Cyber criminals are using the fear surrounding the coronavirus outbreak to infect the devices of unsuspecting victims with malware.
The emails flagged by Kaspersky carried malware hidden in PDF, DOCX and MP4 files that were disguised as material on coronavirus protection, detection and developments.
Anton Ivanov, a malware analyst at Kaspersky, said: “The coronavirus, which is currently hotly debated in the media, has been used as a bait by cybercriminals. So far, we’ve only identified ten unique files, but since this type of activity is common to popular media topics, we expect this number to increase. As people continue to worry about their health, fake documents that are said to educate them about the coronavirus may be spreading more and more malware.”
IBM X-Force’s findings
Meanwhile, IBM X-Force discovered emails with attached Word documents that deliver the Emotet malware.
The emails, sent to people in Japan, state that the coronavirus has reached several Japanese prefectures and urge the recipient to open the attached document for more information. Once they open it, Emotet is installed on their device.
IBM X-Force believes that “This new approach to delivering Emotet may be significantly more successful, due to the wide impact of the coronavirus and the fear of infection surrounding it”. It also expects similar emails to target other countries.
Emotet began as a banking Trojan in 2014 and was used to steal users’ credentials and financial information by scraping data and sniffing network traffic. The stolen information was sent back to command-and-control servers hidden in the cookies of HTTP requests.
Since then, Emotet has evolved into a malware-as-a-service operation that other attackers use to distribute their own payloads.
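The exfiltration channel described above for early Emotet, stolen data packed into the Cookie header of otherwise ordinary HTTP requests, is something a defender can hunt for in web-proxy logs. The following is an added example, not code from the article or from Kaspersky or IBM X-Force: it parses a hypothetical proxy-log format constructed for this illustration and flags requests whose cookie values are unusually long and high-entropy, which is how encrypted or encoded stolen data tends to look next to normal session and tracking cookies. The log format, the sample lines and the thresholds are all assumptions and would need tuning against real traffic.

```python
import base64
import math
import re
from typing import Dict, List, Optional

# Thresholds are illustrative tuning assumptions, not values from the article:
# legitimate cookies are usually short and low-entropy, while encoded or
# encrypted data stuffed into a Cookie header tends to be long and dense.
MIN_VALUE_LENGTH = 128   # total characters across all cookie values
MIN_ENTROPY_BITS = 4.5   # Shannon entropy (bits per character) of those values

# Hypothetical proxy log format, constructed for this example:
# <timestamp> <client_ip> <method> <host> <path> cookie="<Cookie header value>"
LOG_PATTERN = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<path>\S+) cookie="(?P<cookie>[^"]*)"$'
)


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def cookie_values(cookie_header: str) -> str:
    """Concatenate the value part of every name=value pair in a Cookie header."""
    parts = []
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        parts.append(value if sep else name)
    return "".join(parts)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into its fields, or return None if it does not match."""
    m = LOG_PATTERN.match(line)
    return m.groupdict() if m else None


def is_suspicious_cookie(cookie_header: str,
                         min_len: int = MIN_VALUE_LENGTH,
                         min_entropy: float = MIN_ENTROPY_BITS) -> bool:
    """True when the cookie values are both long and high-entropy."""
    values = cookie_values(cookie_header)
    return len(values) >= min_len and shannon_entropy(values) >= min_entropy


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed records whose Cookie header looks like packed exfiltrated data."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious_cookie(rec["cookie"]):
            rec["value_entropy"] = f"{shannon_entropy(cookie_values(rec['cookie'])):.2f}"
            hits.append(rec)
    return hits


# Constructed sample traffic (not captured data). The third line imitates the
# pattern described in the article: an opaque blob riding in the Cookie header
# of an otherwise ordinary HTTP request. The blob is just base64 of the bytes
# 0..255, standing in for encrypted stolen data.
SAMPLE_BLOB = base64.b64encode(bytes(range(256))).decode()
SAMPLE_LOGS = [
    '2020-01-30T10:01:02Z 10.0.0.5 GET www.example.com / cookie="session=abc123; lang=en"',
    '2020-01-30T10:01:05Z 10.0.0.5 GET www.example.com /news '
    'cookie="_ga=GA1.2.1234567890.1580000000; _gid=GA1.2.987654321.1580000000"',
    f'2020-01-30T10:02:41Z 10.0.0.5 POST 203.0.113.7 /index.php cookie="CDE={SAMPLE_BLOB}"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']}{hit['path']} "
              f"cookie values entropy={hit['value_entropy']} bits/char")
```

Length and entropy are combined deliberately: a short cookie such as `session=abc123` scores high on entropy per character simply because every character is distinct, so entropy alone would be noisy, while long low-entropy tracking cookies are excluded by the entropy floor. In a real deployment the detector should be baselined per destination host, since legitimate sites that issue long tokens (JWTs, for example) will otherwise generate steady false positives.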
The extent of the coronavirus campaign
Only a handful of emails have been caught so far, so the extent of the malware campaign cannot yet be fully gauged.
Kaspersky Lab said that “The current number of infected users is not high enough to comprehensively know about the distribution methods of these files. But looking at previous cases, we can assume that users receive them from prepared attackers’ sites on the subject of coronavirus and via malicious email.”