IBM X-Force has identified a spam campaign targeting users in Japan that employs the coronavirus scare as a lure to encourage people to open malicious emails. The messages contain Microsoft Office files loaded with macros that, when enabled, launch an infection routine that delivers the Emotet Trojan.

In general, Emotet is very focused on infecting companies in North America and some parts of Europe, but we are seeing it diversify its activity in the past few months. Is Emotet changing its attack turf by spamming in Japan? Emotet has been provisioning access for the TrickBot gang, especially where Ryuk ransomware attacks follow. With TrickBot operating more frequently in Japan, it is no surprise that Emotet is expanding its reach in the region.

Japan is also becoming a more lucrative target for all cybercrime groups ahead of the 2020 Olympic games, which are scheduled to take place in the country’s capital in the summer of 2020.

A Timely Spam Campaign

How did Emotet get to write coherent spam in Japanese? Copies of the emails used in the Emotet campaign were apparently compromised legitimate emails concerning the Coronavirus outbreak. Some of the email samples that IBM X-Force researchers have captured in our spam traps show details that would make this spam appear quite legitimate.

Figure 1: Sample emails from spam captured by IBM X-Force research

Machine translation of the text provides the email’s context:

Jurisdiction Tsusho / Facility Related Disability Welfare Service Provider We become indebted to. Patients were reported about the new type of coronavirus-related pneumonia, mainly in Takeshi, China. In Japan, patients are being reported in Osaka Prefecture. Along with the anticipated increase in the number of visitors to Japan, a separate notice has been issued. Therefore, please check the attached notice.

As an example, the following footer on one of the email formats included information from the legitimate website of the Kyoto prefecture:

Kyoto Prefectural Yamashiro Minami Public Health Center welfare room (in charge: Umino) 18-1 Kizu Ueto, Kizugawa City, Kyoto Prefecture 619-0214, Japan Telephone: 0774-72-0979 FAX: 0774-72-8412

Inside the spam, those who click to read the message will find a rather standard poisoned Word file with macros to enable.

Figure 2: Emotet infection launcher concealed in a Word document (Source: IBM X-Force)

The infection flow is also familiar from other recent Emotet infection routines, starting with malicious PowerShell scripts that end up fetching and running executable files. The eventual payload is an Emotet Trojan file:

Figure 3: Emotet infection routine as observed via spam emails in Japan (Source: IBM X-Force)

For indicators of compromise (IoCs) from this campaign, check out our X-Force Exchange collection.

Keep Botnet Spam Out of Your Networks

Cybercriminals are fond of riding trending news subjects to spread malspam. The more resilient ones may get through some security controls, which can make keeping sophisticated, self-propagating malware out of enterprise networks a bit of a challenge. Here are some tips that can help security teams reduce the risk of infection via botnet spam:

  • Have an incident response plan that corresponds with a threat like Emotet. Since this malware can usher in a widespread ransomware attack, your teams will have to quickly escalate, contain and remedy it before further damage can take place.
  • Educate users about threats like Emotet and its specific tactics of inserting itself into conversations to lure email recipients into opening attachments.
  • Ensure systems are patched on time.
  • Update endpoint detection and response (EDR) and anti-virus solutions deployed throughout your environment.
  • Segregate networks to limit the reach of self-propagating malware.
  • Review privileged access and privileged users to enforce principles of least privilege.
  • Keep up to date on blacklists of malicious IPs and compromised websites malware uses to spread.
  • Use an email security tool that features attachment inspection and disable the ability to run macros from attachments if your business does not use them frequently.
  • Keep up to date on threat intelligence that can help you stay aware of emerging campaigns and talk to your teams about them.

Advanced malware protection solutions can help mitigate the risk of infection by Emotet and other banking Trojans. If your team requires incident response support, please contact the IBM X-Force Incident Response and Intelligence Services (IRIS) team.

For security incident emergencies, contact us at: US hotline 1-888-241-9812 | Global hotline (+001) 602-220-1440

More from Malware

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - Summary As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today