Emotet Botnet Can Steal Credit Card Info From Google Chrome

Android Virus Malware Cyberthreat AH 2019

According to a new report, the Emotet botnet/malware has begun targeting credit card details stored within Google Chrome user profiles. The malware can reportedly access data including names, card numbers, and expiration month/year from unsuspecting users.

Proofpoint notes that the new Emotet module solely targets the Google Chrome browser

Following the theft of credit card information, Emotet apparently sends the data to the command-and-control (C2) servers. These servers are separate from those used to steal credit card info. This change came after a switch to 64-bit modules in April, in addition to the growing activity of the botnet.

The following week, Emotet began leveraging Windows shortcut files (.LNK) for PowerShell commands to attack devices. This was a shift from Microsoft Office macros, which have been disabled since early April this year, as BleepingComputer notes.


“To our surprise it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader,” the Proofpoint Threat Insights team said on Twitter.

Emotet Credit Card Malware

Emotet first appeared on the scene as a banking trojan way back in 2014. It eventually became a botnet that the TA542 threat group, also known as Mummy Spider, utilizes to deliver second-stage payloads. The operators, in this instance, can steal user data, look around the breached network, or even switch over to other vulnerable devices. In the past, Emotet was also responsible for attacking computers using Qbot and Trickbot malware trojan payloads. Attackers then use the payloads to install more malware.


Authorities have scored some victories, however. European agencies like Europol and Eurojust came together in early 2021 to take down Emotet’s infrastructure. This came as part of a joint effort between law enforcement agencies from the U.S., UK, the Netherlands, Germany, France, Lithuania, Canada, and Ukraine. The investigators eventually managed to control Emotet’s servers, thus hindering the botnet’s functioning.

As per Research firm ESET, Emotet’s activity has increased 100-fold since last year

Emotet then came back in November 2021 by tapping into TrickBot’s existing infrastructure. According to Slovakian research firm ESET, Emotet has witnessed more activity since the beginning of 2022. The company said Emotet’s activity has surged “100-fold vs T3 2021.”