A new report by IBM X-Force Exchange found that cybercriminals are taking advantage of the coronavirus outbreak, and using it to spread malware.

"The practice of leveraging worldwide events by basing malicious emails on current important topics has become common among cybercriminals. Such a strategy is able to trick more victims into clicking malicious links or opening malicious files, ultimately increasing the effectiveness of a malware campaign," notes IBM. 

X-Force discovered the first campaign of this type, in which the outbreak of a biological virus is used as a means to distribute a computer virus. IBM researchers say that what makes these attacks rather special, is the fact that they deliver the Emotet trojan, which has shown increased activity recently. The virus urges its victims into opening an attached Word document, described as a supposed notice regarding infection prevention measures.

The emails appear to be sent by a disability welfare service provider in Japan, says IBM. The text briefly states that there have been reports of coronavirus patients in the Gifu prefecture in Japan and urges the reader to view the attached document. 

After IBM researchers ran the document through a sandbox, they could retrace the infection process: If the attachment has been opened with macros enabled, an obfuscated VBA macro script opens powershell and installs an Emotet downloader in the background. This is the typical behavior of most Emotet documents, notes the blog. 

Previously, Japanese Emotet emails have been focused on corporate style payment notifications and invoices, following a similar strategy as emails targeting European victims, says IBM. Researchers note that this new approach to delivering Emotet may be significantly more successful, due to the wide impact of the coronavirus and the fear of infection surrounding it. 

In addition, researchers expect to see more malicious email traffic based on the coronavirus in the future, as the infection and fear spreads. They also expect malicious email traffic to expand to include other languages too, depending on the impact the coronavirus outbreak has.

"Japanese victims were probably targeted due to their proximity to China. Unfortunately, it is quite common for threat actors to exploit basic human emotions such as fear – especially if a global event has already caused terror and panic," say the researchers. 

Researchers recommend that users:

  • Do not click or open links in emails directly, instead type in the main URL in browser or search the brand/company via a preferred search engine.
  • Ensure anti-virus software and associated files are up to date.
  • Search for existing signs of the indicated IOCs in environment.
  • Block all URL and IP based IOCs at the firewall, IDS, web gateways, routers or other perimeter-based devices, a course of action, resources or applications to remediate this threat.
  • Keep applications and operating systems running at the current released patch level.