Researchers with IBM X-Force and Kaspersky have discovered that cybercriminals are spreading a popular malware strain through malicious emails and links related to the coronavirus outbreak that started in Wuhan, China in January.
Hackers are using global fears about the spread of the virus to target people in Japan with the Emotet trojan, a popular strain of malware that has been devastatingly effective at attacking governments and financial institutions. The email discovered by IBM found that cybercriminals were sending emails under the guise of being part of a disability welfare service provider in Japan.
SEE: Coronavirus having major effect on tech industry beyond supply chain delays (free PDF) (TechRepublic)
The emails falsely claims that there are reports of coronavirus patients in the Gifu, Tottori and Osaka prefectures in Japan, urging victims to read an attached Microsoft Word document which contains the Emotet trojan. The messages are particularly dangerous because they were made to look like official government emails, equipped with legitimate addresses, phone numbers and emails.
“The practice of leveraging worldwide events by basing malicious emails on current important topics has become common among cyber criminals. Such a strategy is able to trick more victims into clicking malicious links or opening malicious files, ultimately increasing the effectiveness of a malware campaign,” IBM researchers wrote in a report on Wednesday.
“What makes these attacks rather special, is the fact that they deliver the Emotet trojan, which has shown increased activity recently. It achieves this by urging its victims into opening an attached Word document, described as a supposed notice regarding infection prevention measures,” the report added.
SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic Premium)
Preying on people’s fear of the coronavirus
Threat researchers with Kaspersky identified other attempts to spread Emotet using the coronavirus scare as a way to get people to open emails or files and share them. Cybercriminals are attaching .pdf, .mp4, and .docx files to emails that purport to have information on how people can protect themselves from the virus, updates on its spread and even virus detection procedures.
“The coronavirus, which is being widely discussed as a major news story, has already been used as bait by cybercriminals,” said Anton Ivanov, Kaspersky malware analyst. “So far we have seen only 10 unique files, but as this sort of activity often happens with popular media topics, we expect that this tendency may grow. As people continue to be worried for their health, we may see more and more malware hidden inside fake documents about the coronavirus being spread.”
IBM researchers note that this kind of attack will be significantly more successful because of the very real fears many people, especially those in Asia, have about the spread of the coronavirus, which was declared a public health emergency on Thursday. Previous attempts to spread the Emotet malware in Japan focused primarily on the kind of corporate-style payment notifications and invoices that worked well in Europe.
Additional attempts to use the coronavirus to spread malware
A Japanese researcher on Twitter has been posting updates about other attempts by hackers to use the coronavirus to spread malware. Irfan Asrar, head of Cyber Threat Intelligence and Operations at Blue Hexagon, said the latest campaign appears to have hijacked the messaging from an official alert about coronavirus in Osaka and will likely target healthcare organizations as well as other corporations.
Dozens of security researchers said hackers using Emotet routinely use global news events to spread the malware, which can extract valuable data from people or upload malicious programs to your device.
Kowsik Guruswamy, CTO of Menlo Security, said this new campaign shows why existing security technologies may never be able to eliminate phishing attacks with malicious attachments. Attackers are often leveraging a life or death situation to trick people into downloading malware and no AI or threat intelligence-based blacklist can ever stop this kind of attack.
“We should expect to see more spikes in malware campaigns that coincide with natural disasters or other critical events that grab national or International headlines. Attackers have picked up on the fact that people want to stay informed during a crisis. Especially when it’s a matter of life and death, people will let their guard down a little and not always be as careful. So it’s a natural angle to adapt to get people’s attention and prompt them to take some action that they may not normally do when there isn’t a crisis,” Guruswamy said.
Businesses need to rethink security measures
Companies, he added, need to rethink their security, train employees about potential attacks, update their policies or filters when a campaign is identified and think about new technologies or methods that do not rely on rear view security.
Javvad Malik, security awareness advocate with KnowBe4, said attackers tried to spread Emotet malware this week by exploiting the unfortunate helicopter crash which claimed the lives of Kobe Bryant, his daughter and several others.
To protect against these kinds of attacks, enterprises need to stop Emotet from moving laterally across the network, according to Peter Smith, CEO of Edgewise Networks.
“If Emotet is still a threat six years after discovery, clearly something in malware detection and perimeter defenses aren’t doing the job. The best defense is to microsegment the network to enable zero trust so that only approved, verified communications are allowed, which would prevent Emotet from doing so much damage,” Smith noted.
The Super Bowl and Greta Thunberg also used as malware
Cybercriminals even use positive events, like the Super Bowl or Greta Thunberg’s climate change movement, to spread malware to unsuspecting victims. Senior Director Threat Research and Detection at Proofpoint Sherrod DeGrippo said cybercriminals know much of the world is interested in any information they can get on the coronavirus and are using the urgency of the situation to lure people into traps.
“Emotet is one of the world’s most disruptive threats—and they use extremely topical lures, like the coronavirus and Greta Thunberg, in hundreds of thousands to millions of socially engineered emails daily,” DeGrippo said.
“Emotet’s infrastructure is also very test and metric-driven and is built to scale depending on what’s working. That said, their campaigns tend to be broad and more targeted to particular geographies and languages rather than verticals. It’s important security teams continue to secure their email channel and educate users regarding the increased risks associated with email attachments risks as Emotet is capable of downloading a range of additional malware, spreading across networks and using infected devices to launch further attacks.”