Cybercriminals are exploiting fears over the outbreak of Coronavirus in China, sending out emails with malicious Word attachments purportedly providing updates on preventing infection but in actuality delivering the Emotet trojan.
“Patients were reported about the new type of coronavirus-related pneumonia, mainly in Takeshi, China. Patients have been reported in Gifu Prefecture in Japan,Therefore, please =check the attached notice,Thank you for your infection prevention measures,” one email read.
“The subject of the emails, as well as the document filenames are similar, but not identical,” according to an IBM X-Force Threat Intelligence report detailing a “recent wave” of exploitations associated with the Coronavirus. “They are composed of different representations of the current date and the Japanese word for ‘notification,’ in order to suggest urgency.”
The researchers were able to retrace the infection process after running the attached document – an Office 365 message telling the victim to enable the content to sidestep protected view – through a sandbox.
If the attachment in one of the samples “has been opened with macros enabled, an obfuscated VBA macro script opens powershell and installs an Emotet downloader in the background,” typical behavior for the bulk of Emotet documents, they wrote.
“In this case, the file hashes of the malicious attachments are mostly different; nevertheless, the extracted macros are using the same obfuscation technique as other Emotet emails observed in the past few weeks,” the report said.
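Because the attachment hashes differ from sample to sample, a check on the process chain described above (a Word document launching PowerShell) holds up better than hash matching. The following is an added example, not code from the IBM report or this article: it flags PowerShell starts that have an Office application anywhere in their ancestry, which generalizes the direct parent-child case in the text. Field names follow Sysmon Event ID 1; the host names, GUIDs and log lines are constructed.

```python
import json
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed process-creation events (not from the report), one JSON object per line.
SAMPLE_LOG = r"""
{"Computer":"WS-014","ProcessGuid":"A1","ParentProcessGuid":"A0","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"Computer":"WS-014","ProcessGuid":"A2","ParentProcessGuid":"A1","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"Computer":"WS-022","ProcessGuid":"B1","ParentProcessGuid":"B0","Image":"C:\\Windows\\explorer.exe"}
{"Computer":"WS-022","ProcessGuid":"B2","ParentProcessGuid":"B1","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"Computer":"WS-031","ProcessGuid":"C1","ParentProcessGuid":"C0","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\winword.exe"}
{"Computer":"WS-031","ProcessGuid":"C2","ParentProcessGuid":"C1","Image":"C:\\Windows\\System32\\cmd.exe"}
{"Computer":"WS-031","ProcessGuid":"C3","ParentProcessGuid":"C2","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
this line is truncated {"Computer":
"""

def exe_name(path):
    # ntpath parses Windows paths correctly even when the analysis host is not Windows.
    return ntpath.basename(path or "").lower()

def parse_events(text):
    """Yield JSON-object events that carry a ProcessGuid; skip malformed lines."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if isinstance(event, dict) and "ProcessGuid" in event:
            yield event

def office_spawned_powershell(text):
    """Return (host, chain) for every PowerShell start with an Office ancestor."""
    procs = {(e.get("Computer"), e["ProcessGuid"]): e for e in parse_events(text)}
    hits = []
    for (host, _guid), event in procs.items():
        if exe_name(event.get("Image")) not in POWERSHELL:
            continue
        chain, cur = [exe_name(event.get("Image"))], event
        while len(chain) < 16:  # depth cap guards against GUID cycles in bad data
            cur = procs.get((host, cur.get("ParentProcessGuid")))
            if cur is None:
                break
            chain.append(exe_name(cur.get("Image")))
        if OFFICE & set(chain):
            hits.append((host, " <- ".join(chain)))
    return hits
```

On the constructed log, `office_spawned_powershell(SAMPLE_LOG)` reports WS-014 (direct child of Word) and WS-031 (via an intermediate `cmd.exe`), and ignores the PowerShell started from `explorer.exe` on WS-022.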
Noting that Japanese Emotet emails previously “have been focused on corporate style payment notifications and invoices, following a similar strategy as emails targeting European victims,” the report said the new delivery approach “may be significantly more successful, due to the wide impact of the coronavirus and the fear of infection surrounding it.”
“After any major global event, disaster, or catastrophe, we see criminals piggyback onto the news cycle to try and get unsuspecting victims to click on links or download files in order to spread their malware,” said Javvad Malik, security awareness advocate at KnowBe4, who noted that last week miscreants sent out malware “exploiting the unfortunate helicopter crash which claimed the lives of Kobe Bryant, his daughter and several others.”
The advice to users is always the same, he said, “remain careful with anything relating to major news stories, emails, attachments, and social media, texts on your phone, anything! There will be a number of scams related to this, so please remember to Think Before You Click!”