It is almost February and love is in the air, but that doesn't mean you should open every love letter you receive. A large malspam campaign has been discovered that uses romantic and endearing email subjects to trick recipients into getting infected with ransomware, miners, and more.
The "Love Letter" campaign consists of emails that contain romantic and endearing subjects such as "Love You" and "This is my love letter to you". Attached to these emails are ZIP attachments such as Love_You_14473721-2019-txt.zip, which contain a JavaScript file with a similar name.
Love Letter MalspamCommon email subjects seen with this malspam campaign include:
• I love you
• You are my love!
• Felt in love with you
• There is Only Love
• This is my love letter to you
• Love
• Love_You
• Luv_You
• Always thinking about you
• Just for you!
• My letter just for you
• My love letter for you
• Wrote this letter for you
The JavaScript files are obfuscated, but when executed will run a PowerShell command that downloads a malware named krablin.exe from slpsrgpsrhojifdij[.]ru and executes it.
Executed PowerShell CommandOnce executed, the krablin.exe file will be copied to %UserProfile%\[number]\winsvcs.exe and attempt to download five other malware samples to the computer and execute them. According to ISC Handler Brad Duncan, this will
result in a cocktail of malware that consists of the GandCrab Ransomware version 5.0.4, a Monero XMRig miner, and the Phorpiex spambot.
GandCrab 5.0.4 InstallMalspam continues to be a strong and widely used vector to distribute malware and users should always be suspicious of emails from strangers, especially ones with strange attachments. BleepingComputer recommends that users always scan attachments using a service like
VirusTotal and if you were not expecting an attachment, to contact the sender to confirm.
source
