Cyber criminals cash in on coronavirus fears

Read time 2min 40sec

While the spread of coronavirus grows, and the situation becomes more dire with the World Health Organisation declaring the deadly virus a global health crisis last week, cyber criminals are already exploiting people’s fears about the situation and spreading malware.

Attackers have been using worldwide disasters, and current and popular events, to spread malware as these events are more likely to fool users into clicking on malicious links or opening malicious files.

In a report by IBM X-Force Exchange, researchers revealed that they have detected a new wave of such exploitation, driven by the outbreak of the coronavirus in China.

“Unfortunately, it is quite common for threat actors to exploit basic human emotions such as fear, especially if a global event has already caused terror and panic," say the researchers. 

What makes these attacks unusual, according to X-Force,  is that they deliver the Emotet Trojan, which has shown increased activity recently. 

“It achieves this by urging its victims into opening an attached Word document, described as a supposed notice regarding infection prevention measures,” says IBM.

The e-mails pose as legitimate mails sent by a Japanese disability welfare service provider. The text claims that reports have been circulating about coronavirus patients in the Gifu prefecture in Japan and urges the target to view the attached Word document for more detail.

However, once IBM researchers ran the document through a sandbox, they were able to retrace the infection process. Should the attachment be opened with macros enabled, an obfuscated Visual Basic for Applications (VBA) macro script opens PowerShell and installs an Emotet downloader in the background. This is the standard behaviour of most Emotet documents, the company says. 

In the past, Emotet e-mails in Japan have centred around corporate style payment notifications and invoices, much like the ones that have been seen targeting European victims, the researchers say. They note that this new approach to delivering the Trojan could be infinitely more successful as it is capitalising on the wide impact of the disease and the fear of infection surrounding it.

IBM says it expects malicious e-mail traffic based on the coronavirus to increase in the coming wees, as the virus and, with it, the fear of infection spreads. 

Researchers speculate that Japanese users were most likely targeted due to their close proximity to China. They expect malicious e-mail traffic to start including other languages as well, depending on the impact of the outbreak and the regions it spreads to.

The report recommends to make sure that anti-virus software and associated files are up to date, and search for indicators of compromise in their environment.

Block all URL and IP-based IOCs at the firewall, IDS, Web gateways, routers or other perimeter-based devices, and keep applications and operating systems running at the current released patch level,” IBM researchers conclude.

See also