The novel coronavirus that originated in the province of Wuhan in China has now spread to other countries, with Japan and Thailand the worst affected so far with 14 cases. People are naturally worried about infection and with good reason. More than 200 people are known to have died so far.
In Japan, people have been receiving emails warning of new infections in their prefectures. The emails have file attachments that appear to be reports about the new cases that contain important information. The emails appear to have been sent by a disability welfare agency, and the emails include a footer with the agency’s correct contact information. However, all is not as it seems. While the document may be thought to contain important information about how people can avoid being infected, opening the attached document and enabling the content guarantees infection with something else that is particularly nasty, can spread quickly, and can cause considerable pain and suffering. The Emotet Trojan.
The Emotet gang, also known as TA542, have been using the coronavirus as a lure in targeted attacks in Japan, taking advantage of concern about the coronavirus. This is a marked departure from the style of emails normally used by TA542 to deliver the Emotet Trojan in Japan. The emails are usually more business-focused and the malicious file attachments masquerade as invoices and payment notifications. This new tactic could prove effective, especially considering how worried people are about the coronavirus. The campaign was detected by IBM X-Force researchers. Several emails have been detected that target different Japanese prefectures. The language in each differs slightly but they all have a similar coronavirus-themed lure.
As with other Emotet campaigns, if the Word document is opened, the user will be presented with an Office 365 warning informing them they need to enable content to view the document. Enabling content allows a malicious VBA macro to run; the macro launches PowerShell, which installs an Emotet downloader.
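Defenders can watch endpoint telemetry for the process chain described above. The following is an added example, not code from the original article or from IBM X-Force: it scans constructed process-creation records for PowerShell that has Word anywhere in its ancestry. The field names (`pid`, `ppid`, `image`) and the sample events are assumptions made for illustration.

```python
import ntpath

WORD = {"winword.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample events; the field names are assumptions for this example.
# Real telemetry should key on a process GUID, because PIDs get reused.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # PowerShell started from the desktop shell: must not alert.
    {"pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def name(event):
    """Lower-cased executable name from a Windows image path."""
    return ntpath.basename(event["image"]).lower()


def word_spawned_powershell(events):
    """Return one alert per PowerShell process that has Word as an ancestor."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        if name(event) not in POWERSHELL:
            continue
        chain, seen = [event], {event["pid"]}
        parent = by_pid.get(event["ppid"])
        # Walk up the tree so an intermediate process (cmd.exe here) is not missed.
        while parent is not None and parent["pid"] not in seen:
            chain.append(parent)
            seen.add(parent["pid"])
            if name(parent) in WORD:
                alerts.append({"pid": event["pid"],
                               "chain": [name(p) for p in reversed(chain)]})
                break
            parent = by_pid.get(parent["ppid"])
    return alerts


if __name__ == "__main__":
    for alert in word_spawned_powershell(EVENTS):
        print("ALERT pid", alert["pid"], " -> ".join(alert["chain"]))
```

The check only sees ancestry that is present in the log, so it complements rather than replaces blocking macros in documents that arrive by email.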
TA542 may expand the campaign and run campaigns in different languages in other countries. “We expect to see more malicious email traffic based on the coronavirus in the future, as the infection spreads,” explained IBM X-Force in a recent blog post warning about the new campaign.
Several other malspam campaigns that use a coronavirus theme to get users to open malicious documents have been detected by Kaspersky Lab over the past few days. The file attachments used in those campaigns appear to be PDF, MP4, and DOCX files. The emails claim the files provide information on how to protect against infection.
If you receive an unsolicited email that appears to contain information about the coronavirus, it could well be a scam. To avoid falling victim to these phishing and malware attacks, do not open file attachments or click hyperlinks in unsolicited messages, and obtain information from trusted sources.