How Emotet is Evolving to Exploit Coronavirus Panic

March 13, 2020 | Eric Dosal

The early months of 2020 have been defined by the rapid spread of the COVID-19 coronavirus, which first emerged in China’s Wuhan province in late 2019 and quickly intensified over the following months. Declared a pandemic by the World Health Organization in March, the novel coronavirus has caused many organizations to take drastic action to prevent the further spread of the dangerous contagion.

But for one specific group, the news of the virus was seen as an opportunity. Cyberattackers wasted little time in finding ways to exploit the coronavirus panic. Just as companies are being proactive about protecting their employees and customers from the virus, they also need to make sure they’re taking steps to protect their IT systems and data from a different kind of virus. One of the most inventive strategies being deployed by cyberattackers involves a form of malware that already has a rather notorious reputation: Emotet.

What is Emotet?

First identified by cybersecurity researchers in 2014, Emotet began life as a banking Trojan that uses worm-like tactics to replicate itself across connected systems. In its first iteration, the malware focused on sneaking onto a computer to steal private data. In the years since, it has evolved to include spamming and the delivery of other malware. Because it is difficult to detect and remove, the US Department of Homeland Security has classified Emotet as one of the most costly and destructive forms of malware.

Emotet has been known to target individuals, private companies, and governments to steal login credentials and financial data. Perhaps the most infamous attack occurred in February 2018, when the city of Allentown, PA was forced to shut down many of its financial and public safety systems in response to an infection. An emergency response team from Microsoft managed to contain the malware, but it eventually cost the city approximately a million dollars to remove it and repair the damage.

How Does Emotet Spread?

The Emotet virus is primarily distributed through email using a tactic known as malspam, which involves spam emails that contain malicious attachments or links. These emails are designed to look familiar to the recipient, often using branding assets or logos to appear more legitimate. PayPal receipts, order confirmations, collections notices, and (ironically) fraud alerts are all common forms of malspam. If the user opens or clicks on a download link, PDF, or macro-enabled document included with the message, the Emotet virus infects the user’s mail server and immediately begins scouring the associated contacts list and sending itself to other people. Since the email is coming from a contact, the recipient is more likely to trust the contents and click on infected files or download links, which sets off another transmission chain.

If the infected system is connected to a network, the Emotet malware quickly resorts to brute-force attacks to reach secured files containing sensitive and private information. Newer incarnations of the malware are able to evade detection by anti-malware scans, even going dormant when they detect that they are running in a sandbox environment.

Emotet and the Coronavirus

While there may not initially appear to be much of a link between the COVID-19 novel coronavirus and Emotet malware, it’s important to remember that any situation that raises public awareness and creates anxiety or fear presents an opportunity for cyberattackers. Since Emotet malware can adapt its message to whatever is most likely to attract a user’s attention, topical events like the coronavirus pandemic allow attackers to leverage the headlines to increase the malware’s effectiveness.

Kaspersky researchers first identified coronavirus-related Emotet files around the end of January, which was quickly confirmed by IBM’s “X-Force” threat intelligence team. Rather than presenting themselves as notifications or invoices, these malware attacks posed as public health announcements claiming to have information about ways to combat coronavirus infection.

The first wave of attacks targeted Japan, likely due to the country’s proximity to the virus’s origins in China. It was, however, an unlikely place for Emotet to strike given the fact that previous attacks focused on North America and Europe. The malspam campaign seems to have used legitimate emails that contain information about the coronavirus, which allowed cyberattackers to deliver believable spam without extensive knowledge of Japanese.

Cybersecurity in a Time of Coronavirus

As the coronavirus pandemic’s impact continues to grow, organizations and individuals alike need to be on guard against malicious cyberattacks and phishing scams seeking to capitalize on the resulting confusion and fear. While people should always avoid opening suspicious or unsolicited emails, they should apply extra scrutiny during a period when spamming attacks are more likely to occur. Strong spam filters and antivirus programs with automatic updates can help prevent malware like Emotet from finding its way into an unsuspecting user’s inbox.
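The two malspam traits the article singles out, a topical lure (health notice, invoice, fraud alert) paired with a macro-enabled Office document, can be checked at the mail gateway before a message reaches an inbox. The example below is added here and is not Compuquip's or Emotet's code: it constructs a sample message, parses it with Python's standard `email` module, and flags attachments whose OOXML zip carries a `vbaProject.bin` part (where Office stores VBA code); the `LURE_TERMS` list is an assumed placeholder.

```python
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Assumed lure terms for this example; a real filter would feed these from threat intel.
LURE_TERMS = ("coronavirus", "covid-19", "public health", "invoice", "fraud alert")

def build_sample_eml(subject, attachment_name, with_macro):
    """Construct a sample message with an OOXML attachment (constructed data, not a capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Office keeps VBA code in this part; its presence marks a macro-enabled document.
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg = EmailMessage()
    msg["From"] = "Health Notice <notices@example.invalid>"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please open the attached guidance.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()

def attachment_has_macro(data):
    """True if the attachment is an OOXML zip that contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def triage(raw):
    """Return the lure terms and macro-bearing attachments found, plus a quarantine verdict."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = str(msg["Subject"] or "").lower()
    lure_hits = [t for t in LURE_TERMS if t in subject]
    macro_parts = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload and attachment_has_macro(payload):
            macro_parts.append(part.get_filename())
    # Quarantine when a topical lure and a macro document occur in the same message.
    return {"lure_terms": lure_hits, "macro_attachments": macro_parts,
            "quarantine": bool(lure_hits) and bool(macro_parts)}
```

Run `triage(build_sample_eml("Coronavirus public health update", "guidance.docm", True))` to see a quarantine verdict, and the same call with a plain `.docx` and a neutral subject to see it pass.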

Although the first wave of coronavirus-themed Emotet attacks focused on Japan, they will surely spread to other countries over the coming months. That is why organizations need to prepare their incident response teams to contain and mitigate potential threats. As with any email-based phishing attack that targets individuals within an organization, educating employees is perhaps the most critical step IT security managers can take.

If you need help implementing the best practices that can ensure business continuity for your organization and protect your employees from cyberthreats like Emotet, contact the Compuquip team today. Our cybersecurity engineers and solutions architects have the experience and knowledge you need to keep your company up and running in the face of today’s emerging cybersecurity risks.
