Cyber criminals are spreading Emotet, the banking Trojan turned modular botnet and malware-delivery service, through phishing emails that exploit widespread fear of infection by the novel coronavirus first reported in Wuhan.
The first reports that cyber criminals were playing on popular panic over the spreading virus emerged at the end of January, when researchers at Kaspersky found around 10 malicious files whose names implied they contained useful information about the real-world threat.
In reality the files, which were named to look like .pdf, .mp4 and .docx documents, carried Trojans or worms designed to destroy, block, modify, or copy and exfiltrate sensitive data.
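The lure described above relies on the victim trusting a file's extension. As an added example, not from the article or from any of the vendors quoted in it, the following Python routine triages an attachment by comparing the extension in its name with the bytes actually present, and flags the double-extension trick (Windows Explorer hides the final extension by default) and macro-bearing Office documents. The sample attachments and their names are constructed here for the demo, not taken from any real campaign.

```python
import io
import zipfile

# Extensions that execute directly when double-clicked on Windows.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                    ".jse", ".vbs", ".wsf", ".hta", ".ps1", ".lnk", ".jar"}


def declared_extensions(filename):
    """All extensions in the name, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:] if p]


def sniff(data):
    """Identify the real container from its leading bytes, ignoring the file name."""
    if data.startswith(b"%PDF-"):
        return ".pdf"
    if len(data) >= 8 and data[4:8] == b"ftyp":      # ISO base media (MP4) box header
        return ".mp4"
    if data.startswith(b"MZ"):                         # DOS/PE executable header
        return ".exe"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return ".ole"                                  # legacy .doc/.xls container
    if data.startswith(b"PK\x03\x04"):                 # zip: OOXML or plain archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return ".zip"
        if "[Content_Types].xml" in names:
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return ".docm"                         # OOXML carrying a VBA project
            return ".docx"
        return ".zip"
    return None


def triage(filename, data):
    """Return a list of findings; an empty list means the name matches the content."""
    findings = []
    exts = declared_extensions(filename)
    claimed = exts[-1] if exts else None
    if len(exts) > 1:
        findings.append("double extension %s (Explorer hides the last one)" % "".join(exts))
    if claimed in RISKY_EXTENSIONS:
        findings.append("executable/script extension %s" % claimed)
    actual = sniff(data)
    if actual is None:
        findings.append("unrecognised content; do not trust the %s extension" % claimed)
    elif actual == ".docm":
        findings.append("OOXML document carries a VBA macro project (named %s)" % claimed)
    elif actual == ".ole":
        findings.append("legacy OLE Office container; inspect its streams for macros")
    elif claimed != actual:
        findings.append("name claims %s but content is %s" % (claimed, actual))
    return findings


def build_ooxml(with_macro):
    """Constructed minimal OOXML-like zip for the demo, not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (names and bytes are made up for this example).
SAMPLES = {
    "coronavirus_notice.pdf": b"%PDF-1.7\n%constructed sample\n",
    "coronavirus_notice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "infection_map.mp4": b"MZ\x90\x00" + b"\x00" * 60,
    "welfare_guidance.docx": build_ooxml(with_macro=True),
    "welfare_guidance_clean.docx": build_ooxml(with_macro=False),
}


def triage_all(samples=SAMPLES):
    """Run triage over every sample and return {filename: findings}."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, "->", findings or ["ok"])
```

The check is deliberately content-first: a mail gateway or endpoint agent that only consults the extension is exactly what these lures are built to fool, so the decision should rest on what the bytes are, with the name used only to spot the mismatch.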
The Emotet coronavirus campaign first emerged in Japan, according to IBM’s X-Force threat intelligence service, which uncovered the new lure earlier in February. The emails purport to come from a provider of disability welfare services and have targeted users in several Japanese prefectures.
The researchers said this was a departure from the more usual tactic of disguising Emotet emails as payment notifications or invoices, but said it was likely to be a “significantly more successful” tactic given the scale of public awareness of the illness.
The campaign is likely to evolve to incorporate other languages, depending on the impact that coronavirus has in other countries – Japanese victims have clearly been targeted due to their geographic proximity to China, they said.
“Over the past several years since Emotet was discovered in 2014, it has established itself as a pervasive and continually evolving threat, morphing from a prominent banking Trojan to modular spam and malware-as-a-service that can carry drops and propagate in the network very effectively,” Radware’s vice-president of technologies, Yaniv Hoffman, told Computer Weekly.
“One of the main abilities of Emotet is that it stays topical, and we will see campaigns similar to those leveraging fear of the coronavirus throughout the year. As the US enters tax season, for example, Emotet is gearing up to offer the public help to file the forms on their behalf.
“The email messages will not be sophisticated and can contain a link to download infected files or will have an attachment of a fake W9 form. We can anticipate that malware campaigns related to tax season will continue towards the filing date in April.”
The best way for users to protect themselves against threats exploiting the coronavirus is to trust only official government or health service guidance, or legitimate news services. In IT terms, the standard guidance applies: run antivirus software with automatic updates, download and apply patches and software updates promptly, and do not open attachments or follow links in suspicious or unsolicited emails.
Radware’s Hoffman said that organisations should first make sure they have incident response plans in place that correspond to threats such as Emotet so that security teams can contain and mitigate the threat before it causes damage. User education about email threats is also vital, he added.
Hoffman added that the coronavirus panic might also be an opportunity for security leaders to consider implementing a zero-trust approach to their security posture.
RSA Conference going ahead
Meanwhile, RSA has issued an update on the status of its annual RSA Conference in San Francisco, which is scheduled to get underway on 23 February.
This comes as mobile industry trade body the GSMA cancels Mobile World Congress (MWC) 2020 after multiple exhibitors, including Amazon, Ericsson, LG, Nokia, Nvidia and Vodafone pulled out of the show. Ordinarily, more than 100,000 people would have attended MWC, many from China.
RSA said: “We feel that it is important to communicate that there were nine companies from China signed up to exhibit at RSA Conference 2020. Out of those nine companies, six have cancelled due to travel restrictions. We’re reaching out to the remaining three companies to gain a better understanding of their unique situation and will update this communication with more details once we have additional clarity.
“To date, the number of individuals who have had to cancel their registration due to travel restrictions is approximately 0.2% of the total number of expected attendees. Among those individuals who have had to cancel, two were scheduled to speak at RSA Conference 2020. Again, we will continue to monitor the situation and will update this communication as appropriate.
“RSA Conference continues to monitor and assess new developments pertaining to the novel coronavirus originating in China. The health and safety of our attendees and exhibitors is our top priority.”