Emotet Attacks Spread Alongside Fears of Coronavirus


The rise of the coronavirus globally, but mainly in China, has resulted in the World Health Organization calling on all countries to take urgent measures to contain the disease. As a current Hong Kong resident, and one who is fully engaged with organizations in the APAC region, I can confirm that the fear is palpable.

And now, threat actors are leveraging this fear to launch malware campaigns for personal gain.

The Threat

In the last few days, researchers from IBM X-Force have discovered emails that contain malicious Microsoft Word attachments and are primarily targeting Japan. However, cyber security professionals are not ruling out the possibility of such attacks spreading to broader geographies as the coronavirus likewise spreads.


In the case of Japan, many of these emails are crafted to appear as though they come from local disability welfare service providers. The message states that coronavirus patients have been reported in the area (e.g. Gifu and Osaka prefectures), making readers more likely to click on the attachment for further information and guidance.


Sender:   XXXXXXX Public Health Center (Representative: xxxxx)

Subject: Public Health Center welfare Jan 29 2020

To whom it may concern,

Regarding Coronavirus-infected pneumonia, victims have been reported from Wuhan city in China.

Also domestically in Japan, some victims have been found in Gifu city.

Please find the attached notification and take appropriate action to protect yourselves.


Once the attachment is opened, a VBA macro script launches PowerShell and installs an Emotet downloader in the background.

Once the malware is downloaded, Emotet uses the infected system to send out additional phishing emails and spam in an effort to grow the botnet; the infection can later be leveraged for scams, ransomware, and theft of personal or valuable information.
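The infection chain above (Word document, VBA macro, PowerShell, downloader) leaves a distinctive trace in endpoint telemetry: an Office process spawning a shell with download or encoded-command switches. The following script is an added illustration, not code from the post or from Radware, that scores constructed process-creation events against that pattern; the event field names (`parent_image`, `image`, `command_line`) are assumptions loosely modelled on Sysmon process-creation records, and the sample events are constructed, not real telemetry.

```python
"""Flag Office-spawned shells, the launch pattern macro droppers rely on.

Added example (not from the original post). Events are plain dicts with the
assumed keys parent_image, image, command_line and pid.
"""
import re

# Parent processes that should almost never launch an interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child processes that indicate code execution was handed off to a shell.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line traits common to macro-launched downloaders; each adds weight.
SUSPICIOUS_FLAGS = [
    (re.compile(r"-(?:e|en|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "no profile"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
     "download cue"),
    (re.compile(r"\bIEX\b|invoke-expression", re.I), "inline execution"),
]


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one process-creation event.

    Score 0 means the parent/child pair is not Office -> shell at all; the
    base score of 5 is for the pair itself, +2 for each suspicious switch.
    """
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    if parent not in OFFICE_PARENTS or child not in SHELLS:
        return 0, []
    reasons = [f"{parent} spawned {child}"]
    score = 5
    for pattern, label in SUSPICIOUS_FLAGS:
        if pattern.search(event["command_line"]):
            score += 2
            reasons.append(label)
    return score, reasons


def find_suspicious(events, threshold=5):
    """Return (pid, score, reasons) for every event at or above the threshold."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((event["pid"], score, reasons))
    return hits


# Constructed sample events (not real telemetry). The base64 fragment in the
# first event is a constructed placeholder, not a real payload.
SAMPLE_EVENTS = [
    {"pid": 1201,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"pid": 1202,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -File C:\\scripts\\backup.ps1"},
    {"pid": 1203,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "C:\\Windows\\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for pid, score, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid} score {score}: " + "; ".join(reasons))
```

Only the first sample event is reported: WINWORD.EXE launching a hidden, profile-less, encoded PowerShell command. The second event is the same PowerShell binary under Explorer and is ignored, and the third is Word spawning a print helper, which is a legitimate Office child. The parent/child pair alone already reaches the threshold, so the switches only raise the priority; in production the same rule would be fed from an EDR or Sysmon pipeline rather than from an inline list.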

What is Emotet?

Emotet started out mainly as a banking Trojan. Its main goal was to install additional code on the endpoints it infected, including ransomware, and it can scrape data from the victim's computer. This makes it an effective vehicle for bot infections.


Per a recent alert issued by the Cybersecurity and Infrastructure Security Agency (CISA), there is “a recent increase in targeted Emotet malware attacks. Emotet is a sophisticated Trojan that commonly functions as a downloader or dropper of other malware. Emotet primarily spreads via malicious email attachments and attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. If successful, an attacker could use an Emotet infection to obtain sensitive information. Such an attack could result in proprietary information and financial loss as well as disruption to operations and harm to reputation.”

A Zero Trust Approach

The typical recommended approach is to always exercise caution with suspicious messages and emails, install official security updates promptly, run antivirus software, and use strong passwords. Yet organizations can't rely solely on human behavior to protect their networks and data; they must practice a zero trust approach.


Zero trust is a comprehensive approach to securing all access across your networks, applications, and environment. This approach helps secure access from users, end-user devices, APIs, IoT devices, microservices, containers, and more. It protects your workforce, workloads, and workplace:

  • Workforce: Protects users and their devices against stolen credentials, phishing, and other identity-based attacks
  • Workload: Manages multi-cloud environments and contains lateral movement across the network
  • Workplace: Gains insights into users and devices, identifies threats and maintains control over all connections in your network

Yaniv Hoffman

Yaniv Hoffman brings more than 20 years of experience in leading high-performance engineering and service teams, specialized in networking, cyber-security and cloud operations. Mr. Hoffman is the Vice President of Technologies. In this role he is responsible for APAC engineering teams (Pre-Sale, Post Sale, Architecture, Professional Services), and drives innovation in technical solutions and delivery while leading sales activities across the region. Prior to this role, he managed the global technical services in Radware, overseeing all customer engagements and customer success.
