The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.
Once the data – including the user's name, the card number and expiration information – is exfiltrated, the malware sends it to command-and-control (C2) servers that are different from the ones the card-stealer module itself uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.
The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.
However, threat intelligence groups began to report indications that Emotet – attributed to the TA542 threat group, also known as Mummy Spider and Gold Crestwood – had returned, starting in November 2021.
"The notorious botnet Emotet is back, and we can expect that new tricks and evasion techniques will be implemented in the malware as the operation progresses, perhaps even returning to being a significant global threat," Ron Ben Yizhak, security researcher with cybersecurity vendor Deep Instinct, wrote in a blog post in November outlining the technical evolutions in the malware.
Emotet's return to prominence didn't take long, according to researchers. Cybersecurity firm Check Point wrote that Emotet was the top global malware threat in April 2022, affecting six percent of companies worldwide.
Security software vendor Kaspersky has also spotted the group's resurgence, in April noting a significant spike in a malicious email campaign designed to spread the Emotet and Qbot malware. The number of emails in the campaign jumped from about 3,000 in February to about 30,000 a month later.
"The campaign is likely connected to the increasing activity of the Emotet botnet," Kaspersky analysts wrote in a blog post.
There has been a revival of other high-profile malware, notably the REvil ransomware-as-a-service (RaaS), according to Charles Everette, director of cybersecurity advocacy for Deep Instinct. In other instances, groups may break up and re-form, coming back under a new name. For example, the DarkSide ransomware group that attacked Colonial Pipeline in 2021 disbanded under pressure from the US government and came back as BlackMatter and then BlackCat.
"[Group] members go off and they create a new one," Everette told The Register. "Somebody takes the source code, they go over someplace else and they start up a new company."
Emotet is unique in that it kept its name, he said.
"They got their wings clipped. They're back again and they are one of the most prolific ones out there again," Everette said. "These guys know how to do it. They ran this as a service. They were very successful and they're back again. They're already very, very successful in just the months that they're back. They're re-establishing themselves and they have come back with new tricks in a sense."
Emotet was first detected in 2014 as a banking trojan designed to steal sensitive and private information. Over the years it developed into a self-propagating, modular trojan that uses phishing as a way into systems and is offered as a service to other threat groups. It's often used to deliver other crews' malware payloads, including ransomware from gangs such as Ryuk and Conti.
In a blog post Thursday, Deep Instinct's Everette said the company's researchers found that after re-emerging last year, the Emotet attackers launched massive phishing campaigns targeting Japanese businesses in February and March, then, starting in April 2022, set their sights on the United States and Italy. ESET researchers this week wrote in a tweet that Mexico has also been a recent target of Emotet, which saw a 100-fold increase in activity in the first quarter of this year compared to the third quarter of 2021.
Deep Instinct and other cybersecurity vendors also have outlined new techniques being used by the Emotet gang, including new obfuscation capabilities, 64-bit modules and a 900 percent increase in the use of Microsoft Excel macros compared to the fourth quarter 2021.
"The attacks we have seen hitting Japanese victims are using hijacked email threads and then using those accounts as a launch point to trick victims into enabling macros of attached malicious office documents," Everette wrote. "One of the more troubling behaviors of this 'new and improved' Emotet is its effectiveness in collecting and utilizing stolen credentials, which are then being weaponized to further distribute the Emotet binaries."
They're also moving their infrastructure out of Europe and to places like Brazil, he told The Register.
In addition, the Emotet group is getting help from those behind the TrickBot trojan, which is helping to get the Emotet infrastructure and malware deployed, he said.
"I'm not surprised that the code is back because it's good code," Everette said, adding that the Emotet group kept their code after its infrastructure was shut down. "Then they came back in full force. I'm surprised that they're coming back as the same entity and doing the same thing, but they're coming back stronger. They've literally regrouped, figured out how to do this better, how to obfuscate themselves." ®
Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.
The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.
This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.
The Russian-based Evil Corp is jumping from one malware strain to another in hopes of evading sanctions placed on it by the US government in 2019.
