Coronavirus Malware Attacks Increase – Hackers Exploit Coronavirus COVID-19 Fear to Spread Malware
Cyber security researchers at IBM spotted new malware campaigns exploiting people’s concerns about the spread of the novel Coronavirus. It’s not unusual for cybercriminals to take advantage of global events, social phenomena, tragedies, or natural disasters to spread malware in order to maximize the impact. Opportunistic hackers are once again leveraging the novel Coronavirus, now formerly known as COVID-19, with virus themed emails and malware attacks. The attackers are attempting to deliver Emotet malware along with a Coronavirus countermeasures document to potential victims. The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) recently warned of a rise in Emotet malware attacks against businesses and small government entities. Kaspersky and IBM X-Force both have found a wave of new phishing emails loaded with malware capitalizing fear surrounding the coronavirus infection.
What is Emotet Malware?
Emotet malware is a banking Trojan. A banking Trojan, also known as a banker trojan, is a malicious computer code that redirects traffic from banking and financial websites to try and collect the victim’s confidential information like username and password from the infected device. Emotet malware, also known as, Geodo and Mealybug, steals user credentials stored in the victim’s web browser by eavesdropping on network traffic. More recent iterations of Emotet function as more of a downloader, or dropper, of other malware to the infect device.
The US Internal Revenue Service warned of two variations of phishing campaigns that also involves Emotet. The phishing email attachment is disguised as an IRS W-9 tax form. If downloaded, the attachment launches Emotet malware. In attack this month, CISA reported that an oil pipeline facility went offline for two days after a successful malware attack infiltrated process and control computers. Ransomware was delivered through a spear phishing campaign.
Coronavirus Malware Attacks
There are three variations of this email, all written in Japanese and structured as Office 365 messages. The phishing email encourages the recipients to open an MS Word document attachment that is supposedly a notice regarding infection prevention measures. Cyber security researchers from IBM X-Force found that the subject of the three variations are not identical, but similar.
With the first COVID-19 phishing email, the subject line claims to be a notice and the body of the email has language about reports of Coronavirus patients in the Gifu prefecture of Japan. The second sample is almost identical content but claims there is an outbreak in Osaka instead. And finally, the third phishing email talks about infections in Tottori prefecture. If the attachment of email number three is opened with macros enabled, an obfuscated VBA macro script opens PowerShell and installs an Emotet downloader in the background.
Malware campaigns and Coronavirus phishing emails were quick to emerge as the virus escaped China and started its spread across the globe. Hackers waste no time retooling their cyber attacks to look like helpful information for potential victims. One of the early Coronavirus themed malware campaigns, was spotted by Kaspersky Labs. The emails mostly targeted people in Australia, Austria, Barbados, Germany, Hong Kong, Japan, Malaysia, Singapore, Spain, Switzerland, the United Arab Emirates, the United Kingdom and the United States. This attack was deemed to be the work of hacking group TAS542.
Yet, another early Coronavirus phishing campaign claims to be from the United States Center for Disease Control (CDC) virologists. The email does contain some slightly useful information like helpful virus prevention tips to increase its credibility and the likelihood the recipient will click on links or open attachments. The email of course, is malicious and contains malware downloaders.
How to Detect Fake Coronavirus Emails
It is important that individuals scrutinize their personal and work emails very carefully. Once a device is infected, it can pass the malware or computer virus to other devices – from home to work or the other way too. If someone were to view a malicious malware attachment on their home laptop and work computer, both devices could be infected. Phishing emails use scare tactics and a sense of urgency to get the person to act quickly and not think too long about the consequence of their actions. In the case of a spear phishing emails, the contents of the email may be personalized with the recipient’s name, workplace, or other information gleaned from social media or a work website.
- Do not open emails if you do not know the sender. Look carefully at the email box name, not just the friendly name. If you don’t understand the difference between these two, the read our guide on how to spot a phishing email
- Never open email attachments if you were not expecting something from someone you know. When in doubt, call or message the sender to see if the email is legitimate
- Disable macros on your Microsoft products like Word and Excel. Malicious macros are a top way to deliver malware
- Don’t open ANY Corononavirus COVID-19 emails. Stay Informed about COVID-19. Get rolling updates directly from the World Health Organization website