Emotet botnet operators have updated their malware with a new credit card stealer module that targets credit card information stored only in Google Chrome, BleepingComputer reports.
Proofpoint Threat Insights researchers discovered that the new module harvests names, card numbers, and expiration dates, which are then exfiltrated to command-and-control servers different from those used by the module loader. The updated module follows Cryptolaemus researchers' reports of elevated Emotet activity in April, which coincided with the botnet's transition to 64-bit modules and its use of .LNK files to execute PowerShell commands.
Since its emergence in 2014, Emotet has been leveraged by Mummy Spider, also known as TA542, to deliver second-stage payloads. Emotet was also used to deploy the Qbot and Trickbot malware before it was taken down early last year.
However, existing Trickbot infrastructure enabled Emotet's comeback in November, with ESET reporting a more than 100-fold increase in Emotet activity between T3 2021 and T1 2022.