IBM X-Force has identified a spam campaign targeting users in Japan that employs the coronavirus scare as a lure to encourage people to open malicious emails. The messages contain Microsoft Office files loaded with macros that, when enabled, launch an infection routine that delivers the Emotet Trojan.
In general, Emotet is very focused on infecting companies in North America and some parts of Europe, but we are seeing it diversify its activity in the past few months. Is Emotet changing its attack turf by spamming in Japan? Emotet has been provisioning access for the TrickBot gang, especially where Ryuk ransomware attacks follow. With TrickBot operating more frequently in Japan, it is no surprise that Emotet is expanding its reach in the region.
Japan is also becoming a more lucrative target for all cybercrime groups ahead of the 2020 Olympic games, which are scheduled to take place in the country’s capital in the summer of 2020.
A Timely Spam Campaign
How did Emotet get to write coherent spam in Japanese? Copies of the emails used in the Emotet campaign were apparently compromised legitimate emails concerning the Coronavirus outbreak. Some of the email samples that IBM X-Force researchers have captured in our spam traps show details that would make this spam appear quite legitimate.
Figure 1: Sample emails from spam captured by IBM X-Force research
Machine translation of the text provides the email’s context:
Jurisdiction Tsusho / Facility Related Disability Welfare Service Provider
We become indebted to.
Patients were reported about the new type of coronavirus-related pneumonia, mainly in Takeshi, China.
In Japan, patients are being reported in Osaka Prefecture. Along with the anticipated increase in the number of visitors to Japan, a separate notice has been issued.
Therefore, please check the attached notice.
As an example, the following footer on one of the email formats included information from the legitimate website of the Kyoto prefecture:
Kyoto Prefectural Yamashiro Minami Public Health Center welfare room (in charge: Umino)
18-1 Kizu Ueto, Kizugawa City, Kyoto Prefecture 619-0214, Japan
Telephone: 0774-72-0979
FAX: 0774-72-8412
Inside the spam, those who click to read the message will find a rather standard poisoned Word file with macros to enable.
Figure 2: Emotet infection launcher concealed in a Word document (Source: IBM X-Force)
The infection flow is also familiar from other recent Emotet infection routines, starting with malicious PowerShell scripts that end up fetching and running executable files. The eventual payload is an Emotet Trojan file:
Figure 3: Emotet infection routine as observed via spam emails in Japan (Source: IBM X-Force)
For indicators of compromise (IoCs) from this campaign, check out our X-Force Exchange collection.
Keep Botnet Spam Out of Your Networks
Cybercriminals are fond of riding trending news subjects to spread malspam. The more resilient ones may get through some security controls, which can make keeping sophisticated, self-propagating malware out of enterprise networks a bit of a challenge. Here are some tips that can help security teams reduce the risk of infection via botnet spam:
- Have an incident response plan that corresponds with a threat like Emotet. Since this malware can usher in a widespread ransomware attack, your teams will have to quickly escalate, contain and remedy it before further damage can take place.
- Educate users about threats like Emotet and its specific tactics of inserting itself into conversations to lure email recipients into opening attachments.
- Ensure systems are patched on time.
- Update endpoint detection and response (EDR) and anti-virus solutions deployed throughout your environment.
- Segregate networks to limit the reach of self-propagating malware.
- Review privileged access and privileged users to enforce principles of least privilege.
- Keep up to date on blacklists of malicious IPs and compromised websites malware uses to spread.
- Use an email security tool that features attachment inspection and disable the ability to run macros from attachments if your business does not use them frequently.
- Keep up to date on threat intelligence that can help you stay aware of emerging campaigns and talk to your teams about them.
Advanced malware protection solutions can help mitigate the risk of infection by Emotet and other banking Trojans. If your team requires incident response support, please contact the IBM X-Force Incident Response and Intelligence Services (IRIS) team.
For security incident emergencies, contact us at: US hotline 1-888-241-9812 | Global hotline (+001) 602-220-1440
Principal Consultant, X-Force Cyber Crisis Management, IBM