• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • Crooks start exploiting Coronavirus as bait to spread malware

Crooks start exploiting Coronavirus as bait to spread malware

Pierluigi Paganini February 01, 2020

Security researchers warn of malspam campaigns aimed at spreading malware that exploits media attention on the coronavirus epidemic.

Unscrupulous cybercriminal groups are attempting to exploit media attention on the coronavirus to infect systems worldwide.

Recently, coronavirus is monopolizing media attention, users online are searching for information about the virus and the way it is rapidly spreading worldwide.

coronavirus

In this scenario, it is quite easy for crooks to use this topic to trick victims into opening weaponized documents or visiting malicious websites.

Terms such as ‘Wuhan’ (the city that is considered the epicenter of infection) and ‘coronavirus’ are trend topics on social networks.

Cybercrime groups who have already started malspam attacks that attempt to take advantage of the high interest of online users on the topic, we have observed similar scenarios in the past immediately after natural disasters and other tragedies.

Mindful of what has happened in the p I have immediately alerted the group of researchers from Cybaze-Yoroi Z-Lab malware laboratory asking them to remain vigilant on any spam campaigns aimed at distributing malicious codes by spreading bait documents that p information about the coronavirus.

While media were confirming the first cases of coronavirus infections, the researchers of Cybaze-Yoroi Z-Lab observed the bait spam emails promising info on the virus, the messages were used to spread of versions of the well-known Emotet malware.

Researchers from Z-Lab confirmed that at the time of their analysis, attackers were using specially-crafted messages to lure victims into opening weaponized office documents. The bait documents were containing macros used to down, while the versions of Emotet used are the same as those observed in campaigns in recent months.

According to security firm Kaspersky, attackers are using several types of malicious files, including pdf, mp4 and docx with “coronavirus” theme to spread malware. Many of the files used in the attacks observed by the experts in these hours are presented as documents containing information about the virus, its diffusion, and instructions on how to prevent the contagion.

The bait documents are used to deliver several types of malware, including banking Trojans, ransomware and worms.

“We have only observed 10 unique files but, as often happens with topics of general interest, we expect this trend to grow. Given that this is a topic that is generating great concern among people all over the world, we are confident that we will detect more and more malware hiding behind false documents on the spread of the coronavirus, “explained Anton Ivanov, Kaspersky’s malware analyst.

Security experts from IBM X-Force p a more technical report that describes an ongoing campaign targeting Japanese users in the attempt of spreading the Emotet malware.

“X-Force discovered the first campaign of this type, in which the outbreak of a biological virus is used as a means to distribute a computer virus. What makes these attacks rather special, is the fact that they deliver the Emotet trojan, which has shown increased activity recently.” reads the analysis published by IBM. “It achieves this by urging its victims into opening an attached Word document, described as a supposed notice regarding infection prevention measures.”

IBM confirmed that crooks were exploiting the interest on coronavirus to spread the Emotet banking trojan through bait word documents spread via e-mail.

“By analyzing of the indicators of compromise provided by IBM X-FORCE, I can confirm that the EMOTET variant employed in this “coronavirus” campaign has been already widely used in past “corporate style payment” campaigns. The fingerprint associated with this malware links to fake invoice documents recently observed in most EMOTET campaigns.” Explained Antonio Pirozzi, head of Cybaze-Yoroi Zlab.

“The report published by Kaspersky includes signatures collected by its telemetry, come of them confirm the presence of different possible active campaigns delivering other families of malware. Kaspersky researchers have identified only ten unique files, as reported by the malware analyst Anton Ivanov, but obviously this is an indication that several actors are exploiting the attention on the coronavirus topic, and the trend could grow up in the next hours.”

IBM provides some examples of e-mails apparently sent by a disability welfare service provider in Japan.

coronavirus

The text of the messages states that there have been reports of coronavirus infections in some prefectures in Japan and urges the reader to view the attached document.

"Jurisdiction tsusho / facility related disability welfare service providerWe become indebted to.Patients were reported about the new type of coronavirus-related pneumonia, mainly in Takeshi, China.In Japan, patients are being reported in Osaka Prefecture,Along with the anticipated increase in the number of visitors to Japan, a separate notice has been issued.Therefore, please check the attached notice," reads the content of the email.

Following a consolidated infection pattern, once the document has been opened, the user displays the request to enable the macros to view its contents. Unfortunately, by enabling macros, the machine infection process starts, a powershell is silently executed to download and install a version of the Emotet trojan.

“After running the document through a sandbox, we could retrace the infection process. If the attachment of sample 3 has been opened with macros enabled, an obfuscated VBA macro script opens powershell and installs an Emotet downloader in the background. This is the typical behaviour of most Emotet documents.” continues IBM.

What will happen in the next few weeks?

In the next weeks, a growing number of threat actors will exploit the coronavirus theme, let me suggest to follow some simple tips to prevent the infection:

  • Do not open suspicious links inviting you to view coronavirus information. These links can be spread through email, instant messaging app messages such as WhatsApp, and also social networks. Always search for coronavirus information from reliable and legitimate sources, ignore any unsolicited messages, even if they come from people you trust.
  • Keep your software systems up to date, and use a reliable security solutions on your desktop and mobile systems.
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – coronavirus, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

EMOTET Hacking hacking news information security news Pierluigi Paganini Security Affairs Security News Trojan

you might also like

Pierluigi Paganini July 26, 2025
Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme
Read more
Pierluigi Paganini July 25, 2025
Operation CargoTalon targets Russia’s aerospace with EAGLET malware,
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

    Intelligence / July 26, 2025

    Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

    Intelligence / July 25, 2025

    Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

    Security / July 25, 2025

    Koske, a new AI-Generated Linux malware appears in the threat landscape

    Malware / July 25, 2025

    Mitel patches critical MiVoice MX-ONE Auth bypass flaw

    Security / July 25, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT