Emotet operators are looking to prey on people’s fears to spread malware through malicious emails. In this case, they are using the real health crisis of the coronavirus outbreak in China.
Using people’s fears to spread malware is not new, and it is always good practice to be wary of emails that link directly to important current events. Since the Wuhan coronavirus (2019-nCoV) is dominating the 24-hour news cycle, it is not surprising that cybercriminals are looking to piggyback on it to spread malware.
Security researchers have discovered an active email campaign delivering compromised Word attachments, which supposedly carry information about the outbreak and various measures people can employ to
Emotet started its life as a banking Trojan, but its capabilities were enhanced over time. It now also works as a loader that can deploy other payloads or turn infected systems into botnet components. Such botnets can be rented out to other cybercriminals, for ransomware or DDoS attacks, for example.
This new wave of infected emails seems to target Japanese speakers, at least for now. “The subject of the emails, as well as the document filenames, are similar, but not identical,” said the security researchers. “They are composed of different representations of the current date and the Japanese word for ‘notification’, in order to
Opening the Word document in an environment with macros enabled triggers a PowerShell script that fetches an Emotet downloader. Even with macros disabled, users still see a prompt urging them to enable macros so the document displays correctly.
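Because the infection chain described above depends on the recipient enabling macros, a mail gateway or endpoint tool can triage attachments before they reach the user by checking whether an Office document carries a VBA project at all. The following is an added example written for this article, not code from the article or from the researchers it quotes. It inspects a document's bytes: modern Office files are zip containers, and a VBA project is stored as a `vbaProject.bin` part inside them; legacy binary `.doc` files use the OLE2 container, which cannot be checked this way without a dedicated parser, so they are simply flagged for closer inspection. The sample documents are constructed in memory so the script runs offline; the part names and the `should_quarantine` policy are assumptions for illustration.

```python
import io
import zipfile

# Magic number of the legacy OLE2 (Compound File Binary) container used by .doc/.xls.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Local-file header signature that every zip-based OOXML document starts with.
ZIP_MAGIC = b"PK\x03\x04"
# OOXML parts whose presence means the document embeds a VBA macro project (assumed list).
VBA_PART_NAMES = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def classify_attachment(data: bytes) -> str:
    """Classify raw attachment bytes as one of:
    'ooxml-macro'  - zip-based Office file that contains a VBA project
    'ooxml-clean'  - zip-based Office file with no VBA project part
    'ole2-legacy'  - legacy binary Office container (macros cannot be ruled out here)
    'other'        - not an Office container at all
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "other"
    # Match both the well-known part paths and any vbaProject.bin placed elsewhere,
    # since the part can live under a non-standard directory inside the zip.
    has_vba = any(n in VBA_PART_NAMES or n.endswith("vbaProject.bin") for n in names)
    return "ooxml-macro" if has_vba else "ooxml-clean"


def should_quarantine(filename: str, data: bytes) -> tuple[bool, str]:
    """Example triage policy (assumed): hold any attachment that carries or may
    carry macros for analyst review; return the decision and the verdict."""
    verdict = classify_attachment(data)
    hold = verdict in ("ooxml-macro", "ole2-legacy")
    return hold, verdict


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal zip that mimics an OOXML Word document (constructed
    sample, not a real document); optionally add a placeholder VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments standing in for mail-gateway input.
    samples = {
        "20200129_notification.docm": build_sample_docx(with_macro=True),
        "report.docx": build_sample_docx(with_macro=False),
        "old_format.doc": OLE2_MAGIC + b"\x00" * 24,
        "notes.txt": b"plain text, not an Office file",
    }
    for name, blob in samples.items():
        hold, verdict = should_quarantine(name, blob)
        print(f"{name:28} verdict={verdict:12} quarantine={hold}")
```

The check is deliberately conservative: a legacy `.doc` is held even though it may contain no macros, because distinguishing the two reliably requires parsing the OLE2 streams (the `oletools` project is the usual choice for that). Conversely, a `vbaProject.bin` part proves a macro project exists, not that it is malicious, so the output is a triage signal to pair with the sender-reputation and subject-line screening the article recommends.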
Users should always be cautious when opening attachments from unknown sources and make sure their security solution is up to date. Cybercriminals exploit worldwide events, and that in itself should be enough reason to screen incoming emails with care.