Emotet Malware Now Steals Credit Cards from Google Chrome Users

The Emotet botnet has been seen delivering a credit card stealer module to infected systems as part of its post-compromise activity, according to new reports. The module is designed to harvest credit card information that is stored in Google Chrome user profiles.

The credit card stealer module in question appears to be specifically targeted at Google Chrome. Once the credit card information has been extracted from the user’s Chrome profile, the malware sends it back to its command-and-control (C2) server. However, the C2 server it sends the information to is different from the one that deployed the card stealer.

Emotet has seen a massive increase in activity since the start of this year, growing more than 100-fold since last year. The malware family will likely continue to evolve and adapt to industry changes and its own shifting goals and priorities.

Analyst Notes

Because of the insecure way browsers store them and the many malware families built to steal them, storing sensitive information (such as passwords or credit card numbers) in web browsers is not recommended. If such information must be stored, a password manager is a much better choice. This can prevent malware that has infected a system from easily extracting sensitive material from the user.

Since Emotet is mostly delivered via phishing emails, it is important to maintain proper email security controls to help prevent malicious items from reaching end users. These include AV scanning and attachment sandboxing or filtering.

If a phishing email does reach an end user’s system, it is important to have proper endpoint security controls configured as well. This includes detective measures, not only preventive ones. Activity performed by Emotet during both infection and post-infection can be monitored for and alerted upon: powershell.exe spawning a regsvr32.exe or rundll32.exe process, regsvr32.exe or rundll32.exe making abnormal network callouts, or suspicious Run registry keys being created are all behaviors that can be alerted upon. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
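As an added illustration of the three detection behaviors listed above (example code, not Binary Defense's own tooling), the following Python runs those checks over constructed Sysmon-style events. The field names follow Sysmon event IDs 1 (process create), 3 (network connection) and 13 (registry value set); the "internal" address ranges and the user-writable-path heuristic for Run keys are assumptions of this example.

```python
"""Toy detection of the Emotet post-infection behaviors named in the analyst
notes, run over constructed Sysmon-style events (not real telemetry)."""
import ipaddress
import ntpath
import re

LOLBINS = {"regsvr32.exe", "rundll32.exe"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Assumption: a Run value launching something under a user profile is suspicious.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# Assumption: only RFC 1918 and loopback ranges count as "normal" destinations.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def base(path):
    return ntpath.basename(path).lower()

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def detect(events):
    """Return (rule_name, detail) tuples, one per event matching a rule."""
    alerts = []
    for e in events:
        eid = e["EventID"]
        if eid == 1 and base(e["ParentImage"]) == "powershell.exe" and base(e["Image"]) in LOLBINS:
            alerts.append(("powershell_spawns_lolbin", e["CommandLine"]))
        elif eid == 3 and base(e["Image"]) in LOLBINS and is_external(e["DestinationIp"]):
            alerts.append(("lolbin_network_callout", f"{base(e['Image'])} -> {e['DestinationIp']}:{e['DestinationPort']}"))
        elif eid == 13 and RUN_KEY.search(e["TargetObject"]):
            data = e["Details"]
            if USER_WRITABLE.search(data) or any(b in data.lower() for b in LOLBINS):
                alerts.append(("suspicious_run_key", f"{e['TargetObject']} = {data}"))
    return alerts

# Constructed sample events; every path, SID and address below is made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\sample.ocx"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",  # benign parent, no alert
     "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 3, "Image": r"C:\Windows\System32\regsvr32.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 8080},
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\Updater\upd.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},  # benign, no alert
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The benign events (explorer.exe launching rundll32.exe, an internal SMB connection, a Program Files Run entry) are included to show the rules do not fire on ordinary activity.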