You might be wondering why cyberextortionists in the Land of Putin give a bit flip about US sanctions: as we understand it, the sanctions mean anyone doing business with or handling transactions for the gang will face the wrath of Uncle Sam. Evil Corp is therefore radioactive, few will want to interact with it, and the group has to shift its appearance and operations to keep its income flowing.
As such, Evil Corp – which made its bones targeting the financial sector with the Dridex malware it developed – is now using off-the-shelf ransomware, most recently the LockBit ransomware-as-a-service, to cover its tracks and make it easier to get paid the ransoms it demands from victims, according to a report this week out of Mandiant.
Akamai has spoken of a distributed denial of service (DDoS) assault against one of its customers during which the attackers astonishingly claimed to be associated with REvil, the notorious ransomware-as-a-service gang.
REvil was behind the JBS and Kaseya malware infections last year. In January, Russia reportedly dismantled REvil's networks and arrested 14 of its alleged members, theoretically putting an end to the criminal operation.
Beginning in late April, however, the same group of miscreants — or some copycats — appeared to resume their regularly scheduled ransomware activities with a new website for leaking data stolen from victims, and fresh malicious code.
Special report Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.
Google's Chrome Web Store is supposed to stop accepting Mv2 extension submissions sometime this month. As of January 2023, Chrome will stop running extensions created using Mv2, with limited exceptions for enterprise versions of Chrome operating under corporate policy. And by June 2023, even enterprise versions of Chrome will prevent Mv2 extensions from running.
The anticipated result will be fewer extensions and less innovation, according to several extension developers.
In brief Last month the notorious Russian ransomware gang Conti threatened to overthrow Costa Rica's government if a ransom wasn't paid. This month, another band of extortionists has attacked the nation.
Fresh off an intrusion by Conti last month, Costa Rica has been attacked by the Hive ransomware gang. According to the AP, Hive hit Costa Rica's Social Security system, and also struck the country's public health agency, which had to shut down its computers on Tuesday to prevent the spread of a malware outbreak.
The Costa Rican government said at least 30 of the agency's servers were infected, and its attempt at shutting down systems to limit damage appears to have been unsuccessful. Hive is now asking for $5 million in Bitcoin to unlock infected systems.
In brief Somerset County, New Jersey, was hit by a ransomware attack this week that hobbled its ability to conduct business, and also cut off access to essential data.
"Services that depend on access to county databases are temporarily unavailable, such as land records, vital statistics, and probate records. Title searches are possible only on paper records dated before 1977," the county said in a statement.
The attack, which happened on Tuesday, took down email services for county government departments as well as leaving the county clerk's office "unable to provide most services which are reliant on internet access." Somerset County residents were asked to contact government offices via Gmail addresses set up for various departments, or via phone.
An emailed report seemingly about a payment will, when opened in Excel on a Windows system, attempt to inject three pieces of file-less malware that steal sensitive information.
Researchers with Fortinet's FortiGuard Labs threat intelligence unit have been tracking this malspam campaign since May, outlining how three remote access trojans (RATs) are fired into the system once the attached file is opened in Excel. From there, the malicious code will not only steal information, but can also remotely control aspects of the PC.
The first of the three pieces of malware is AveMariaRAT (also known as Warzone RAT), followed by Pandora hVCN RAT and BitRAT.
Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.
ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some of the companies that use it, have made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.
"ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."
In what is either a creepy, weird spin on Robin Hood or something from a Black Mirror episode, we're told a ransomware gang is encrypting data and then forcing each victim to perform three good deeds before they can download a decryption tool.
The so-called GoodWill ransomware group, first identified by CloudSEK's threat intel team, doesn't appear to be motivated by money. Instead, it is claimed, they require victims to do things such as donate blankets to homeless people, or take needy kids to Pizza Hut, and then document these activities on social media in photos or videos.
"As the threat group's name suggests, the operators are allegedly interested in promoting social justice rather than conventional financial reasons," according to a CloudSEK analysis of the gang.
While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.
Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.
In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.
The Register - Independent news and views for the tech community. Part of Situation Publishing
Biting the hand that feeds IT © 1998–2022