Attackers are now taking advantage of Middle East Respiratory Syndrome (MERS) reports in South Korea for their own cyberattack campaigns. Symantec has observed attackers spreading MERS-themed emails in order to compromise their targets’ computers with Trojan.Swort.
Middle East Respiratory Syndrome is an illness that affects the respiratory system and has a mortality rate that’s close to 40 percent. In the last few weeks, it has been reported that there are now more than 100 MERS cases in South Korea. An additional 2,000 people in South Korea are reportedly under quarantine.
In the midst of this uphill battle against the disease, Symantec Security Response recently came across a malware campaign that took advantage of the MERS outbreak to attract the attention of its targets. A few days ago, Symantec gathered a malicious sample from external sources. The malware appears to have been spread through emails and is a simple .exe file that poses as a Microsoft Word document. The file name is written in Korean and translates as “MERS_List of hospital and infected patient.docx.exe”.
Figure 1. File name of the malicious sample, translating to “MERS_List of hospital and infected patient.docx.exe”
During our analysis of the sample, we confirmed that it’s not a sophisticated threat. Instead, it’s a simple downloader that we detect as Trojan.Swort. Our research found that the remote host which the malware is configured to connect to is not responding.
This isn’t the first time that attackers have used disease outbreaks as themes in their campaigns. Last year, attackers used the theme of the Ebola virus as bait to spread malware. Attackers have historically used major news stories as themes for their campaigns in attempts to trick targets into opening malicious attachments or links. They may use local news themes as bait when targeting a particular region.
However, MERS is quickly becoming a global concern, considering its reported spread to other Asian countries. In light of this, we would like to warn the public that there will be more cyberattacks piggybacking on the incident through spam emails, phishing, and spear-phishing attacks.
Symantec advises all users to be on guard for unsolicited, unexpected, or suspicious emails. If you are not sure of the email’s legitimacy, then avoid clicking on links or opening attachments in the message.
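The disguise described above, an executable whose name ends in ".docx.exe", can be flagged at a mail gateway before it reaches a user. The following is an added example, not Symantec's code: the extension sets, function names, and the sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative sets (assumptions, not from the article): extensions Windows
# runs directly, and document types a lure commonly imitates.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".hwp", ".txt"}

def is_disguised_executable(filename):
    """True when an executable extension directly follows a document-like one."""
    # Ignore whitespace and stray dots around either extension.
    name = filename.strip().rstrip(". ").lower()
    stem, last = os.path.splitext(name)
    _, inner = os.path.splitext(stem.rstrip(". "))
    return last in EXECUTABLE_EXT and inner in DECOY_EXT

def flag_attachments(raw_message):
    """Return attachment names in a raw RFC 5322 message that match the pattern."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() also decodes RFC 2231 encoded (e.g. Korean) names.
        name = part.get_filename()
        if name and is_disguised_executable(name):
            hits.append(name)
    return hits

def build_sample(filename):
    """Constructed test message carrying a harmless one-byte attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("constructed body")
    msg.add_attachment(b"\x00", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    # First name is the translated file name quoted in the article.
    for fn in ["MERS_List of hospital and infected patient.docx.exe",
               "report.docx", "setup.exe"]:
        print(fn, "->", flag_attachments(build_sample(fn)))
```

A plain "setup.exe" is deliberately not flagged here; blocking all executable attachments is a separate, broader policy decision.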