Threat actors behind the Emotet malware used the novel coronavirus (2019-nCoV) scare as a hook for their spam email campaign against targets in Japan.
2019-nCoV, believed to have originated in Wuhan, China, has in the past month caused hundreds of deaths and thousands of confirmed cases in China alone. The virus has already spread to neighboring countries, and confirmed cases have been reported in more distant countries such as Germany, Canada, and the U.S., leading the World Health Organization to declare a global health emergency. The official advisory of the Japanese Ministry of Health, Labour and Welfare on the outbreak can be found here (in Japanese).
IBM X-Force reported that the coronavirus spam emails were disguised as official notifications sent by a disability welfare provider and public health centers. The email content warns recipients about the rapid spread of the virus, and instructs them to download an attached notice that allegedly contains preventive measures.
As in several previous campaigns, the coronavirus spam emails carried Word document attachments. The text in the document instructed the recipient to click the Enable Content button in order to view the document. Clicking the button enables the document's macros, which launch a PowerShell command that installs the Emotet payload.
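The Word-to-PowerShell chain described above leaves a characteristic parent/child process pair on the endpoint. The following is an added detection example (not code from the original report) that scores constructed process-creation events for an Office application spawning a script host; the event fields and the sample command lines are assumptions, not real telemetry.

```python
import re

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc QQBCAEMA"},  # constructed encoded blob
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},  # benign admin use
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c echo hello"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},  # printer helper, expected child of Word
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Arguments commonly used to hide or obfuscate a macro-launched PowerShell command.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-e(nc(odedcommand)?)?\b|-w(indowstyle)?\s+hidden|-nop\b|bypass)")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect(events):
    """Return one alert per event where an Office process spawns a script host.

    Severity is raised to 'high' when the child's command line also carries
    hiding/obfuscation switches; otherwise it is 'medium'.
    """
    alerts = []
    for evt in events:
        parent, child = basename(evt["parent"]), basename(evt["image"])
        if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
            continue
        reasons = [f"{parent} spawned {child}"]
        reasons += [f"argument {m.group(0)!r}"
                    for m in SUSPICIOUS_ARGS.finditer(evt["cmdline"])]
        severity = "high" if len(reasons) > 1 else "medium"
        alerts.append({"severity": severity, "reasons": reasons,
                       "cmdline": evt["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], "|", "; ".join(alert["reasons"]))
```

The same parent/child check maps directly onto Sysmon Event ID 4688/Sysmon Event ID 1 fields (ParentImage, Image, CommandLine) in a SIEM rule.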
The spam emails include a footer with real-looking details such as a mailing address and contact numbers in an attempt to appear legitimate.
The campaign follows in the footsteps of previous Emotet spam email campaigns, which took advantage of well-known personalities and occasions such as Christmas to blast the emails.
Devices infected with Emotet can be used to deploy ransomware. The malware can also drop other types of malware that steal user credentials, browser history, and sensitive documents. The harvested data can then be used to send spam from the victims' email accounts to further targets.
The Emotet malware persists as a threat as cybercriminals continue to increase not just the level of harm it brings, but also the sophistication of the social engineering techniques used to propagate it via email. Below are the recommendations for protecting the enterprise’s systems against Emotet:
Carefully inspect emails, especially those that include links or attachments. If they appear to come from a reputable institution, verify the contact information by checking details listed on its official website.