Emonet malware now attacks Chrome Browser

Emonet malware was widely named during the year 2020. However, after a major operation by the authorities, the attack infrastructure of this Trojan was dismantled. At the end of 2021, it appeared again, and this year it has been very active. It is currently attacking Chrome to steal users’ credit card information, which Google’s browser stores. Get to know all the details of this new activity with the following lines.

Read: Symbiote is the new malware on Linux

Emonet steals card information stored in Chrome

Definitely, if we talk about a chameleon trojan, Emonet should be in the top 5. It is currently showing a new module that was designed to divert credit card information that many users store in the Google browser. So far, it is known that this malware is only targeting Chrome and has the ability to exfiltrate the collected information to different remote command-and-control (C2) servers; everything was disclosed by the cybersecurity firm Proofpoint which discovered the new modality on the 6th of this month.

Originally, Emonet is a very advanced Trojan that is capable of self-propagation, usually distributed through email campaigns. And it is usually accompanied by other threats such as ransomware. So far, it is attributed to the cybercriminal known as TA542, Mummy Spider, or Gold Crestwood. One of its achievements is that this is the most popular malware in the cybercriminal world and is attributed to 6% of attacks on organizations worldwide.

This Trojan continues to test new forms of attack and distribution using OneDrive URLs and PowerShell in .LNK attachments to get around Microsoft’s macro restrictions. This is also due to the increase in phishing emails that grew from 3,000 in February to close to 30,000 in March, targeting organizations in various countries as part of a mass-scale spam campaign.

“The size of Emotet’s latest LNK and XLL campaigns was significantly smaller than those distributed via compromised DOC files seen in March,” ESET researcher Dušan Lacika said. “This suggests that the operators are only using a fraction of the botnet’s potential while testing new distribution vectors that could replace the now disabled-by-default VBA macros.”

There’s also a report from CyberARK researchers, demonstrating a new technique that extracts plaintext credentials directly from memory in Chromium-based web browsers. “Credential data is stored in Chrome’s memory in cleartext format,” CyberArk’s Zeev Ben Porat said in a statement. “In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager.”

And this technique also includes information from cookies, especially those used to log in to different accounts, which would allow any hacker to gain access to user accounts even when multi-factor authentication is activated.

Keep in touch with our blog to read the latest news and innovations in the cybersecurity world.