Skip to main content

How cybercriminals used Covid-19-themed spam to spread dangerous Emotet malware

(Image credit: Photo Credit:

Cybercriminals are exploiting the fear and uncertainty surrounding Covid-19 to wage attacks against enterprises. Across the world, threat actors are using time-tested Emotet malware to carry out Covid-19 themed campaigns against unsuspecting victims. Over the past several months Akamai has observed high volumes of Emotet traffic associated with Covid-19 spam emails. In this article, I’ll explain how Emotet works and provide some tips for defending against it.

A brief overview of Emotet

Emotet, also known as Geodo and Mealybug, is one of the most pervasive forms of malware. First identified in 2014, the virus was originally aimed at the financial services community, and acted as a Trojan that attempted to steal banking or credit card account credentials from compromised hosts. Emotet operators subsequently extended the Trojan to include spamming and malware delivery services.

Emotet is one of the most costly and destructive strains of malware. It can evade signature-based detection tools and uses worm-like capabilities to quickly spread across a network, wreaking havoc.  According to the U.S. Department of Homeland Security, Emotet infections cost state and local governments in the U.S. up to $1 million per incident to remediate.

Emotet typically functions as a downloader or dropper of other malware. Contemporary Emotet infections usually originate as a phishing email containing an attachment or a legitimate-looking URL. When the victim opens the attachment or clicks on the link, they unwittingly execute a macro that downloads the virus payload from command and control (CNC) servers operated by the attackers.  Once downloaded, Emotet establishes a presence on the host computer and attempts to propagate the local network via spreader modules.

As soon as Emotet operators gain a foothold in a network, they often sell access to infected computers to other cybercriminals as part of Malware-as-a-Service (MaaS) or Cybercrime as a Service (CaaS) schemes. MaaS/CaaS “customers” then implant other malware, such as TrickBot, which can be used to steal confidential data and spread Ryuk ransomware, as part of a so-called Triple Threat attack.

Capitalising on coronavirus fears

Cybercriminals have carried out a number of Covid-19 themed Emotet campaigns over the past several months as the virus has spread across the globe. The operators typically use phishing emails disguised to look like they are from official sources, such as the U.S. Centres for Disease Control.

It is often the case the perpetrator instructs the reader to click on a link to learn about new Covid-19 cases in their area. The URL will look authentic, but when the victim clicks on it, malware is downloaded to their computer.

The anatomy of an Emotet attack

Let’s take a look at an Emotet attack in more detail. A typical attack unfolds in four distinct stages:

Stage 1 – The malicious macro.

Most Emotet infections begin with a social engineering attempt. After opening the attachment with disabled macros, the victim is usually presented an image containing instructions like:

This document is protected. This document is only available for desktop or laptop versions of Microsoft Office Word.

To open the document, follow these steps:

Click the enable editing button from the yellow bar above.

Once you have enabled editing, please click the enable content button from the yellow bar above.

The document typically contains forms and single-function modules, which are used to obfuscate a PowerShell script that is used to compromise the victim’s computer. Due to the potential random layout, it is difficult to come up with rules to proactively mitigate the attack using signature-based detection tools.

Stage 2 – The dropped PowerShell script.

Once downloaded, the obfuscated PowerShell script cycles through a list of CNC domain names and tries to download the next stage of the attack to the victim’s computer, more specifically to C:\windows\temp\putty.exe.

Stage 3 – Returning the payload.

If the download succeeds, the downloaded file is executed. If an error occurs, the next URL is tried. If all of the URLs fail, the script terminates, and the victim’s device remains unaffected. Generally, the visited site simply returns the payload.

Stage 4 – The binary.

Once the downloaded file is executed the victim’s computer is infected.

Defending Against Emotet and other Malware Attacks

Here are some basic precautions you can take to help strengthen your company’s security posture and look to protect your business against Emotet and other malware attacks:

  • Educate your user community.  Provide security awareness training to your users. Instruct users to be on guard for Covid-19 related scams and to be wary of emails from unknown senders, especially emails containing attachments or links.
  • Perform security audits and penetration tests.  Re-examine your enterprise security architecture, systems and practices. Conduct pen tests to simulate attacks, identify gaps and vulnerabilities, and shore up your defences. Proactively hunt threats and search for suspicious behaviour.
  • Update your cybersecurity preparedness plan. Review your security readiness plan. Be sure you have adequate business continuity and disaster recovery plans in place to keep critical systems up and running in the event of an attack. Keep cybersecurity insurance up-to-date.
  • Take a fresh look at your backup strategy. Sophisticated malware attacks can delete or encrypt backup files, hampering recovery efforts. Introduce a multilayer backup strategy using cloud storage, offline backup or immutable storage to protect your backups against malicious attacks.
  • Prevent Emotet and dropper communications. Limit unnecessary lateral communications.  Segment and segregate physical and virtual networks and functions across the enterprise.
  • Disable local admin accounts. Attackers can use compromised privileged account credentials to move laterally across your network and steal data or inflict damage. Mitigate risk by adhering to the principle of least privilege and disabling local admin accounts.
  • Deploy the latest updates and patches. Make sure all endpoint operating systems and applications are running the latest software updates and security patches.
  • Implement email content scanning tools. Use email content filters or sandboxing to block or quarantine attachments commonly associated with malware (.dll and .exe files) or files that can’t be scanned by antivirus software (.e.g. .zip files).

Times of crisis create opportunities for bad actors. While workers around the world are furloughed, cybercriminals are busy plotting their next attack. Covid-19 themed attacks can wreak havoc on your business, at a time when many companies are already struggling and vulnerable. IT security leaders must remain vigilant. By taking a proactive approach to cybersecurity – continuously monitoring the threat landscape, and evaluating and improving your security systems and practices – you can stay one step ahead of the bad guys and protect your business.

Gerhard Giese, Industry Strategist, Akamai Technologies (opens in new tab)

Gerhard Giese, Industry Strategist at Akamai Technologies.