Coronavirus-related malspam targets Japanese users with Emotet

Spam emails were received all over Japan, including Gifu, Osaka, and Tottori cities

Fake coronavirus infection notes are pushing Emotet in Japan

Malware developers now mimic representatives from healthcare companies by using the tragic news about the widespread coronavirus[1] infection to distribute Emotet banking trojan.[2] People who live in Japan’s cities such as Gifu, Osaka, and Tottori have recently been receiving suspicious emails as potential targets of the coronavirus disease.

Malicious actors behind malspam are abusing the highly publicized disease in order to make users open the attachment within the email. The body text of the email claims that users could find out more information about the disease, as well as effective ways of avoiding the infection. However, this is false as opening the clipped file leads to the execution of the well-known banking trojan Emotet, which is often spread via various malspam campaigns since its release in 2014.

The malicious payload is dropped through Word documents

Without a doubt, many people are currently concerned about a possible outbreak, and the attackers behind Emotet are ready to abuse this fact – sending thousands of emails to potential targets has become a routine practice.

When the fake message is opened, a Word document presents the “Enable Content” option, which, once accepted, would allegedly provide access to the contents of the document. Enabling the macros allows the document to launch PowerShell commands, which would consequently download and install Emotet Trojan. Malware can then proceed to steal banking and other information from victims, as well as propagate other malicious software, such as infostealer Trickbot.[3] The latter is known to install ransomware on users’ devices – malware that can result in complete personal file loss.

Furthermore, the malware can view all important files and browsing details that are saved on the compromised device. Later on, all the collected information is transferred to a remote server controlled by cybercriminals.

Cybercriminals employ stolen email messages to push the malware

A cybersecurity researcher announced on Twitter[4] that this malicious campaign has been employing stolen messages for the distribution of Emotet. Here is an example of a spam message falsely warning users in Takeshi territory:

Jurisdiction tsusho / facility related disability welfare service provider
We become indebted to.
Patients were reported about the new type of coronavirus-related pneumonia, mainly in Takeshi, China.
Patients have been reported in Tottori Prefecture in Japan,
Therefore, please check the attached notice,
Thank you for your infection prevention measures.
In parallel, we are preparing to publish on the Wamnet Kyoto page.

For providing a look of legitimacy and given the notification an “official feel”, the hackers include the name of the healthcare center at the end of the message together with the postal address, telephone number, and fax number. Furthermore, IBM X-Force Exchange researchers reveal[5] that the email subjects and file names look very similar but are not the same.

Precautionary steps should be taken to avoid malicious infections

Malicious email spam[6] campaigns are very popular for malware delivery and have been used by individual hackers and hacking groups. The most important thing to do to protect yourself from malware intrusion is to be able to recognize a phishing email. If you were not expecting to receive any important message from UPS or another well-known service, and are not sure whether it is real, contacting the company that supposedly sent the email will confirm its (il)legitimacy.

However, if the email message comes from an unknown sender, you should delete it immediately. The same goes if the content of the email includes grammar and style mistakes as reliable companies make sure that their delivered messages are flawless.

Continuously, you should always pay attention to the clipped attachments. Most of the time, malicious actors deliver malware through Word documents and Excel sheets, so these are the files that you need to be aware of the most. Do not open any of them without performing an antivirus scan first.