The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.
Once the data – including the user’s name, the card’s numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint’s Threat Insight team.
The new card information module is the latest illustration of Emotet’s Lazarus-like return. It’s been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors’ infrastructure in January 2021 and – they hoped – put the malware threat to rest.
However, threat intelligence groups began to report indications that Emotet – attributed to the TA542 threat group, also known as Mummy Spider and Gold Crestwood – had returned, starting in November 2021.
“The notorious botnet Emotet is back, and we can expect that new tricks and evasion techniques will be implemented in the malware as the operation progresses, perhaps even returning to being a significant global threat,” Ron Ben Yizhak, security researcher with cybersecurity vendor Deep Instinct, wrote in a blog post in November outlining the technical evolutions in the malware.
Emotet’s return to prominence didn’t take long, according to researchers. Cybersecurity firm Check Point wrote that Emotet was the top global malware threat in April 2022, affecting six percent of companies worldwide.
Security software vendor Kaspersky has also spotted the group’s resurgence, in April noting a significant spike in a malicious email campaign designed to spread the Emotet and Qbot malware. The number of emails in the campaign jumped from about 3,000 in February to about 30,000 a month later.
“The campaign is likely connected to the increasing activity of the Emotet botnet,” Kaspersky analysts wrote in a blog post.
There has been a revival of other high-profile malware, notably the REvil ransomware-as-a-service (RaaS), according to Charles Everette, director of cybersecurity advocacy for Deep Impact. In other instances, groups may break up and reform, coming back under a new name. For example, the DarkSide ransomware group that attacked Colonial Pipeline in 2021 disbanded under pressure from the US government and came back as BlackMatter and then BlackCat.
“[Group] members go off and they create a new one,” Everette told The Register. “Somebody takes the source code, they go over someplace else and they start up a new company.”
Emotet is unique in that it kept its name, he said.
“They got their wings clipped. They’re back again and they are one of the most prolific ones out there again,” Everette said. “These guys know how to do it. They ran this as a service. They were very successful and they’re back again. They’re already very, very successful in just the months that they’re back. They’re re-establishing themselves and they have come back with new tricks in a sense.”
Emotet was first detected in 2014 as a banking trojan designed to steal sensitive and private information. Over the years it developed into a self-propagating and modular trojan that uses phishing as a way into systems and is offered as a service to other threat groups. It’s often used to deliver malware payloads of others, including ransomware by such gangs as Ryuk and Conti.
In a blog post Thursday, Deep Impact’s Everette said the company’s researchers found that after re-emerging last year, Emotet attackers in February and March launched massive phishing campaigns targeting Japanese businesses. Then, starting in April 2022, they set their sights on the United States and Italy. ESET researchers this week wrote in a tweet that Mexico also has been a recent target of Emotet, which had a 100-fold increase in activity in the first quarter this year compared to the third quarter 2021.
Deep Instinct and other cybersecurity vendors also have outlined new techniques being used by the Emotet gang, including new obfuscation capabilities, 64-bit modules and a 900 percent increase in the use of Microsoft Excel macros compared to the fourth quarter 2021.
“The attacks we have seen hitting Japanese victims are using hijacked email threads and then using those accounts as a launch point to trick victims into enabling macros of attached malicious office documents,” Everette wrote. “One of the more troubling behaviors of this ‘new and improved’ Emotet is its effectiveness in collecting and utilizing stolen credentials, which are then being weaponized to further distribute the Emotet binaries.”
They’re also moving their infrastructure out of Europe and to places like Brazil, he told The Register.
In addition, the Emotet group is getting help from those behind the TrickBot trojan, which is helping to get the Emotet infrastructure and malware deployed, he said.
“I’m not surprised that the code is back because it’s good code,” Everette said, adding that the Emotet group kept their code after its infrastructure was shut down. “Then they came back in full force. I’m surprised that they’re coming back as the same entity and doing the same thing, but they’re coming back stronger. They’ve literally regrouped, figured out how to do this better, how to obfuscate themselves.” ®