“Love letter” spam campaign returns just before Valentine's Day
The “Love Letter” spam campaign relies on phishing emails from malicious actors that carry different kinds of malware. The campaign typically peaks in February, just before Valentine's Day. This time, however, instead of targeting users worldwide, the “Love you” spam campaign has been aimed at Japan and is used to spread the infamous GandCrab 5.1.
The spam email campaign that targets Japanese users
After using fake emails from dating websites and similar spam written in English, the malicious actors behind this campaign decided to tailor the contents of their emails to a specific target: Japanese victims. To trick their potential victims, they filled the subject line with the names of popular Japanese entertainers and emojis.
Emails from this malspam campaign contain these subject lines:
- Yui Aragaki 😉
- Yuriko Yoshitaka 😉
- Sheena Ringo 😉
- Misia 😉
- Kyary Pamyu Pamyu 😉
- Kyoko Fukada 😉
According to the analysis, the attachment launches the download of the main malware payload. The payload is downloaded from the attacker's C&C server using the paths bl*wj*b.exe or krabler.exe. These components are downloaded to a folder on the system and saved using the pattern Temp[random].exe.
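A mail-filter check for the lure described above, added here as an example (not code from the original article or from any named vendor): it parses a raw message, matches the subject against the reported entertainer names with the wink emoji, and flags messages that combine such a subject with an attachment. The sample messages and the attachment filename are constructed for this example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lines reported for the campaign: an entertainer name followed by a wink emoji.
LURE_NAMES = [
    "Yui Aragaki", "Yuriko Yoshitaka", "Sheena Ringo",
    "Misia", "Kyary Pamyu Pamyu", "Kyoko Fukada",
]
WINK = "\U0001F609"  # 😉
LURE_RE = re.compile(
    r"^\s*(" + "|".join(re.escape(n) for n in LURE_NAMES) + r")\s*"
    + re.escape(WINK) + r"\s*$",
    re.IGNORECASE,
)


def attachment_names(msg: EmailMessage) -> list:
    """Return the filenames of all attachment parts (empty for non-multipart mail)."""
    return [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]


def classify(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report whether it matches the lure pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")   # policy.default decodes RFC 2047 words
    lure = LURE_RE.match(subject) is not None
    atts = attachment_names(msg)
    return {
        "subject": subject,
        "lure_subject": lure,
        "attachments": atts,
        # The article describes a lure subject delivering an attachment; flag only that combination.
        "suspicious": lure and len(atts) > 0,
    }


def build_sample(subject: str, attach: bool) -> bytes:
    """Construct a sample message (made up for this example, not a real capture)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("See attached.")
    if attach:
        # Placeholder bytes and filename; the article does not name the attachment.
        m.add_attachment(b"\x00placeholder", maintype="application",
                         subtype="octet-stream", filename="photo.zip")
    return m.as_bytes()
```

Running `classify(build_sample("Misia 😉", True))` returns a dict with `suspicious` set to True, while a matching subject without an attachment or an attachment under an unrelated subject is not flagged.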
First stage: infiltration; second stage: installation of a malware cocktail including GandCrab 5.1
When the attacker's C&C server is accessed, the system is infected with even more malware. Final payloads downloaded from the server include:
- GandCrab 5.1 ransomware;
- A cryptojacking malware;
- Phorpiex worm;
- A system setting modifier;
- Further malware selected according to the victim's location.
During previous campaigns, the main malware spread with the help of Love letter spam was the Monero-mining XMRig miner. During this new campaign, there is only a minor possibility that the same trojan is delivered to the system.
However, the most prominent and dangerous malware distributed as the final payload in this “Love you” spam campaign is GandCrab 5.1 ransomware. When version 5.1 of GandCrab ransomware is downloaded onto the system, it encrypts files and appends a random 5-character extension. The virus then demands a specific ransom payment to its developers in exchange for the GandCrab decrypter.
This particular ransomware family has been drawing attention in the cybersecurity industry because of how widespread it is. According to recent news, the virus has been actively spreading together with info stealers and similar malware, and can even be rented for special attacks.