointing zip files containing Microsoft Excel Add-in (XLL) files.

“The zip archives and XLL files used the same lures as the email subjects, such as “Salary_new.zip.” This particular archive contained four copies of the same XLL file with names such as “Salary_and_bonuses-04.01.2022.xll”. The XLL files, when executed, drop and run Emotet leveraging the Epoch 4 botnet.” continues the analsys. 

The execution of the Microsoft Excel Add-in (XLL) files in the ZIP archives allows to drop and run the Emotet payload.

Researchers from Kaspersky reported that malicious spam campaigns spreading Qbot and Emotet malware and targeting organizations grew 10-fold between February and March.

“Kaspersky has unveiled a significant spike in activity from a malicious spam-email campaign, which spreads the dangerous malware Emotet and Qbot and targets corporate users. The number of such malicious emails grew from around 3,000 in February 2022 to approximately 30,000 in March. The campaign is likely connected to the increasing activity of the Emotet botnet.” states Kaspersky.

Most of the malspam messages were written in English, French, Hungarian, Italian, Norwegian, Polish, Russian, Slovenian, and Spanish languages.

Researcher Cryptolaemus

Researchers from Kroll reported that since April 22, 2022, the Emotet operators have introduced some changes to the delivery mechanism of the loader.

The experts also observed threat actors exploring new ways of delivering malware to victims such as:

  • Use of .ISO containers to remove MOTW from documents or to bypass inline email defenses, which has notably been used by the IcedID malware
  • Continued use of password-protected .zip attachments, as these are typically unable to be inspected by inline email security tooling

“Although undoubtedly bruised by last year’s disruption, Emotet is certainly not dead. We assess that the Emotet developers will likely keep experimenting with new infection chains at this increased cadence. We also assess that the Emotet operators will move forward with large spam campaigns in order to rebuild the botnet, thus allowing them to sell the initial access they have gained to realize their return on investment.” states Kroll.

“Although undoubtedly bruised by last year’s disruption, Emotet is certainly not dead. We assess that the Emotet developers will likely keep experimenting with new infection chains at this increased cadence.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Emotet)

[adrotate banner=”5″]

[adrotate banner=”13″]