As the coronavirus originating in the Wuhan province of China continues to stir widespread fears about a global public health crisis, some see an opportunity in the outbreak. A recent spate of malicious, botnet-driven emails is using the coronavirus as a theme, according to telemetry from IBM X-Force and Kaspersky.
In the campaign seen by IBM X-Force, the emails purport to have attached notices regarding infection-prevention measures for the disease. And rather ironically, one virus is being used as a pretext to distribute another – specifically, the notorious Emotet trojan.
Most of the emails seen so far are written in Japanese, researchers said – suggesting that the operators are intentionally targeting geographic regions that may be more impacted by the outbreak given their locations in Asia. The subject line of the emails contains the current date and the Japanese word for “notification,” in order to create a sense of urgency.
“The emails appear to be sent by a disability welfare service provider in Japan,” according to a writeup from IBM X-Force, issued this week. “The text briefly states that there have been reports of coronavirus patients in the Gifu prefecture in Japan and urges the reader to view the attached document.”
Other versions use the same language but warn of infection reports within different Japanese prefectures, including Osaka and Tottori. The emails also have a footer with a legitimate mailing address, phone and fax number for the relevant public health authority for the targeted prefectures, to lend an air of authenticity.
“Previously, Japanese Emotet emails have been focused on corporate style payment notifications and invoices, following a similar strategy as emails targeting European victims,” said the firm. “This new approach to delivering Emotet may be significantly more successful, due to the wide impact of the coronavirus and the fear of infection surrounding it.”
Aside from the lure used, the campaign is otherwise a fairly run-of-the-mill Emotet effort, researchers said.
The attached document, when opened, surfaces an Office 365 message that asks the user to “enable content” if the document has been opened in protected view, according to IBM X-Force’s analysis. As with most Emotet email-borne attacks, if the attachment is opened with macros enabled, an obfuscated VBA macro script opens PowerShell and installs an Emotet downloader in the background.
“The extracted macros are using the same obfuscation technique as other Emotet emails observed in the past few weeks,” IBM X-Force analysts said.
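The chain described above (Office document, macro, PowerShell) leaves a recognizable parent/child pattern in process-creation telemetry. The following detection sketch is an added example, not code from IBM X-Force or Kaspersky; the event layout, the list of Office host processes, and every sample record are constructed assumptions.

```python
# Added example: flag PowerShell started, directly or through a helper process,
# by an Office application. All events are constructed sample data.
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed hosts
SHELLS = {"powershell.exe", "pwsh.exe"}

# Constructed process-creation records: (pid, parent pid, image path, command line)
SAMPLE_EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r'WINWORD.EXE /n "C:\Users\a\Downloads\notice.doc"'),
    (210, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c <placeholder>"),
    (220, 210, r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
     "powershell <placeholder arguments>"),
    # A console opened by hand from the desktop: must not alert.
    (300, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe"),
]

def basename(image):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(image).lower()

def office_spawned_shells(events, max_depth=8):
    """Return one alert per PowerShell process with an Office app as ancestor."""
    procs = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    alerts = []
    for pid, (ppid, image, cmd) in procs.items():
        if basename(image) not in SHELLS:
            continue
        chain, cur, depth = [basename(image)], ppid, 0
        # Walk up the tree; max_depth bounds the walk if pids form a loop.
        while cur in procs and depth < max_depth:
            parent_ppid, parent_image, _ = procs[cur]
            chain.append(basename(parent_image))
            if chain[-1] in OFFICE:
                alerts.append({"pid": pid, "cmdline": cmd, "chain": chain[::-1]})
                break
            cur, depth = parent_ppid, depth + 1
    return alerts

if __name__ == "__main__":
    for alert in office_spawned_shells(SAMPLE_EVENTS):
        print(" -> ".join(alert["chain"]), "|", alert["cmdline"])
```

Walking the ancestor chain rather than checking only the direct parent catches the case where the macro goes through an intermediate process such as `cmd.exe`; in real telemetry, key processes on a unique process identifier rather than the pid alone, since pids are reused.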
It’s not just Emotet that is looking to sow infections on the back of the growing threat. Kaspersky has seen several spam campaigns emerge in recent weeks that contain a range of coronavirus-themed attachments.
“The discovered malicious files were masked under the guise of .PDF, .MP4, .DOC files about the coronavirus,” researchers said in an analysis released Thursday and shared with Threatpost. “The names of files imply that they contain video instructions on how to protect yourself from the virus, updates on the threat and even virus-detection procedures, which is not actually the case.”
The files contain a bevy of threats, including trojans and worms that are “capable of destroying, blocking, modifying or copying data, and interfering with the operation of computers or networks,” according to the firm. So far, 10 different documents have been seen circulating.
With the number of coronavirus cases unfortunately surpassing the SARS outbreak of 2003 – 8,200 confirmed as of this writing – the disease will likely be an enduring lure for some time to come, researchers said.
“As people continue to be worried for their health, we may see more and more malware hidden inside fake documents about the coronavirus being spread,” wrote Anton Ivanov, Kaspersky malware analyst, in the report.
IBM X-Force also warned that Emotet operators will probably expand their targeting beyond Japan soon.
“We expect to see more malicious email traffic based on the coronavirus in the future, as the infection spreads,” according to the posting. “This will probably include other languages too, depending on the impact the coronavirus outbreak has on the native speakers. In these first samples, Japanese victims were probably targeted due to their proximity to China. Unfortunately, it is quite common for threat actors to exploit basic human emotions such as fear – especially if a global event has already caused terror and panic.”
Cybercriminals attempting to capitalize on current events or zeitgeist is nothing new, as seen in the World Cup campaigns that crop up every four years. Emotet itself recently turned up in a timely spam campaign in December that used climate-change activist and Time Person of the Year Greta Thunberg as a lure. The copy within the email included a few different themes, including Thunberg’s Time nomination, the Christmas holidays, and general environmental awareness and activism.