The World Health Organization (WHO) has declared the outbreak of the 2019 Novel Coronavirus (2019-nCoV) a Public Health Emergency of International Concern (PHEIC). Hackers and threat actors, however, are taking full advantage of the fear and panic the virus has caused. An Emotet malware spam (malspam) campaign, disguised as official coronavirus notifications from disability welfare service providers and public health centers, has been observed targeting audiences in Japan, including the prefectures of Osaka, Gifu and Tottori.
Experts on Emotet Malspam
Analysts from IBM X-Force and Kaspersky, along with infosec community experts, found that the Emotet operators reused templates from previously compromised accounts to target potential victims in this malspam campaign.
According to IBM, the attackers appear to be geo-targeting the email content and language to instill fear in audiences in these areas, making recipients more likely to open the malicious attachment. One of the malspam emails claimed that the coronavirus had been detected in the Gifu region of Japan, while another mentions Osaka. A few of these emails also carry a footer with a legitimate address, as well as the phone and fax numbers of disability welfare service providers and public health centers in the surrounding areas.
How the Japanese Emotet Malspam Works
Each of these malspam emails contains a warning note and a call to action to download a malicious Word document attachment (the Emotet malspam lure), which is claimed to contain precautionary health measures and the latest updates on the coronavirus. When the recipient opens the attachment and enables macros in Office 365, an obfuscated VBA macro script runs in the background, which in turn installs and runs a PowerShell script that downloads the Emotet malware. Emotet then downloads a few further malicious payloads to extract additional data from the targeted system.
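The infection chain described above (Word macro, then PowerShell, then the download) leaves a characteristic parent-child process trail that endpoint telemetry can catch. The following is an added example, not code from the original article or from any of the researchers it cites; it scores constructed process-creation records (field names and sample paths are assumptions modelled on Sysmon event ID 1) for an Office application launching a script interpreter with switches typical of macro-launched PowerShell.

```python
import re
from dataclasses import dataclass
from typing import List

# Office applications that have no business launching a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Switches that typically accompany macro-launched PowerShell: hidden window,
# encoded command, no profile, execution-policy bypass.
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s"
    r"|nop|noprofile|ep\s+bypass|executionpolicy\s+bypass)"
)

@dataclass
class ProcEvent:
    """One process-creation record (the fields Sysmon event ID 1 / EDR telemetry provide)."""
    parent_image: str
    image: str
    command_line: str

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(ev: ProcEvent) -> int:
    """0 = not the Office -> interpreter pattern; 2 = pattern seen; +1 per distinct suspicious switch."""
    if basename(ev.parent_image) not in OFFICE_PARENTS or basename(ev.image) not in SCRIPT_CHILDREN:
        return 0
    switches = {m.group(0).strip().lower() for m in SUSPICIOUS_ARGS.finditer(ev.command_line)}
    return 2 + len(switches)

def triage(events: List[ProcEvent], threshold: int = 2) -> List[ProcEvent]:
    """Return the events that warrant analyst attention, most suspicious first."""
    hits = [ev for ev in events if score_event(ev) >= threshold]
    return sorted(hits, key=score_event, reverse=True)

# Constructed sample telemetry (not from a real incident). The base64 blob is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\user\Downloads\coronavirus_notice.doc"'),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -nop -enc BASE64_PLACEHOLDER"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),  # benign print helper spawned by Word
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -File deploy.ps1"),  # admin use, not Office-spawned
]
```

Only the second record is flagged (score 5: the Word-to-PowerShell pattern plus three suspicious switches); Word opening the document, Word spawning its print helper, and an administrator's own PowerShell invocation all score 0.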
Emotet Malspam Campaign History
Earlier, researchers spotted an Emotet malspam campaign leveraging environmental activist Greta Thunberg's popularity to infect computers in Europe and Asia. Trading on the admiration students have for Thunberg, the trojan campaign used the climate activist's name to target domains with .com and .edu extensions. Attackers also geo-targeted European and Asian countries, followed by Australia and the U.S.
According to researchers at Proofpoint and ExecuteMalware, these emails looked just like another invitation from Thunberg to a climate change summit or demonstration, with subject lines carrying enticing text such as "Demonstration 2019" or "I invite you". The emails also encouraged readers to forward the message to their family and friends.