The ‘Love Letter’ malspam campaign which was initially detected and analyzed on January 10, 2019, has now changed its target to Japan, doubling its volume with tens of thousands of malicious emails delivered every hour.
Researchers from ESET observed the new wave of the ‘Love Letter’ campaign on January 29, 2019, delivering a cocktail of malware.
Japan-themed emails
This new wave of Love Letter campaign has changed its focus to Japan with ‘Japan-relevant’ email subjects instead of its initial ‘romantic-themed’ subjects. However, the heavy usage of smileys in both email subjects and body texts remains the same in both the campaigns.
This malspam campaign uses names of popular Japanese entertainers followed by smileys in the email subjects and delivers zipped malicious JavaScript files disguised as images using the ‘PIC0-[9-digit-number]2019-jpg.zip format’.
GandCrab, Monero XMrig miner, Phorpiex spambot as final payloads
Once extracted and launched, the malicious JavaScript file downloads the first-stage payload from the attackers’ C2 server, an EXE file detected by ESET products as ‘Win32/TrojanDownloader.Agent.EJN’.
“The URLs hosting this payload have had paths ending with ‘bl*wj*b.exe’ (note: filename redacted) and “krabler.exe” and these payloads were downloaded to C:\Users\[username]\AppData\Local\Temp[random].exe”, ESET researchers explained in a blog.
This first-stage payload downloads a cocktail of final payloads such as GandCrab Ransomware version 5.1, a Monero XMRig miner, the Phorpiex spambot, and a system settings changer from the same C2 server.
The first-stage payload also downloads a language and locale-specific-downloader designed to download more payloads only if the language settings are set to China, Vietnam, South Korea, Japan, Turkey, Germany, Australia or the UK.
Researchers from ESET also noted that this campaign downloads malware from an Ukrainian IP address which has been used in the earlier ‘Love Letter’ campaign as well.
Researchers’ recommendations
Publisher