Coronavirus Campaigns Spreading Malware

January 31, 2020

A new report by IBM X-Force Exchange found that cybercriminals are taking advantage of the coronavirus outbreak, and using it to spread malware.

"The practice of leveraging worldwide events by basing malicious emails on current important topics has become common among cybercriminals. Such a strategy is able to trick more victims into clicking malicious links or opening malicious files, ultimately increasing the effectiveness of a malware campaign," notes IBM.

X-Force discovered the first campaign of this type, in which the outbreak of a biological virus is used as a means to distribute a computer virus. IBM researchers say that what makes these attacks rather special, is the fact that they deliver the Emotet trojan, which has shown increased activity recently. The virus urges its victims into opening an attached Word document, described as a supposed notice regarding infection prevention measures.

The emails appear to be sent by a disability welfare service provider in Japan, says IBM. The text briefly states that there have been reports of coronavirus patients in the Gifu prefecture in Japan and urges the reader to view the attached document.

After IBM researchers ran the document through a sandbox, they could retrace the infection process: If the attachment has been opened with macros enabled, an obfuscated VBA macro script opens powershell and installs an Emotet downloader in the background. This is the typical behavior of most Emotet documents, notes the blog.

Previously, Japanese Emotet emails have been focused on corporate style payment notifications and invoices, following a similar strategy as emails targeting European victims, says IBM. Researchers note that this new approach to delivering Emotet may be significantly more successful, due to the wide impact of the coronavirus and the fear of infection surrounding it.

In addition, researchers expect to see more malicious email traffic based on the coronavirus in the future, as the infection and fear spreads. They also expect malicious email traffic to expand to include other languages too, depending on the impact the coronavirus outbreak has.

"Japanese victims were probably targeted due to their proximity to China. Unfortunately, it is quite common for threat actors to exploit basic human emotions such as fear – especially if a global event has already caused terror and panic," say the researchers.

Researchers recommend that users:

Do not click or open links in emails directly, instead type in the main URL in browser or search the brand/company via a preferred search engine.
Ensure anti-virus software and associated files are up to date.
Search for existing signs of the indicated IOCs in environment.
Block all URL and IP based IOCs at the firewall, IDS, web gateways, routers or other perimeter-based devices, a course of action, resources or applications to remediate this threat.
Keep applications and operating systems running at the current released patch level.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

Coronavirus Campaigns Spreading Malware

Related Articles

Related Events

Report Abusive Comment