Emotet operators are looking to pray on people’s fears to spread malware through malicious emails. In this case, they are using the real health crisis of the coronavirus outbreak in China.
Using people’s fears to spread malware is not new, and it’s good practice always to be wary of emails that link directly to important current events. And since the Wuhan coronavirus (2019-nCoV) is dominating the 24-hour news cycle, it’s not surprising that cybercriminals are looking to piggyback on it to spread malware.
Security researchers have discovered an active email campaign delivering compromised Word attachments, which supposedly carry information about the outbreak and various measures people can employ to prevent it.
Emotet started its life as a banking Trojan, but its capabilities were enhanced over time. Now, it works as a loader as well and can deploy other payloads as well or turn infected systems into a botnet component. Such botnet networks can be rented out to other cybercriminals, in ransomware or DDoS attacks, for example.
This new wave of infected emails seems to target Japanese-speakers, at least for now. “The subject of the emails, as well as the document filenames are similar, but not identical,” said the security researchers. “They are composed of different representations of the current date and the Japanese word for ‘notification’, in order to suggest urgency.”
Opening the Word document in an environment that has macros enabled triggers a PowerShell script that fetches an Emotet downloader. Even with macros disabled, users would still receive a notification to enable macros to see the document correctly.
Users should always be cautious when opening attachments from unknown sources and make sure their security solution is up to date. Cybercriminals exploit worldwide events, and that in itself should be enough information to screen incoming emails with care.