
Hackers Use Coronavirus Outbreak in Emotet Malware Phishing Campaign

The world is currently wrapped up in the middle of a potential health crisis thanks to the coronavirus spreading through Wuhan, China. Where some see crisis, others see opportunity. There has been an increase in the number of malicious emails that use coronavirus as a theme, according to Kaspersky and IBM X-Force. 

Opportunism Meets Social Engineering

IBM X-Force says that the emails include notices about infection and how to prevent it. In an almost ironic twist, a physical virus, the coronavirus, is being used to spread a digital one, the Emotet trojan.

The researchers say that most of these emails are written in Japanese. This would suggest that the people behind them are targeting specific geographic regions that are more likely to be hit by the coronavirus, given their geographical proximity to China. The subjects of the emails include the current date and the Japanese word for “notification” to make them seem more urgent to readers.

IBM X-Force issued a writeup about the malware, saying that the emails seem to have been sent by a disability welfare service provider in Japan. “The text briefly states that there have been reports of coronavirus patients in the Gifu prefecture in Japan and urges the reader to view the attached document.”

There are some versions of the emails that warn about infections within different Japanese prefectures such as Osaka. The emails include a footer with a legitimate mailing address, phone number, and fax number for the relevant public health authority, which adds another air of authenticity. 

“Previously, Japanese Emotet emails have been focused on corporate style payment notifications and invoices, following a similar strategy as emails targeting European victims,” the writeup continued. “This new approach to delivering Emotet may be significantly more successful, due to the wide impact of the coronavirus and the fear of infection surrounding it.”

If the attached document is opened in a protected view, it will request that the user “enable content”. Much like with other Emotet attacks, the document contains an obfuscated VBA macro script that installs Emotet downloaders on the computer without the user knowing.

“The extracted macros are using the same obfuscation technique as other Emotet emails observed in the past few weeks,” IBM X-Force analysts said.

Emotet isn’t the only malware being spread on the back of the coronavirus, but it is one of the most prominent right now. It’s also hardly the first time a malware campaign has been built around current events. Malware campaigns have been built around the World Cup and, most recently, Greta Thunberg. 

Reactionary Times News Desk
