Emotet botnet operators have updated their malware with a new credit card stealer module that targets only credit card information stored in Google Chrome, BleepingComputer reports.
Proofpoint Threat Insights researchers discovered that the new module harvests cardholder names, card numbers, and expiration dates, which are then exfiltrated to command-and-control servers that differ from the ones used by the module loader. The updated module follows Cryptolaemus researchers' reports of elevated Emotet activity in April, which coincided with its transition to 64-bit modules and its use of .LNK files to execute PowerShell commands.
Since its emergence in 2014, Emotet has been leveraged by Mummy Spider, also known as TA542, for second-stage payload delivery. Emotet was also used to facilitate Qbot and Trickbot malware deployment before being taken down early last year.
However, existing Trickbot infrastructure enabled Emotet's comeback in November, with ESET reporting a more than 100-fold increase in Emotet activity between T3 2021 and T1 2022.