Security News

Emotet malware gang re-emerges with Chrome-based credit card heistware
2022-06-10 07:57

The criminals behind the Emotet botnet - which rose to fame as a banking trojan before evolving into spamming and malware delivery - are now using it to target credit card information stored in the Chrome web browser. "The notorious botnet Emotet is back, and we can expect that new tricks and evasion techniques will be implemented in the malware as the operation progresses, perhaps even returning to being a significant global threat," Ron Ben Yizhak, security researcher with cybersecurity vendor Deep Instinct, wrote in a blog post in November outlining the technical evolutions in the malware.

New Emotet Variant Stealing Users' Credit Card Information from Google Chrome
2022-06-10 07:39

The notorious Emotet malware has turned to deploy a new module designed to siphon credit card information stored in the Chrome web browser. The credit card stealer, which exclusively singles out Chrome, has the ability to exfiltrate the collected information to different remote command-and-control servers, according to enterprise security company Proofpoint, which observed the component on June 6.

Emotet malware now steals credit cards from Google Chrome users
2022-06-08 16:20

The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to harvest credit card information stored in Google Chrome user profiles. After stealing the credit card info, the malware sends it to command-and-control servers different from the ones used by the Emotet botnet itself.

Emotet is the most common malware
2022-05-17 04:00

The latest global HP Wolf Security Threat Insights Report - which provides analysis of real-world cybersecurity attacks - shows that Emotet has bolted up 36 places to become the most common malware family detected this quarter. Signs indicate HTML smuggling is on the rise: the median file size of HTML threats grew from 3KB to 12KB, suggesting increased use of HTML smuggling, a technique where cybercriminals embed malware directly into HTML files so that the payload is assembled in the recipient's browser, bypassing email gateways and evading detection, before gaining access and stealing critical financial information.
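The size jump HP reports is the visible side effect of the technique: the attachment carries the payload as a base64 string that page-side JavaScript decodes and offers as a download, so nothing the gateway sees looks like an archive. The script below is an added example of gateway-side triage for that pattern, written for this page rather than taken from HP or any vendor: it flags the JavaScript idioms that materialise a file client-side, decodes any long base64 run and checks the file signature of the result. The sample HTML and the ZIP-like blob inside it are constructed fixtures; the 2000-character threshold and the signature list are assumptions a deployment would tune.

```python
"""Triage an HTML attachment for a smuggled payload.

Constructed example, not HP's detection logic: it looks for the JavaScript
pattern that turns an in-page string into a file download and decodes any
long base64 run to see what kind of file it carries.
"""
import base64
import binascii
import re

# JavaScript idioms used to build a file client-side, out of reach of gateway scanning
SMUGGLING_APIS = re.compile(
    r"msSaveOrOpenBlob|new\s+Blob\s*\(|URL\.createObjectURL|\.download\s*=|atob\s*\(",
    re.I,
)


def decode_candidates(html: str, min_len: int = 2000) -> list:
    """Return the decoded bytes of every base64 run of at least min_len characters."""
    out = []
    for m in re.finditer(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, html):
        try:
            out.append(base64.b64decode(m.group(0), validate=True))
        except (binascii.Error, ValueError):
            continue  # long but not valid base64 (e.g. minified identifiers)
    return out


def identify(raw: bytes) -> str:
    """Classify a decoded blob by file signature (containers the items on this page mention)."""
    if raw[:4] == b"PK\x03\x04":
        return "zip"
    if raw[:2] == b"MZ":
        return "pe"
    if raw[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole2"
    if raw[0x8001:0x8006] == b"CD001":
        return "iso9660"
    return "unknown"


def triage_html(html: str) -> dict:
    """Combine API hits and decoded payload types into a verdict for one HTML file."""
    apis = sorted({m.group(0) for m in SMUGGLING_APIS.finditer(html)})
    payloads = [(len(raw), identify(raw)) for raw in decode_candidates(html)]
    suspicious = bool(apis) and any(kind != "unknown" for _, kind in payloads)
    return {"smuggling_apis": apis, "payloads": payloads, "suspicious": suspicious}


# Constructed sample: a ZIP-looking blob (local file header + padding) wrapped in the download idiom
_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 2000).decode()
SAMPLE_HTML = f"""<html><body><script>
var b64 = "{_B64}";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "invoice.zip"; a.click();
</script></body></html>"""

if __name__ == "__main__":
    print(triage_html(SAMPLE_HTML))
```

A benign page rarely combines a download idiom with a multi-kilobyte base64 string that decodes to an archive or executable, which is why the verdict requires both; a page with only one of the two is worth logging but not blocking on its own. Password-protected ZIPs still show the `PK` signature, so the check survives the archive being encrypted.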

Historic Hotel Stay, Complimentary Emotet Exposure included
2022-05-12 14:02

Abuse of trust relationships, even those as minute as the domain name of a hotel you may have stayed at two months ago, will yield better results for an actor attempting to convince an executive to interact with their email lure. The message appears to originate from a historic hotel, Hotel Warner, which opened in 1930 and has been a member of "Historic Hotels of America" since 2016.

EmoCheck now detects new 64-bit versions of Emotet malware
2022-04-28 21:01

Japan's CERT (JPCERT/CC) has released a new version of its EmoCheck utility to detect the new 64-bit versions of the Emotet malware that began infecting users this month. Emotet is one of the most actively distributed malware families, spread through phishing emails with malicious attachments, including Word/Excel documents, Windows shortcuts, ISO files, and password-protected zip files.

Emotet is Back From ‘Spring Break’ With New Nasty Tricks
2022-04-27 19:53

Emotet malware attacks are back after a 10-month "Spring break" - with the criminals behind the attack rested, tanned and ready to launch a new campaign strategy. The latest activity observed by researchers occurred while Emotet was on its "Spring break." Efforts were low-key and likely an attempt to test new tactics without drawing attention.

Emotet malware launches new email campaign
2022-04-27 19:17

Although it had previously been foiled by a global law enforcement effort, it looks like Emotet malware has returned with a new campaign. New findings from cybersecurity company Check Point show that Emotet has re-emerged since November 2021 as the most prevalent form of malware, through an aggressive email drive using Easter-themed phishing scams to distribute the botnet.

Emotet malware now installs via PowerShell in Windows shortcut files
2022-04-26 21:17

The Emotet botnet is now using Windows shortcut files containing PowerShell commands to infect victims' computers, moving away from Microsoft Office macros, which are now disabled by default. Using LNK files is not new, as the Emotet gang previously used them in combination with Visual Basic Script code to build a command that downloads the payload. However, this is the first time they have used Windows shortcuts to directly execute PowerShell commands.
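A shortcut that launches PowerShell directly leaves its command line in the file itself: the MS-SHLLINK format stores the target's relative path and its arguments as length-prefixed strings after the header. The script below is an added example, not Emotet's code and not EmoCheck, of parsing those StringData fields out of a .lnk and scoring the result for the tell-tale PowerShell switches. The two shortcuts it analyses are minimal fixtures assembled in memory (header plus StringData, no IDList or LinkInfo); the dropper's command line, the indicator regexes and the 260-character length threshold are assumptions chosen for illustration.

```python
"""Triage a Windows shortcut (.lnk) for an embedded PowerShell command line.

Constructed example, not Emotet's code: the shortcuts built below are minimal
MS-SHLLINK files (header + StringData only) assembled in memory so the script
runs offline; real samples also carry an IDList and LinkInfo, which the parser
skips by their declared sizes.
"""
import re
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional sections follow the header
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData sections appear in this fixed order, each present only if its flag is set
STRING_DATA = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
               ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
               ("icon_location", HAS_ICON_LOCATION)]


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (relative path, arguments, ...) of a .lnk file."""
    if (len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE):
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) followed by the IDList
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                  # LinkInfoSize includes itself
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    fields = {}
    for name, bit in STRING_DATA:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + count * 2].decode("utf-16-le")
            pos += count * 2
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


# Indicators of a shortcut that runs a PowerShell one-liner instead of opening a document
INDICATORS = [
    (re.compile(r"powershell(\.exe)?|pwsh", re.I), "launches PowerShell"),
    (re.compile(r"(?<![\w-])-(e|ec|enc|encodedcommand)\b", re.I), "base64-encoded command"),
    (re.compile(r"(?<![\w-])-(w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"(?<![\w-])-(nop|noprofile)\b", re.I), "profile suppressed"),
    (re.compile(r"(?<![\w-])-(ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|frombase64string", re.I),
     "download/decode primitive"),
]


def assess_lnk(fields: dict) -> list:
    """List why a parsed shortcut looks like a PowerShell dropper (empty list = nothing found)."""
    text = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    reasons = [why for pat, why in INDICATORS if pat.search(text)]
    if len(fields.get("arguments", "")) > 260:   # far longer than a document path (assumed threshold)
        reasons.append("oversized argument string")
    return reasons


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Assemble a minimal Unicode .lnk (constructed fixture: no IDList, no LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # FILE_ATTRIBUTE_ARCHIVE, SW_SHOWNORMAL
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body + b"\x00\x00\x00\x00"   # TerminalBlock


# Constructed fixtures: a shortcut that opens a text file, and a hypothetical PowerShell dropper
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe", r"C:\Users\Public\readme.txt")
DROPPER_LNK = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                        "-nop -w hidden -ep bypass -enc " + "QQBBAEEA" * 60)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("dropper", DROPPER_LNK)):
        print(label, assess_lnk(parse_lnk(blob)))
```

Because the parser works from the declared section sizes rather than searching for strings, it also handles shortcuts whose arguments are split across the relative path and the working directory, which is why `assess_lnk` joins all three fields before matching. Shortcuts that point at `cmd.exe` and reach PowerShell one hop later still trip the PowerShell and download indicators, since the whole command line is what gets scanned.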

Emotet Testing New Delivery Ideas After Microsoft Disables VBA Macros by Default
2022-04-26 20:00

The threat actor behind the prolific Emotet botnet is testing new attack methods on a small scale before co-opting them into their larger-volume malspam campaigns, potentially in response to Microsoft's move to disable Visual Basic for Applications macros by default across its products. Calling the new activity a "departure" from the group's typical behavior, Proofpoint alternatively raised the possibility that the latest set of phishing emails distributing the malware shows that the operators are now "engaged in more selective and limited attacks in parallel to the typical massive scale email campaigns."