Emotet, the highly prolific and sophisticated botnet, has recently started using email templates posing as a Kyoto Coronavirus notification. The templates are used to send malicious email messages from infected computers to spread the botnet. The email messages contain malware in attached or linked Microsoft Office files. When recipients open the files and enable content in the malicious document, Emotet infects the computer and uses that access to install more malware. The template is written entirely in Japanese and asks the user to view a notification relating to the Coronavirus. Additionally, the email contains information about the Coronavirus and symptom identification in order to lend credence to the “notification.” As the situation develops, Binary Defense will keep an eye out for any English coronavirus templates.
While Emotet does spoof the names shown in the “From:” and “To:” header entries, it cannot spoof the actual email address that the message originates from. Always make sure that the name shown in the “From:” section and the sending email address match up. Emotet also includes modules for spreading from one infected computer to others on the network. The best defense strategy for combatting Emotet is to quickly detect signs of infection on workstations and servers using Endpoint Detection and Response (EDR) tools. Quickly responding to detected threats by isolating the computer from the rest of the network not only cuts off the attacker’s ability to install more malware but also keeps other computers on the network from being affected, preventing a minor incident from becoming a major problem.
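A defender-side check for the “From:” mismatch described above, as an added example that is not part of the original post: it parses a raw message and flags a display name that shows one address while the real From address (and the envelope sender in Return-Path) is another. The sample messages, names and domains below are constructed.

```python
import email
import re
from email.utils import parseaddr

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample messages (not from the original post). In the spoofed one
# the display name shows a trusted-looking address while the actual From
# address and the envelope sender (Return-Path) belong to other domains.
LEGIT_MESSAGE = b"""Return-Path: <sato.kenji@example-city.jp>
From: "Sato Kenji" <sato.kenji@example-city.jp>
To: <tanaka@example-city.jp>
Subject: Meeting notes

(body omitted)
"""
SPOOFED_MESSAGE = b"""Return-Path: <bounce@example-mailer.net>
From: "sato.kenji@example-city.jp" <infected-user@example-compromised.net>
To: <tanaka@example-city.jp>
Subject: Coronavirus notification

(body omitted)
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender_headers(raw_message: bytes) -> list:
    """Return findings describing sender-header inconsistencies; an empty
    list means display name, From address and Return-Path all agree."""
    msg = email.message_from_bytes(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    findings = []
    # 1. The display name itself looks like an email address that differs
    #    from the real From address: the display-name spoof the post describes.
    for shown in EMAIL_RE.findall(display_name):
        if shown.lower() != from_addr.lower():
            findings.append(f"display name shows {shown} but From address is {from_addr}")
    # 2. Envelope sender domain differs from the From domain. Mailing lists and
    #    bulk senders do this legitimately, so weigh it together with finding 1
    #    rather than treating it as a verdict on its own.
    if return_path and _domain(return_path) != _domain(from_addr):
        findings.append(f"Return-Path domain {_domain(return_path)} differs "
                        f"from From domain {_domain(from_addr)}")
    return findings
```

The same function can be run over messages pulled from a mail gateway or a user-reported phish mailbox to surface display-name spoofs before the attachment is ever opened.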