Search This Blog

Showing posts with label Emotnet. Show all posts

New Emotet Variant Capturing Users' Credit Card Data from Google Chrome

 

The infamous Emotet malware has deployed a new module aimed to steal credit card data saved in the Chrome web browser. According to corporate security firm Proofpoint, which discovered the component on June 6, the credit card stealer, which only targets Chrome, has the capacity to exfiltrate the acquired information to several remote command-and-control (C2) servers. 

The news comes amid a surge in Emotet activity since it was reactivated late last year after a 10-month pause caused by a law enforcement operation that destroyed its attack infrastructure in January 2021. Emotet, attributed to the threat actor TA542 (aka Mummy Spider or Gold Crestwood), is a sophisticated, self-propagating, and modular trojan that is distributed via email campaigns. 

According to Check Point, as of April 2022, Emotet is still the most renowned malware, with a global impact of 6% of organisations worldwide, followed by Formbook and Agent Tesla, with the malware testing new delivery methods using OneDrive URLs and PowerShell in.LNK attachments to circumvent Microsoft's macro restrictions. 

The steady increase in Emotet-related threats is further supported by the fact that the number of phishing emails, which frequently hijack existing correspondence, increased from 3,000 in February 2022 to approximately 30,000 in March, targeting organisations in various countries as part of a large-scale spam campaign. ESET stated that Emotet activity "shifted to a higher gear" in March and April 2022 and that detections increased 100-fold, indicating an 11,000 percent increase during the first four months of the year when compared to the preceding three-month period from September to December 2021. 

Japan, Italy, and Mexico have been frequent targets since the botnet's revival, according to the Slovak cybersecurity firm, with the largest wave recorded on March 16, 2022. 

Dušan Lacika, the senior detection engineer at Dušan Lacika, said, "The size of Emotet's latest LNK and XLL campaigns was significantly smaller than those distributed via compromised DOC files seen in March. This suggests that the operators are only using a fraction of the botnet's potential while testing new distribution vectors that could replace the now disabled-by-default VBA macros." 

Researchers from CyberArk also revealed a novel approach for extracting plaintext credentials directly from memory in Chromium-based web browsers. 

"Credential data is stored in Chrome's memory in cleartext format. In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager," CyberArk's Zeev Ben Porat said.

This includes cookie-related information such as session cookies, which an attacker might harvest and utilise to hijack users' accounts even if they are secured by multi-factor authentication.

Emotet Malware Campaign Masquerades the IRS for 2022 Tax Season

 

The Emotet malware botnet is taking advantage of the 2022 tax season in the United States by mailing out fraudulent emails posing as the Internal Revenue Service, which is supposed to be issuing tax forms or federal returns. 

Emotet is a malware infection spread via phishing emails with malicious macros attached to Word or Excel documents. When the user opens these documents, they will be misled into allowing macros that will install the Emotet malware on the device. Emotet will capture victims' emails to use in future reply-chain attacks, send more spam emails, and eventually install other malware that could lead to a Conti ransomware assault on the targeted network once it is implemented. 

Researchers have discovered various phishing attempts masquerading the Internet Revenue Service (IRS.gov) that use lures relevant to the 2022 US tax season, according to a recent analysis by email security firm Cofense. These emails ostensibly come from the IRS, and they claim to be sending the recipient their 2021 Tax Return, W-9 forms, and other tax documents that are often needed during tax season. 

While the subject lines and content of IRS-themed emails vary, the fundamental notion is that the IRS is contacting the company with either finished tax forms or ones that one must fill out and return. Zip files or HTML pages that lead to zip files are attached to the emails and are password-protected to avoid detection by secure email gateways. Third-party archive programs like 7-Zip, on the other hand, have no trouble extracting the files. 

A 'W-9 form.xslm' Excel file is included in the zip files, and when viewed, it prompts the user to click the "Enable Editing" and "Enable Content" buttons to see the document correctly. When a user clicks one of these buttons, malicious macros are launched, downloading and installing the Emotet virus from hacked WordPress sites. Once Emotet is loaded, it will download further payloads, which in recent campaigns have mostly been Cobalt Strike. 

Emotet has also dropped the SystemBC remote access Trojan, according to Cryptolaemus, an Emotet research organisation. With the Conti Ransomware gang now developing Emotet, all businesses, large and small, should be on the watch for these phishing tactics, which can escalate to ransomware assaults and data theft. It's important to remember that the IRS never sends unsolicited emails and only communicates via postal mail. As a result, if anyone receives an email from the IRS purporting to be from the IRS, flag it as spam and delete it.