Earlier this week, several security vendors caught wind of the reemergence of the dangerous Emotet botnet, which was taken down in 2021 in a global operation involving multiple countries, led by Europol and the US.

In its breakdown of the new Emotet variant, Proofpoint observed that it includes a new module designed to extract credit card details stored in the victim’s web browser. “To our surprise [the new Emotet botnet] was a credit card stealer that was solely targeting the Chrome browser,” tweeted Proofpoint. “Once card details were collected, they were exfiltrated to [attack servers controlled by cybercriminals].”

Back From the Dead

Charles Everette, Director of Cyber Advocacy at Deep Instinct, told Lifewire over email that Emotet, one of the most prolific malware variants since 2014, now has quite a few new tricks and attack vectors in its arsenal. “One of the more troubling behaviors that Deep Instinct threat researchers found was [Emotet’s] increased effectiveness in collecting and utilizing stolen credentials,” pointed out Everette.

Although Emotet still utilizes many of the same attack vectors it has previously exploited, Everette said these attacks are now more sophisticated, and some can even bypass standard security tools. “[Some of these attacks] are never-before-seen threats, meaning they are completely unknown,” said Everette. “Combine that with their new obfuscation capabilities, [and features such as the] credit card harvesting capabilities from Chrome, means Emotet is a bigger threat than ever before.”

The fact that the malware goes after Chrome, in particular, doesn’t surprise Dahvid Schloss, Managing Lead, Offensive Security, at Echelon Risk + Cyber. In an email exchange with Lifewire, Schloss said the attack appears to exploit a long-standing issue in Chrome. “It has been around for a very long time—2015 [was] the first time [I saw] an article written about it,” said Schloss. “But Chrome has refused to resolve it as they state it requires an attacker to already be on the machine to exploit.”

Breaking down the issue, Schloss explained it exists because Chrome temporarily stores data, including passwords, within its allocated memory space in plain text. “If an attacker was able to [download] the memory into a file, they could parse the information to look for stored passwords as well as other interesting strings like, say, a credit card [number],” explained Schloss.

Easy to Identify

According to Deep Instinct, Emotet was prolific throughout 2019 and 2020, taking advantage of prevailing hot topics as a ruse to convince unsuspecting victims to open malicious phishing emails.

To help us identify a strategy to guard ourselves against the new Emotet variant, Pete Hay, Instructional Lead at cybersecurity testing and training company SimSpace, told Lifewire over email that the fact that even the new malware variant spreads through a series of spear-phishing email attacks is “oddly good news.”

“Most people have become good at identifying emails that don’t quite seem right,” argued Hay. “The presence of archive files that are password protected, and email sender addresses that don’t match the others in the email chain, are elements that should raise a significant red flag.”

In essence, Hay believed being vigilant of all incoming emails should be enough to prevent the initial foothold the new Emotet variant needs to compromise computers. “As for the Emotet threat against Chrome specifically, switching to Brave or Firefox will eliminate that risk,” added Hay.

Schloss, however, suggested that the best option for people to eliminate the risk of their browsers leaking passwords is to not save any sensitive information in these apps in the first place, even if they don’t use Chrome. “[Instead, use] a strong third-party privilege information storage app like LastPass… [that] allows the user to securely store their passwords and credit card numbers, so they don’t have to write or save them in vulnerable spots,” advised Schloss.
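
The two red flags Hay describes, password-protected archives and a sender address that does not match the rest of the email chain, can also be checked automatically at a mail gateway. The following is an added example, not code from the article or from any vendor it quotes; the function names, the `thread_senders` input (addresses already seen in the conversation) and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

ZIP_ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flag: entry is encrypted

def archive_is_encrypted(data: bytes) -> bool:
    """True if any entry of a ZIP attachment has the encryption flag set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(i.flag_bits & ZIP_ENCRYPTED for i in zf.infolist())
    except zipfile.BadZipFile:
        return False  # not a ZIP archive at all

def red_flags(raw: bytes, thread_senders: set[str]) -> list[str]:
    """Return the red flags found in one raw RFC 5322 message.
    thread_senders (assumed input): lowercase addresses seen earlier in the chain."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    if sender not in thread_senders:
        flags.append(f"sender {sender} not seen earlier in thread")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if archive_is_encrypted(data):
            flags.append(f"password-protected archive {part.get_filename()}")
    return flags

def constructed_sample() -> bytes:
    """Constructed test message: a reply from an unknown address carrying a ZIP
    whose central-directory entry is patched to set the encryption flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "placeholder")
    z = bytearray(buf.getvalue())
    z[z.index(b"PK\x01\x02") + 8] |= ZIP_ENCRYPTED  # flags field, low byte
    msg = EmailMessage()
    msg["From"] = "Alice <alice@lookalike.example>"
    msg["To"] = "bob@corp.example"
    msg["Subject"] = "Re: Q3 invoice"
    msg.set_content("Password for the archive: 1234")
    msg.add_attachment(bytes(z), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(red_flags(constructed_sample(), {"alice@corp.example", "bob@corp.example"}))
```

The check reads only the ZIP central directory, so it flags the archive without needing the password or extracting anything.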