A malspam campaign is actively distributing Emotet payloads via emails that warn the targets of coronavirus infection reports in various prefectures in Japan, including Gifu, Osaka, and Tottori.

To scare the potential victims into opening malicious attachments, the spam emails — camouflaged as official notifications from a disability welfare service provider and public health centers — promise to provide more details on preventative measures against coronavirus infections within the attachments.

The Emotet gang is known for taking advantage of trending current events and approaching holidays by sending out targeted custom templates, such as invites to a Greta Thunberg demonstration or to Christmas and Halloween parties.

They are doing it again in the case of this campaign, exploiting an ongoing global-scale health crisis triggered by infections with the new 2019 novel coronavirus (2019-nCoV) strain that causes respiratory illness for their own malicious purposes.

Emotet 'coronavirus' email samples (IBM X-Force & bom)

Japanese coronavirus lures

According to reports from the infosec community, this campaign is using stolen emails from previously compromised accounts as a template in an attempt to infect recipients with Emotet.

However, others point out that "Japanese in the subject and file names is strange" and that this "looks more sophisticated than other Emotet distribution attempts."

"The subject of the emails, as well as the document filenames are similar, but not identical," a report from IBM X-Force Threat Intelligence explains.

"They are composed of different representations of the current date and the Japanese word for 'notification', in order to suggest urgency."

One of the spam emails sent as part of this ongoing campaign is alerting of infections being reported in the Osaka prefecture:

Jurisdiction tsusho / facility related disability welfare service provider

We become indebted to.

Patients were reported about the new type of coronavirus-related pneumonia, mainly in Takeshi, China.

In Japan, patients are being reported in Osaka Prefecture,

Along with the anticipated increase in the number of visitors to Japan, a separate notice has been issued.

Therefore, please check the attached notice,

Some of the email samples spotted by researchers while monitoring this campaign also come with a footer containing the address of the institution that supposedly sent the coronavirus infection notification for added authenticity.

"This new approach to delivering Emotet may be significantly more successful, due to the wide impact of the coronavirus and the fear of infection surrounding it," the IBM X-Force Threat Intelligence report says.

"We expect to see more malicious email traffic based on the coronavirus in the future, as the infection spreads. This will probably include other languages too, depending on the impact the coronavirus outbreak has on the native speakers."

The Emotet infection

The end goal of such spam emails is to trick their recipient into opening an attached Word document designed to attempt to download and install the Emotet malware.

If the user falls for Emotet's tricks and opens the attachment, they will see the standard Emotet Office 365 document template that asks them to "Enable Content" to properly view the full document.

Once macros are enabled, the Emotet payload is downloaded and installed on the victim's device using a PowerShell command.

Sample Emotet malicious document template

The infected computer will then be used to deliver malicious spam messages to other targets and to drop other malware strains onto the device, such as the TrickBot info-stealer Trojan, which is also known for delivering ransomware.

This secondary payload will allow the attackers to harvest user credentials, browser history, and sensitive documents that will be packed and sent to attacker-controlled storage servers.

Unexpected attachments are bad news

You need to be wary of any strange emails that land in your inbox, especially those that come with Word document attachments, because of the severity of an Emotet infection.

Instead of opening suspicious attachments, you should either reach out to the sender for confirmation that they are the ones who sent the email, or share it with your security staff first so it can be examined within a controlled environment.

A week ago, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on increased targeted Emotet malware attacks and advised users and admins to review the Emotet Malware alert for detailed guidance.

Among the measures that can be taken to mitigate Emotet attacks, CISA recommends that organizations:

• Block email attachments commonly associated with malware (e.g., .dll and .exe).
• Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
• Implement Group Policy Object and firewall rules.
• Implement an antivirus program and a formalized patch management process.
• Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
• Adhere to the principle of least privilege.
• Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.
• Segment and segregate networks and functions.
• Limit unnecessary lateral communications.
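As an added illustration (not code from the article, CISA or IBM X-Force), the Python triage function below applies two of the recommendations above at the email gateway, blocking the listed attachment types and checking the DMARC result, and also flags the lure pattern IBM X-Force described: a representation of the date combined with the Japanese word for "notification". The date formats, the extension sets and the sample messages are constructed assumptions, not values taken from the campaign.

```python
import os
import re

# Extensions CISA recommends blocking at the gateway (.dll, .exe, .zip) and
# macro-capable Word formats used as Emotet droppers; both sets are assumed.
BLOCKED_EXTENSIONS = {".dll", ".exe", ".zip"}
MACRO_DOC_EXTENSIONS = {".doc", ".docm", ".dot", ".dotm"}

# Japanese word for "notification" (tsuuchi) seen combined with date strings
# in the lure subjects and filenames; the date formats below are assumptions.
NOTIFICATION_JA = "通知"
DATE_RE = r"(?:\d{4}[年/\-.]\d{1,2}[月/\-.]\d{1,2}日?|\d{8}|\d{1,2}月\d{1,2}日)"
LURE_RE = re.compile(rf"{DATE_RE}.*?{NOTIFICATION_JA}|{NOTIFICATION_JA}.*?{DATE_RE}")


def matches_lure(text: str) -> bool:
    """True when a date representation and 通知 appear together in the text."""
    return bool(LURE_RE.search(text))


def triage(msg: dict) -> list:
    """Return the reasons a message should be held at the gateway (empty if none)."""
    reasons = []
    for name in msg["attachments"]:
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")
        elif ext in MACRO_DOC_EXTENSIONS:
            reasons.append(f"macro-capable Word attachment: {name}")
        if matches_lure(name):
            reasons.append(f"lure-style attachment name: {name}")
    if matches_lure(msg["subject"]):
        reasons.append(f"lure-style subject: {msg['subject']}")
    if msg.get("dmarc") == "fail":
        reasons.append("DMARC validation failed")
    return reasons


# Constructed sample messages (not real campaign data) for a dry run.
SAMPLE_MESSAGES = [
    {"subject": "2020年1月29日 通知", "dmarc": "fail", "attachments": ["20200129通知.doc"]},
    {"subject": "Meeting notes", "dmarc": "pass", "attachments": ["agenda.pdf"]},
    {"subject": "Invoice", "dmarc": "pass", "attachments": ["invoice.zip"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", triage(msg) or "deliver")
```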

Emotet ranked first in a 'Top 10 most prevalent threats' list shared by the interactive malware analysis platform Any.Run during late December, with triple the number of uploads compared to any other malware family in that ranking.

If you want to learn more about Emotet and the latest active campaigns, you should follow the Cryptolaemus group on Twitter, a collective of security researchers who share frequent updates on this malware's activity.
