top of page
  • Writer's picture Avantia Threat Update


Updated: Feb 7, 2020

Critical Information about Trojan Malware hiding in Health Info about Coronavirus.


Security researchers have discovered that some cybercriminals are taking advantage of the Coronavirus to send people fake messages containing Emotet malware. Hackers are spreading the Emotet Trojan through emails meant to confuse people to believe it’s related to the Coronavirus that broke out in China in December last year. The Emotet Trojan has seen increased activity in recent times.

The Emotet banking  Trojan was first identified by security researchers in 2014. Emotet was originally designed as a banking Malware that attempted to sneak onto your computer and steal sensitive and private information. Later versions of the software saw the addition of spamming and malware delivery services—including other banking Trojans. Emotet uses functionality that helps the software evade detection by some anti-malware products. Emotet uses Worm-Like capabilities to help spread to other connected computers. This helps in distribution of the malware. This functionality has led the Department of Homeland Security in the USA to conclude that Emotet is one of the most costly and destructive malware infections, affecting Government and Private Sectors, Individuals and Organisations.

IBM discovered an email that showed cybercriminals were sending emails to people in Japan to disguise as disability welfare service providers in Japan. The content of the email revealed that there are reports of patients with the coronavirus in Osaka, Tottori, and Gifu prefectures in Japan. It further urged victims to open an attached file containing the message, but in essence, the message contains the Emotet Trojan.

Once the readers click on the attached Microsoft word file, their system is infected with the Trojan. The messages are highly treacherous because they were designed to look just like government emails with real emails, phone numbers, and addresses - a common practice by cybercriminals Whenever there is a worldwide event or a trending issue, cybercriminals usually take advantage of the situation to perpetuate their attack on systems. Most times they camouflage their malicious emails with the important topic, claiming to come from a genuine source.

Potential fallout could include:

  • Theft of Personally Identifiably Information (PII) which could lead to Identity Theft.

  • Stolen financial information which could later lead to extortion

  • If a business, stolen proprietary information which could be held for ransom

  • Critical Credential (Username/Password) theft leading to other accounts and passwords becoming vulmerable

  • Theft of locally stored Cryptocurrency wallet

  • Protracted remediation times for Network Admins

  • Loss of productivity for Users where endpoints (laptops etc) must be taken off the network.

Some are attaching .docx, .mp4, and .pdf files to the emails designed to deceive people they have an important message regarding the prevention of coronavirus. The purported email claims to contain information that would help protect the user against the virus. It also claims to have updates on the virus and even procedures for detecting the disease.

The strategy has been paying off for some of them because they can easily trick victims into believing the message since it looks genuine. According to IBM researchers, the attackers have mastered their act to the extent of using legitimate emails and phone numbers to make users believe they are real. IBM researchers said that these attackers make everything look real but the only difference is they rather attached Emotet Trojan along with the mail. They urge the reader to open the attached file for instructions or tips on the prevention and control of the virus. As soon as the user agrees to their bidding, they have just given an open invitation to the Trojan. Security researchers have seen other emails by cybercriminals spreading the Emotet Trojan by camouflaging using the coronavirus message. According to the researchers, the cyber attackers also used the same framework by urging people to click on the attached file.

According to Malware analyst, Anton Ivanov, the coronavirus has already been used by cybercriminals as bait to lure victims and infect their systems with malware. So far, Ivanov said the security firm has discovered 10 of such files. He said as the coronavirus news has gone global and still present, the fake news trend that infiltrates malware may continue. And as people get concerned over their health, there is always going to be those who would take advantage of the situation for their selfish and criminal gains, said Ivanov.

IBM researchers said that this type of attack is more likely to succeed because of the significance of the topic surrounding the email. The many fears people have about the spread of the virus will lead them to follow the cybercriminal’s request without thinking twice. Even those who are skeptical would still fall victim because they believe any important information about their health and safety should not be neglected. Apart from events that create fear, cybercriminals have also used positive events to lure their victims. Recently, they used the climate change movement by Greta Thunberg to send malicious messages to unsuspecting victims. Most times they use events with global coverage and wider reach to deceive their unfortunate victims into believing the message is genuine and legitimate. Proofpoint’s research director, Sherrod DeGrippo, pointed out that cybercriminals understand that many people would have an interest in globally trending issues like Greta Thunberg and the coronavirus. He said the most victims of this cyber attack are from Asia because people are more afraid of the virus in the region.


(1) Don't click on any links or open any files that are attached to an Email about the Corona Virus. If a business, tell all your staff about this Threat.

(2) Sign up for our Weekly Threat briefing (HERE) to keep up to date with serious cyber threats - ITS FREE

(3) If a business, contact Avantia for a Quote for our Staff Training and/or Cyber Audit to determine your level of vulnerability.

(4) Call Avantia Cyber Security on 07 30109711 for more information.



Avantia Corporate Services Pty Ltd T/A Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach and cyber security information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the contents accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.

*COPYRIGHT 2020* Avantia Corporate Services - All Rights Reserved.

bottom of page