Emotet Attacks Spread Alongside Fears of Coronavirus

by Yaniv Hoffman on February 6, 2020

The rise of the coronavirus globally, but mainly in China, has resulted in the World Health Organization calling on all countries to take urgent measures to contain the disease. As a current Hong Kong resident, and one who is fully engaged with organizations in the APAC region, I can confirm that the fear is palpable.

And now, threat actors are leveraging this fear to issue malicious malware campaigns for personal gain.

The Threat

In the last few days, researchers from IBM X-Force have discovered emails that contain malicious Microsoft Word attachments and are primarily targeting Japan. However, cyber security professionals are not ruling out the possibility of such attacks spreading to broader geographies as the coronavirus likewise spreads.

In case of Japan, many of these emails are crafted to appear as though they are coming from local disability welfare service providers. The message states that there have been reports of coronavirus patients in the area (e.g. Gifu and Osaka prefectures), making the readers to more likely click on the attachment for more information and guidance.

Sponsorships Available

Sender: XXXXXXX Public Health Center (Representative: xxxxx)

Subject: Public Health Center welfare Jan 29 2020

To whom it may concern,

Regarding Coronavirus-infected pneumonia, victims have been reported from Wuhan city in China.

Also domestically in Japan, some victims have been found in Gifu city.

Please find the attached notification and take appropriate action to protect yourselves.

Once the attachment is opened, a VBA macro script opens a powershell and installs an Emotet downloader in the background.

Once the malware is downloaded, Emotet uses the infected system to send out additional phishing emails and spam in an effort to grow the Botnet and later on can be leveraged to scams, ransomware and personal/valuable information theft.

What is Emotet?

Emotet started mainly as financial Trojan malware, whose main goal was to install additional code on endpoints it infected, as well for ransomware purposes, as it can scrape destination’s computers. Thus, it’s a great vehicle for bot infections.

Per a recent alert issued by the Cybersecurity and Infrastructure Security Agency (CISA), there is “a recent increase in targeted Emotet malware attacks. Emotet is a sophisticated Trojan that commonly functions as a downloader or dropper of other malware. Emotet primarily spreads via malicious email attachments and attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. If successful, an attacker could use an Emotet infection to obtain sensitive information. Such an attack could result in proprietary information and financial loss as well as disruption to operations and harm to reputation.”

A Zero Trust Approach

The typical recommended approach is to always exercise caution when it comes to suspected messages and emails, periodically install official security updates, install Antivirus, and use secure passwords. Yet, organizations can’t rely solely on human behavior to protect their networks and data; they must practice a ZERO TRUST approach.

Zero trust is a comprehensive approach to securing all access across your networks, applications, and environment. This approach helps secure access from users, end-user devices, APIs, IoT devices, microservices, containers, and more. It protects your workforce, workloads, and workplace:

Workforce: Protects users and their devices against stolen credentials, phishing, and other identity-based attacks
Workload: Manages multi-cloud environments and contains lateral movement across the network
Workplace: Gains insights into users and devices, identifies threats and maintains control over all connections in your network