IBM X-Force has identified a spam campaign targeting users in Japan that employs the coronavirus scare as a lure to encourage people to open malicious emails. The messages contain Microsoft Office files loaded with macros that, when enabled, launch an infection routine that delivers the Emotet Trojan.

In general, Emotet is very focused on infecting companies in North America and some parts of Europe, but we are seeing it diversify its activity in the past few months. Is Emotet changing its attack turf by spamming in Japan? Emotet has been provisioning access for the TrickBot gang, especially where Ryuk ransomware attacks follow. With TrickBot operating more frequently in Japan, it is no surprise that Emotet is expanding its reach in the region.

Japan is also becoming a more lucrative target for all cybercrime groups ahead of the 2020 Olympic games, which are scheduled to take place in the country’s capital in the summer of 2020.

A Timely Spam Campaign

How did Emotet get to write coherent spam in Japanese? Copies of the emails used in the Emotet campaign were apparently compromised legitimate emails concerning the Coronavirus outbreak. Some of the email samples that IBM X-Force researchers have captured in our spam traps show details that would make this spam appear quite legitimate.

Figure 1: Sample emails from spam captured by IBM X-Force research

Machine translation of the text provides the email’s context:

Jurisdiction Tsusho / Facility Related Disability Welfare Service Provider We become indebted to. Patients were reported about the new type of coronavirus-related pneumonia, mainly in Takeshi, China. In Japan, patients are being reported in Osaka Prefecture. Along with the anticipated increase in the number of visitors to Japan, a separate notice has been issued. Therefore, please check the attached notice.

As an example, the following footer on one of the email formats included information from the legitimate website of the Kyoto prefecture:

Kyoto Prefectural Yamashiro Minami Public Health Center welfare room (in charge: Umino) 18-1 Kizu Ueto, Kizugawa City, Kyoto Prefecture 619-0214, Japan Telephone: 0774-72-0979 FAX: 0774-72-8412

Inside the spam, those who click to read the message will find a rather standard poisoned Word file with macros to enable.

Figure 2: Emotet infection launcher concealed in a Word document (Source: IBM X-Force)

The infection flow is also familiar from other recent Emotet infection routines, starting with malicious PowerShell scripts that end up fetching and running executable files. The eventual payload is an Emotet Trojan file:

Figure 3: Emotet infection routine as observed via spam emails in Japan (Source: IBM X-Force)

For indicators of compromise (IoCs) from this campaign, check out our X-Force Exchange collection.

Keep Botnet Spam Out of Your Networks

Cybercriminals are fond of riding trending news subjects to spread malspam. The more resilient ones may get through some security controls, which can make keeping sophisticated, self-propagating malware out of enterprise networks a bit of a challenge. Here are some tips that can help security teams reduce the risk of infection via botnet spam:

  • Have an incident response plan that corresponds with a threat like Emotet. Since this malware can usher in a widespread ransomware attack, your teams will have to quickly escalate, contain and remedy it before further damage can take place.
  • Educate users about threats like Emotet and its specific tactics of inserting itself into conversations to lure email recipients into opening attachments.
  • Ensure systems are patched on time.
  • Update endpoint detection and response (EDR) and anti-virus solutions deployed throughout your environment.
  • Segregate networks to limit the reach of self-propagating malware.
  • Review privileged access and privileged users to enforce principles of least privilege.
  • Keep up to date on blacklists of malicious IPs and compromised websites malware uses to spread.
  • Use an email security tool that features attachment inspection and disable the ability to run macros from attachments if your business does not use them frequently.
  • Keep up to date on threat intelligence that can help you stay aware of emerging campaigns and talk to your teams about them.

Advanced malware protection solutions can help mitigate the risk of infection by Emotet and other banking Trojans. If your team requires incident response support, please contact the IBM X-Force Incident Response and Intelligence Services (IRIS) team.

For security incident emergencies, contact us at: US hotline 1-888-241-9812 | Global hotline (+001) 602-220-1440

More from Malware

ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

7 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Ex-Conti and FIN7 Actors Collaborate with New Backdoor

15 min read -   April 27, 2023 Update This article is being republished with modifications from the original that was published on April 14, 2023, to change the name of the family of malware from Domino to Minodo. This is being done to avoid any possible confusion with the HCL Domino brand. The family of malware that is described in this article is unrelated to, does not impact, nor uses HCL Domino or any of its components in any way. The malware is…

15 min read