
Coronavirus campaigns bring Emotet

Coronavirus-themed campaigns are striking Japan. A rash of botnet-driven malicious emails is using the coronavirus as a theme. The announcement came from IBM X-Force and Kaspersky. As the disease spreads globally, attackers see it as an opportunity, and malware infections are becoming common.

The emails pretend to have attached notices regarding prevention measures for the disease. But the real coronavirus is just a pretext to distribute a trojan – the well-known Emotet.

The attackers used Japanese in most of the emails, so they are intentionally targeting geographic regions that are more exposed because of their location. The subject line contains the current date and the Japanese word for “notification”, which makes the emails look more credible.

The emails claim to come from a disability welfare service provider in Japan. “The text briefly states that there have been reports of coronavirus patients in the Gifu prefecture in Japan and urges the reader to view the attached document,” according to IBM X-Force. Other versions warn of infection reports within different Japanese prefectures, such as Osaka and Tottori. The footer of the messages shows a legitimate mailing address, phone number and fax number for the relevant public health authority in the targeted prefecture, which lends the emails an air of authenticity.

“Previously, Japanese Emotet emails have been focused on corporate style payment notifications and invoices, following a similar strategy as emails targeting European victims,” announced the company. “This new approach to delivering Emotet may be significantly more successful, due to the wide impact of the coronavirus and the fear of infection surrounding it.”

The old tricks still work

Apart from the lure used, the coronavirus campaigns represent an ordinary Emotet effort. When opened in Protected View, the attached document displays an Office 365 message that asks the user to “enable content”. As in most Emotet email-borne attacks, if the attachment is opened with macros enabled, a macro script launches PowerShell and installs the Emotet downloader.

“The extracted macros are using the same obfuscation technique as other Emotet emails observed in the past few weeks,” IBM X-Force analysts observed.
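The chain described above (an Office document whose macro launches PowerShell) can be hunted for in process-creation telemetry. The following is an added detection sketch, not code from IBM X-Force, Kaspersky or this article; the event fields (`pid`, `ppid`, `image`, `cmdline`), the sample events and the severity labels are assumptions, and PID reuse is ignored.

```python
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Office\WINWORD.EXE", "cmdline": "WINWORD.EXE notice.doc"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\powershell.exe",
     "cmdline": "powershell -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"pid": 400, "ppid": 100, "image": r"C:\Office\EXCEL.EXE", "cmdline": "EXCEL.EXE report.xls"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c powershell Get-Date"},
    {"pid": 420, "ppid": 410, "image": r"C:\Windows\System32\powershell.exe", "cmdline": "powershell Get-Date"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\admin\task.ps1"},
]

def exe(path):
    """Lower-cased executable name from a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()

def has_encoded_flag(cmdline):
    """True if a switch is -EncodedCommand or one of its abbreviations (-e, -enc, -ec)."""
    for tok in cmdline.split():
        name = tok[1:].lower()
        if tok[0] in "-/" and name and ("encodedcommand".startswith(name) or name == "ec"):
            return True
    return False

def find_office_powershell(events):
    """Flag PowerShell processes that have an Office application anywhere in their ancestry."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if exe(e["image"]) not in POWERSHELL:
            continue
        chain, cur, seen = [exe(e["image"])], e, set()
        while cur["ppid"] in by_pid and cur["ppid"] not in seen:
            seen.add(cur["ppid"])
            cur = by_pid[cur["ppid"]]
            chain.append(exe(cur["image"]))
            if chain[-1] in OFFICE:
                sev = "high" if has_encoded_flag(e["cmdline"]) else "medium"
                alerts.append({"pid": e["pid"], "chain": " > ".join(reversed(chain)), "severity": sev})
                break
    return alerts

if __name__ == "__main__":
    for alert in find_office_powershell(EVENTS):
        print(alert)
```

Walking the full ancestry rather than only the direct parent also catches an intermediate `cmd.exe` between the Office application and PowerShell.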

Attackers exploit fear

Kaspersky has also seen several coronavirus-themed spam campaigns emerge in the last weeks, carrying a range of attachments.

Researchers said that the malicious files are usually disguised as .PDF, .MP4 and .DOC files about the coronavirus. “The names of files imply that they contain video instructions on how to protect yourself from the virus.” They also pretend to offer updates on the threat and even virus-detection procedures.

The files contain a range of threats, including trojans and worms. They are “capable of destroying, blocking, modifying or copying data, and interfering with the operation of computers or networks.” So far, analysts have discovered 10 different documents in circulation.

Because people worry about their health, Anton Ivanov, Kaspersky malware analyst, believes we should expect worse. “We may see more and more malware hidden inside fake documents about the coronavirus being spread.”

Also, IBM X-Force warned that Emotet operators would probably expand their targeting beyond Japan soon. “This will probably include other languages too, depending on the impact the coronavirus outbreak has on the native speakers. Unfortunately, it is quite common for threat actors to exploit basic human emotions such as fear – especially if a global event has already caused terror and panic,” analysts mentioned.

Cybercriminals usually try to capitalize on current events. For instance, in December, Emotet was involved in a spam campaign that used Greta Thunberg as a lure.

Laurentiu Titei
