IBM X-Force has identified a spam campaign targeting users in Japan that employs the coronavirus scare as a lure to encourage people to open malicious emails. The messages contain Microsoft Office files loaded with macros that, when enabled, launch an infection routine that delivers the Emotet Trojan.

In general, Emotet is very focused on infecting companies in North America and some parts of Europe, but we are seeing it diversify its activity in the past few months. Is Emotet changing its attack turf by spamming in Japan? Emotet has been provisioning access for the TrickBot gang, especially where Ryuk ransomware attacks follow. With TrickBot operating more frequently in Japan, it is no surprise that Emotet is expanding its reach in the region.

Japan is also becoming a more lucrative target for all cybercrime groups ahead of the 2020 Olympic games, which are scheduled to take place in the country’s capital in the summer of 2020.

A Timely Spam Campaign

How did Emotet get to write coherent spam in Japanese? The emails used in the Emotet campaign appear to be copies of compromised, legitimate emails concerning the coronavirus outbreak. Some of the email samples that IBM X-Force researchers have captured in our spam traps show details that would make this spam appear quite legitimate.

Figure 1: Sample emails from spam captured by IBM X-Force research

Machine translation of the text provides the email’s context:

Jurisdiction Tsusho / Facility Related Disability Welfare Service Provider We become indebted to. Patients were reported about the new type of coronavirus-related pneumonia, mainly in Takeshi, China. In Japan, patients are being reported in Osaka Prefecture. Along with the anticipated increase in the number of visitors to Japan, a separate notice has been issued. Therefore, please check the attached notice.

As an example, the following footer on one of the email formats included information from the legitimate website of the Kyoto prefecture:

Kyoto Prefectural Yamashiro Minami Public Health Center welfare room (in charge: Umino) 18-1 Kizu Ueto, Kizugawa City, Kyoto Prefecture 619-0214, Japan Telephone: 0774-72-0979 FAX: 0774-72-8412

Recipients who open the attachment will find a rather standard poisoned Word file with macros to enable.

Figure 2: Emotet infection launcher concealed in a Word document (Source: IBM X-Force)

The infection flow is also familiar from other recent Emotet infection routines, starting with malicious PowerShell scripts that end up fetching and running executable files. The eventual payload is an Emotet Trojan file:

Figure 3: Emotet infection routine as observed via spam emails in Japan (Source: IBM X-Force)
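The infection flow above (a Word macro launching PowerShell, which fetches and runs an executable) is visible in process-creation telemetry. The following Python is an added example written for this page, not IBM X-Force tooling or part of the campaign analysis: it scores constructed process-creation events, using the field names `parent_image`, `image` and `command_line` as an assumed log shape, and flags an Office application spawning a script host together with the usual command-line indicators (encoded or hidden invocations, download and execute keywords). The sample events and the `<...>` placeholders are constructed for the demonstration.

```python
import re

# Constructed process-creation events in the shape an EDR or Sysmon (Event ID 1)
# forwarder might emit. Illustrative only, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {  # Word spawning PowerShell with a hidden, encoded command: the macro launcher pattern
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -nop -w hidden -enc <base64-placeholder>",
    },
    {  # An administrator running a scheduled inventory script from the desktop: benign
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -File C:\\Scripts\\inventory.ps1",
    },
    {  # Outlook spawning PowerShell that downloads and starts a file (placeholders, not a working command)
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell -w hidden -c "(New-Object Net.WebClient).DownloadFile(<url>, <path>); Start-Process <path>"',
    },
]

# Office applications that should almost never spawn a script interpreter on a workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line indicators, each worth one point. Individually weak, together meaningful.
CMDLINE_INDICATORS = [
    ("encoded_command", re.compile(r"(^|\s)-enc(odedcommand)?\b", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("download", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)),
    ("execute", re.compile(r"Invoke-Expression|\biex\b|Start-Process", re.I)),
]

ALERT_THRESHOLD = 3  # an Office parent alone reaches it; otherwise three indicators are needed


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    parent, child = basename(event["parent_image"]), basename(event["image"])
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        score += 3
        reasons.append(f"office_spawns_script_host:{parent}->{child}")
    for name, pattern in CMDLINE_INDICATORS:
        if pattern.search(event["command_line"]):
            score += 1
            reasons.append(name)
    return score, reasons


def triage(events: list[dict], threshold: int = ALERT_THRESHOLD) -> list[dict]:
    """Return the events that reach the alert threshold, with the reasons attached."""
    alerts = []
    for idx, event in enumerate(events):
        score, reasons = analyze_event(event)
        if score >= threshold:
            alerts.append({"index": idx, "score": score, "reasons": reasons,
                           "command_line": event["command_line"]})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The parent/child pairing carries most of the weight on purpose: Emotet's PowerShell stage varies its obfuscation between runs, but a Word or Outlook process launching an interpreter is stable across variants and is the relationship worth alerting on first.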

For indicators of compromise (IoCs) from this campaign, check out our X-Force Exchange collection.

Keep Botnet Spam Out of Your Networks

Cybercriminals are fond of riding trending news subjects to spread malspam. The more resilient ones may get through some security controls, which can make keeping sophisticated, self-propagating malware out of enterprise networks a bit of a challenge. Here are some tips that can help security teams reduce the risk of infection via botnet spam:

  • Have an incident response plan that corresponds with a threat like Emotet. Since this malware can usher in a widespread ransomware attack, your teams will have to quickly escalate, contain and remedy it before further damage can take place.
  • Educate users about threats like Emotet and its specific tactics of inserting itself into conversations to lure email recipients into opening attachments.
  • Ensure systems are patched on time.
  • Update endpoint detection and response (EDR) and anti-virus solutions deployed throughout your environment.
  • Segregate networks to limit the reach of self-propagating malware.
  • Review privileged access and privileged users to enforce principles of least privilege.
  • Keep up to date on blacklists of malicious IPs and compromised websites malware uses to spread.
  • Use an email security tool that features attachment inspection and disable the ability to run macros from attachments if your business does not use them frequently.
  • Keep up to date on threat intelligence that can help you stay aware of emerging campaigns and talk to your teams about them.
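The attachment-inspection tip above can be implemented without trusting the file extension, since the VBA project in an Office Open XML file is a binary part inside the zip container and the legacy binary (.doc) format needs an OLE parser before it can be cleared. The following Python is an added example written for this page, not IBM X-Force's tooling: `classify_attachment` looks inside the container, and `should_quarantine` applies the "block macros unless the business needs them" policy. The minimal OOXML packages built by `sample_docx` and `sample_docm` are constructed for testing and carry only the parts the check looks at.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound-file header
ZIP_MAGIC = b"PK\x03\x04"                        # Office Open XML (.docx/.docm/.xlsm) is a zip


def classify_attachment(data: bytes) -> str:
    """Classify an attachment as 'macro', 'no_macro', 'legacy_ole' or 'not_office'."""
    if data.startswith(OLE_MAGIC):
        # The legacy binary format can carry VBA streams but needs a proper OLE parser
        # (for example oletools) to say so; report it as a separate class.
        return "legacy_ole"
    if not data.startswith(ZIP_MAGIC):
        return "not_office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not_office"  # a zip, but not an Office package
            # The VBA project is stored as word/, xl/ or ppt/vbaProject.bin whatever the
            # outer file name says, so test the container rather than the extension.
            if any(name.lower().endswith("vbaproject.bin") for name in names):
                return "macro"
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if "macroEnabled" in content_types:
                return "macro"
            return "no_macro"
    except zipfile.BadZipFile:
        return "not_office"


def should_quarantine(data: bytes, macros_allowed: bool = False) -> bool:
    """Policy: hold macro-bearing and legacy-OLE Office attachments unless macros are a business need."""
    if macros_allowed:
        return False
    return classify_attachment(data) in {"macro", "legacy_ole"}


# Constructed minimal OOXML packages for testing; real Word files carry many more parts.
def _build_ooxml(main_content_type: str, extra_parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{main_content_type}"/>'
            "</Types>",
        )
        zf.writestr("word/document.xml", "<w:document/>")
        for name, content in extra_parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_docx() -> bytes:
    return _build_ooxml(
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml", {}
    )


def sample_docm() -> bytes:
    # The vbaProject.bin content is a placeholder; only its presence matters to the check.
    return _build_ooxml(
        "application/vnd.ms-word.document.macroEnabled.main+xml",
        {"word/vbaProject.bin": b"<constructed placeholder, not a real VBA project>"},
    )


if __name__ == "__main__":
    for label, blob in (("docx", sample_docx()), ("docm", sample_docm()),
                        ("legacy", OLE_MAGIC + b"\x00" * 16), ("pdf", b"%PDF-1.4")):
        print(label, classify_attachment(blob), "quarantine" if should_quarantine(blob) else "deliver")
```

Treating the legacy OLE class as quarantine-by-default is deliberate: a mail gateway that passes .doc files because it could not find `vbaProject.bin` would wave through exactly the container Emotet campaigns of this period favoured.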

Advanced malware protection solutions can help mitigate the risk of infection by Emotet and other banking Trojans. If your team requires incident response support, please contact the IBM X-Force Incident Response and Intelligence Services (IRIS) team.

For security incident emergencies, contact us at: US hotline 1-888-241-9812 | Global hotline (+001) 602-220-1440
