Exploiting a viral topic for malicious purposes is something quite often seen in spam campaigns. This is what is happening now with the new strain of the coronavirus.
A new botnet-driven spam campaign is spreading malicious files masquerading as documents with video instructions on how to protect against the coronavirus. Instead of learning anything useful, the potential victim gets a computer infection ranging from Trojans to worms, according to telemetry data from IBM X-Force and Kaspersky.
The Coronavirus theme is spreading the Emotet malware
As pointed out by security researchers, the irony is that one virus is being used as a pretext to deliver another virus. In this spam campaign, threat actors are distributing the Emotet malware.
Most of the analyzed emails were written in Japanese. This could mean that the attackers are targeting specific geographic locations that may be more impacted by the coronavirus outbreak. As for the subject lines of these emails, they contain the Japanese word for “notification”. Creating a sense of urgency is one of the oldest tricks in malicious spam.
Previously, Japanese Emotet emails have been focused on corporate-style payment notifications and invoices, following a strategy similar to that of emails targeting European victims. This new approach to delivering Emotet may be significantly more successful, due to the wide impact of the coronavirus and the fear of infection surrounding it, says IBM X-Force.
Aside from using the coronavirus as a lure, the campaign does not stand out in any particular way. Typically, upon opening the attached document, which is presented as a .PDF, .MP4, or .DOC file, the user is prompted to enable the content. If the document is opened with macros enabled, an obfuscated VBA macro script runs PowerShell to install an Emotet downloader in the background.
“The extracted macros are using the same obfuscation technique as other Emotet emails observed in the past few weeks,” says IBM X-Force.
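A mail-gateway triage check for the delivery chain described above, as an added example that is not from the original article or from IBM X-Force: it flags attachments that carry a VBA project, or whose name claims .pdf/.mp4 while the bytes are an Office-style container. The function names, reason strings and sample message are constructed for illustration, and the byte-signature test is a heuristic, not a full OLE parser.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # legacy Office (OLE2) container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm) is a ZIP
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")   # OLE directory names are UTF-16LE
MISMATCH_EXTS = (".pdf", ".mp4")                  # lure names that should never be containers


def has_macros(data: bytes) -> bool:
    """Heuristic: does this blob look like an Office file carrying a VBA project?"""
    if data.startswith(OLE_MAGIC):
        return VBA_STREAM in data
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage(raw_email: bytes) -> list:
    """Return (filename, reason) for every attachment worth quarantining."""
    findings = []
    for part in message_from_bytes(raw_email).walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and multipart wrappers have no filename
        data = part.get_payload(decode=True) or b""
        if has_macros(data):
            findings.append((name, "office document with VBA macros"))
        elif data.startswith((OLE_MAGIC, ZIP_MAGIC)) and name.lower().endswith(MISMATCH_EXTS):
            findings.append((name, "extension does not match container content"))
    return findings


def build_sample() -> bytes:
    """Constructed message: a fake macro-bearing OLE blob named .mp4 plus a benign file."""
    msg = EmailMessage()
    msg["Subject"] = "notification (constructed sample)"
    msg.set_content("see attachment")
    fake_ole = OLE_MAGIC + b"\x00" * 64 + VBA_STREAM + b"\x00" * 64
    for name, body in (("instructions.mp4", fake_ole), ("readme.txt", b"plain text")):
        msg.add_attachment(body, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Calling `triage(build_sample())` flags only `instructions.mp4`; a production gateway would parse the OLE directory properly instead of searching for the stream name.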
In December 2019, Emotet operators were actively spreading phishing emails with the intention of scamming the recipients into believing that they are receiving Christmas party menus. The emails included subject lines such as “Christmas” or “Christmas Party” as a lure.