Cybercriminals are exploiting fears over the outbreak
of Coronavirus in China, sending out emails with malicious Word attachments purportedly
providing updates on preventing infection but in actuality delivering the
“Patients were reported about the new type of coronavirus-related pneumonia, mainly in Takeshi, China. Patients have been reported in Gifu Prefecture in Japan, Therefore, please check the attached notice, Thank you for your infection prevention measures,” one email read.
“The subject of the emails, as well as the
document filenames are similar, but not identical,” according to an IBM X-Force Threat
report detailing a “recent wave” of exploitations associated with the Coronavirus. “They
are composed of different representations of the current date and the Japanese
word for ‘notification,’ in order to suggest urgency.”
The researchers were able to retrace the infection
process after running the attached document – an Office 365 message telling the
victim to enable the content to sidestep protected view – through a sandbox.
If the attachment in one of the samples “has been opened with
macros enabled, an obfuscated VBA macro script opens powershell and installs an
Emotet downloader in the background,” typical behavior for the bulk of Emotet
documents, they wrote.
“In this case, the file hashes of the
malicious attachments are mostly different; nevertheless, the extracted macros are
using the same obfuscation technique as other Emotet emails observed in the
past few weeks,” the report said.
Explaining that Japanese Emotet emails previously
“have been focused on corporate style payment notifications and invoices,
following a similar strategy as emails targeting European victims,” the report
said the new delivery approach “may be significantly more successful, due to
the wide impact of the coronavirus and the fear of infection surrounding it.”
“After any major global event, disaster, or catastrophe, we see criminals piggyback onto the news cycle to try and get unsuspecting victims to click on links or download files in order to spread their malware,” said Javvad Malik, security awareness advocate at KnowBe4, who noted that last week miscreants sent out malware “exploiting the unfortunate helicopter crash which claimed the lives of Kobe Bryant, his daughter and several others.”
The advice to users is always the same, he said, “remain careful with anything relating to major news stories, emails, attachments, and social media, texts on your phone, anything! There will be a number of scams related to this, so please remember to Think Before You Click!”