Very recently, the Coronavirus that apparently originated from the Wuhan province in China has created pandemonium across the world creating an atmosphere of a health crisis for the global populace. As the news of the deadly Coronavirus creates waves of panic across the globe, cyberattackers are lurking into this phenomenon as an opportunity, less of a catastrophe. Multiple instances of malicious, automated emails have been reported in several continents that are getting spooled with ‘Coronavirus’ as a theme.
The content of these emails is smartly written, consisting of an attachment that claims to provide information on prevention & precaution of the virus. When recipients click on this attachment to view the content, what happens next is an irony within itself —one virus used to propagate another. What’s worse is attackers are distributing the infamous Emotet Trojan through these malicious attachments.
Currently, the major reported instances are seen in regions closer to the Coronavirus’ point of origination. Hence, emails written primarily in Japanese and other Asian languages are seen circulated with the attachment heading composed in the regional language, on purpose. To make these emails sound ‘very urgent,’ attackers are ensuring that they add current dates to these emails.
To give a sense of the situation, emails are being sent from fake email IDs of local health organizations that pretend to alarm about the virus’ outbreak in that region. For example, emails can be sent from fake email IDs of health institutions in the Philippines, the content of which will be on the lines of, “ the Coronavirus has impacted Manila with the first official patient diagnosed in the Philippine General Hospital.” Hackers are even forging the official mailing addresses, phone & fax numbers of these institutions to make the communication sound very genuine and legitimate.
Previously, malicious emails that contained Emotet were propagated to lure a corporate target audience, in Asia as well as in Europe. This style though, analysts say, can be far more successful as bait considering the deep impact of the implications of Coronavirus.
Functionality Attached in an Office 365 email, it asks the users to enable content if the document is being opened in a protected view. As with most Emotet email attacks, if the attachment is opened with ‘macros enabled’ it automatically infuses an obfuscated VBA macro script that further opens Powershell and downloads and installs an Emotet downloader in the background. The extracted macros then use the same predictable obfuscation techniques. Other than Emotet, analysts also observe a swarm of Coronavirus themed spam campaigns. However, this modus operandi is malicious and fake! These email attachments carry a plethora of cyber threats riding on Trojan & Worm malware that are capable of annihilating sensitive data and tamper with computers and networks meant for business and personal use. Ten documents have been seen to be circulating so far.
Obviously, hackers will try to maximize this opportunity and accelerate the spread of malware through these fake documents. Hacker proximity is predicted to be directly proportional with the regions that ‘Coronavirus’ penetrates. We will see more of such mal-campaigns targeted towards several other demographic regions with emails written in the respective native languages.