Quick Heal claims Hackers riding on the global panic pertaining to the deadly Coronavirus
The Coronavirus has created pandemonium across the world creating an atmosphere of a health crisis for the global populace. Cyber attackers are lurking into this phenomenon as an opportunity, less of a catastrophe. Multiple instances of malicious, automated emails have been reported in several continents that are getting spooled with ‘Coronavirus’ as a theme.
The content of these emails is smartly written, consisting of an attachment that claims to provide information on prevention and precaution of the virus. When recipients click on this attachment to view the content, one virus used to propagate another. What’s worse is attackers are distributing the infamous Emotet Trojan through these malicious attachments.
Currently, the major reported instances are seen in regions closer to the Coronavirus’ point of origination. Hence, emails written primarily in Japanese and other Asian languages are seen circulated with the attachment heading composed in the regional language, on purpose. To make these emails sound ‘very urgent,’ attackers are ensuring that they add current dates to these emails.
To give a sense of the situation, emails are being sent from fake email IDs of local health organizations that pretend to alarm about the virus’ outbreak in that region. For example, emails can be sent from fake email IDs of health institutions in the Philippines, the content of which will be on the lines of, “The Coronavirus has impacted Manila with the first official patient diagnosed in the Philippine General Hospital.”
Hackers are even forging the official mailing addresses, phone & fax numbers of these institutions to make the communication sound very genuine and legitimate.
Previously, malicious emails that contained Emotet were propagated to lure a corporate target audience, in Asia as well as in Europe. This style though, analysts say, can be far more successful as bait considering the deep impact of the implications of Coronavirus.
Attached in an Office 365 email, it asks the users to enable content if the document is being opened in a protected view. As with most Emotet email attacks, if the attachment is opened with ‘macros enabled’ it automatically infuses an obfuscated VBA macro script that further opens PowerShell and downloads and installs an Emotet downloader in the background. The extracted macros then use the same predictable obfuscation techniques. Other than Emotet, analysts also observe a swarm of Coronavirus themed spam campaigns. However, this modus operandi is malicious and fake!
Obviously, hackers will try to maximize this opportunity and accelerate the spread of malware through these fake documents. Hacker proximity is predicted to be directly proportional with the regions that ‘Coronavirus’ penetrates. We will see more of such mal-campaigns targeted towards several other demographic regions with emails written in the respective native languages.
Coronavirus, unfortunately, is predicted to spread (with cases exceeding SARS) making it inevitable that cybercrime will continue to thrive through it. Awareness is the only key.