Highlights

  • The emails are camouflaged to look like they are sent on behalf of public health centers and disability welfare service providers.
  • The reach of the scam is high and has been detected in several regions of Japan, including Osaka, Gifu, and Tottori.
  • Researchers have made a note of suspicious spam email activity that resembles official notifications with respect to coronavirus.

The crime scene

 A group of researchers notified a malspam campaign camouflaged as notifications that gave out more information on preventive measures necessary to combat coronavirus infections, an epidemic in China.

  • The emails are created in such a way that they appear to be sent out on behalf of the disability welfare service provider and public health centers to gain the trust of readers.
  • The threat actors distributed Emotet payloads through their email attachments.
  • The emails promise to offer information on preventive measures to battle coronavirus for Japanese citizens.
  • Researches observe the scam in different regions of the country, such as Osaka, Gifu, and Tottori.

In the past, the Emotet gang had tried similar tricks to bank on similar trending events, where they tried to trap people using the custom holiday for Christmas and Halloween. Here they lured targets by making use of fake invites to Greta Thunberg demonstration.

More on how the coronavirus spam mail operates

Reports from the infosec community state that the malspam campaign worked on stolen emails from past compromised accounts intending to attack the mail recipients. A few experts also signaled that writing the word “Japanese” in the subject line appeared strange. However, that made these spam emails look more sophisticated as compared to other Emotet distribution efforts.

Additionally, the team of IBM X-Force Threat Intelligence also observed that the subject line and the document file names had similarities but were not identical in nature. In fact, they are created with distinct representations keeping the word Japanese to indicate urgency.

Whereas some emails also contained the address of the institution. This information was added in the footer to gain greater authenticity.

Purpose of Emotet attacks

Usually operating with the formula of spam emails, Emotet actors fool prospective recipients to open email attachments that result in download and installation of the malware.

  • The attachment appears to be a standard Emotet malspam Office 365 document template that displays a message to “Enable Content” to properly view the complete document.
  • Post which the macro feature of Microsoft office enables Emotet payload to get installed on the mail recipient’s device, with the help of a PowerShell command.
  • Once the above is done, these spam messages navigate to other systems to spread other malware types such as Trickbot trojan, which is recognized for delivering ransomware.