New Emotet Malware Stealing Credit Cards Info from Google Chrome users.

Microsoft® Windows OS Chrome OS Google
Advisory ID:
June 17, 2022


Emotet has evolved since its first appearance in 2014, causing significant damage in its wake. From a Trojan that targeted banking apps to one of the first Malware-as-a-Service (MaaS) botnets that infected a large number of devices and then sold access to third parties. It is currently stealing credit card information while evading security measures. The "improved" version of Emotet is engaging in "disturbing" behavior, effectively collecting and using stolen credentials, which are then weaponized to further distribute the Emotet binaries.

Description & Consequence

The malware is distributed via an elaborate phishing campaign that includes malware-laden attachments – most of which are Microsoft Office files. Among the other attachments are archives, executables, and scripts. To gain access, the malware exploits the Microsoft Office Memory corruption vulnerability, CVE-2017-11882. An Office attachment is used to detect 45 percent of this malware. There were 33 percent spreadsheets, 29 percent executables and scripts, 22 percent archives, and 11 percent documents among these attachments. Additionally, 14 percent of the email malware has bypassed at least one email gateway security scanner before it was captured. Other notable differences in Emotet's latest incarnation include the use of 64-bit shell code in attacks, as well as more advanced PowerShell and active scripts.

The Emotet Botnet is intended to steal credit card information from Google Chrome user profiles. The credit card stealer module appears to be designed specifically for Google Chrome. The malware sends the credit card information extracted from the user's Chrome profile back to its command-and-control (C2) server. However, the C2 server to which the information is sent is not the same as the one that deployed the card stealer.

Card information such as card numbers, names, expiration dates, and CVV are stolen from Google Chrome profiles and exfiltrated to various command and control (C2) servers following successful exploitation of the vulnerability.


  1. Do not save passwords or card information on web browsers!
  2. Be wary of emails from unknown sources.
  3. Do not download unsolicited attachments.
  4. Always ensure Operating System and software are patched and up-to-date.



Related Articles