"Love you" malspam campaign has been modified to target Japan

by Gabriel E. Hall

“Love letter” spam campaign returns just before Valentine's Day

Love you malspam campaign targets Japan

The “Love Letter” spam campaign is based on phishing tactics: emails from malicious actors that carry different kinds of malware. The campaign typically peaks around February, just before Valentine's Day.[1] This time, however, instead of targeting users worldwide, the “Love you” spam campaign has been aimed at Japan and is being used to spread the infamous GandCrab 5.1 ransomware.

The campaign was discovered by researchers at ESET in mid-January 2019. As Juraj Jánošík noted in his report,[2] the “Love you” malspam has already become one of the most active threats worldwide: the campaign consists of thousands of malicious emails carrying zipped JavaScript files, and it ranks fourth on the list of the most detected threats globally.

The spam email campaign that targets Japanese users

After earlier waves of fake emails from dating websites and similar spam written in English, the malicious actors behind this campaign decided to tailor the contents of their emails to a specific target: Japanese victims. To lure potential victims, they filled the subject line with the names of popular Japanese entertainers and emojis.

Emails from this malspam campaign contain these subject lines:

  • 😀
  • Yui Aragaki 😉
  • Yuriko Yoshitaka 😉
  • Sheena Ringo 😉
  • Misia 😉
  • Kyary Pamyu Pamyu 😉
  • Kyoko Fukada 😉

The email itself carries no message: it contains only the emoji and an attached zip file. The malicious JavaScript code is hidden in this file, which is named following the pattern “PICo-[9 digit number]2019-jpg.zip”.
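An added example, not part of the article or of ESET's report: a Python mail-gateway check that scores a message against the indicators described above (the campaign's subject lines, the attachment naming pattern, and a zipped .js member). The function names, the verdict policy, and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Indicators taken from the article: subject lines seen in the Japanese wave
# and the attachment naming pattern "PICo-[9 digit number]2019-jpg.zip".
KNOWN_SUBJECTS = {
    "\U0001F600",  # lone grinning-face emoji
    "Yui Aragaki \U0001F609",
    "Yuriko Yoshitaka \U0001F609",
    "Sheena Ringo \U0001F609",
    "Misia \U0001F609",
    "Kyary Pamyu Pamyu \U0001F609",
    "Kyoko Fukada \U0001F609",
}
ATTACHMENT_NAME_RE = re.compile(r"^PICo-\d{9}2019-jpg\.zip$", re.IGNORECASE)

def zipped_script_members(data: bytes) -> list:
    """Names of .js members inside a zip; empty for non-zip or corrupt data."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".js")]
    except zipfile.BadZipFile:
        return []

def assess_message(subject: str, attachment_name: str, attachment: bytes) -> dict:
    """Score one inbound message against the campaign indicators.
    Verdict policy (hypothetical, chosen for this example): 'block' when the
    attachment name matches AND it carries a zipped .js; 'review' on any
    single indicator; 'allow' otherwise."""
    hits = []
    if subject.strip() in KNOWN_SUBJECTS:
        hits.append("subject")
    if ATTACHMENT_NAME_RE.match(attachment_name):
        hits.append("attachment_name")
    scripts = zipped_script_members(attachment)
    if scripts:
        hits.append("zipped_js:" + ",".join(scripts))
    if "attachment_name" in hits and scripts:
        verdict = "block"
    else:
        verdict = "review" if hits else "allow"
    return {"verdict": verdict, "hits": hits}

def build_zip(members: dict) -> bytes:
    """Build a constructed in-memory zip for testing (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()
```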

According to the analysis, the attachment launches the download of the main malware payload. The malware is fetched from the attacker's C&C server[3] using the paths bl*wj*b.exe or krabler.exe. These components are downloaded to a folder on the system and saved under the naming pattern Temp[random].exe.

The first stage is infiltration; the second is installation of a malware cocktail including GandCrab 5.1

When the attacker's C&C server is accessed, the system is infected with even more malware. Final payloads downloaded from the server include:

  • GandCrab 5.1 ransomware;[4]
  • A cryptojacking malware; 
  • Phorpiex worm;
  • A system setting modifier;
  • Further malware selected according to the victim's location. 

During previous campaigns, the main malware spread with the help of Love letter spam was the XMRig Monero miner. During this new campaign, there is only a small chance that the same trojan will be delivered to the system.

However, the most prominent and dangerous malware distributed as the final payload in this “Love you” spam campaign is GandCrab 5.1 ransomware. Once version 5.1 of GandCrab is downloaded onto the system, it encrypts files and appends a random 5-character extension. The virus then demands a specific ransom payment to its developers in exchange for the GandCrab decrypter.

This particular ransomware family has been drawing attention in the cybersecurity industry because of its prevalence. According to recent news, the virus has been actively spreading alongside info stealers and similar malware that can even be rented for specific attacks.[5]

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

