  • The ‘Love Letter’ malspam campaign has changed its target to Japan and has doubled the volume of malicious emails it delivered.
  • This malspam campaign distributes a cocktail of malware consisting of GandCrab Ransomware version 5.1, a Monero XMRig miner, and the Phorpiex spambot.

The ‘Love Letter’ malspam campaign, which was initially detected and analyzed on January 10, 2019, has now changed its target to Japan, doubling its volume with tens of thousands of malicious emails delivered every hour.

Researchers from ESET observed the new wave of the ‘Love Letter’ campaign on January 29, 2019, delivering a cocktail of malware.

Japan-themed emails

This new wave of the Love Letter campaign has changed its focus to Japan, with ‘Japan-relevant’ email subjects instead of its initial ‘romantic-themed’ subjects. However, the heavy usage of smileys in both email subjects and body texts remains the same in both campaigns.

This malspam campaign uses names of popular Japanese entertainers followed by smileys in the email subjects and delivers zipped malicious JavaScript files disguised as images using the ‘PIC0-[9-digit-number]2019-jpg.zip’ format.
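A mail-gateway triage check for the attachment pattern described above, as an added example that is not from ESET or from the original article. The exact regular expression, the extra script extensions, and the `triage_attachment` and `build_zip` names are assumptions made for illustration, and all sample archives are constructed in memory with inert content.

```python
import io
import re
import zipfile

# Assumption: nine digits sit directly between "PIC0-" and "2019-jpg.zip",
# which is how the article's 'PIC0-[9-digit-number]2019-jpg.zip' reads.
CAMPAIGN_NAME = re.compile(r"^PIC0-\d{9}2019-jpg\.zip$", re.IGNORECASE)
# The article reports JavaScript; the other Windows Script Host types are
# added here as a generalization.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
IMAGE_HINT = re.compile(r"jpe?g|png|gif|pic|img", re.IGNORECASE)


def triage_attachment(filename, data):
    """Return reasons to quarantine a ZIP attachment (empty list = no finding)."""
    reasons = []
    if CAMPAIGN_NAME.match(filename):
        reasons.append("name matches Love Letter pattern")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            members = archive.namelist()
    except zipfile.BadZipFile:
        # An archive that cannot be inspected is reported, not passed.
        return reasons + ["archive unreadable"]
    scripts = sorted(m for m in members if m.lower().endswith(SCRIPT_EXTS))
    if scripts:
        reasons.append("contains script: " + ", ".join(scripts))
        if IMAGE_HINT.search(filename):
            reasons.append("image-themed name but script content")
    return reasons


def build_zip(member_name, content):
    """Build an in-memory ZIP for the constructed samples below (inert content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: names and contents are made up for illustration.
    samples = [
        ("PIC0-1234567892019-jpg.zip", build_zip("photo.js", "// inert")),
        ("holiday-photos.zip", build_zip("beach.jpg", "not a real image")),
        ("PIC0-1234567892019-jpg.zip", b"truncated"),
    ]
    for name, blob in samples:
        print(name, "->", triage_attachment(name, blob) or "no finding")
```

The content check does the real work: a renamed archive evades the filename pattern, but a ZIP whose members are scripts is still flagged.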

GandCrab, Monero XMRig miner, Phorpiex spambot as final payloads

Once extracted and launched, the malicious JavaScript file downloads the first-stage payload from the attackers’ C2 server, an EXE file detected by ESET products as ‘Win32/TrojanDownloader.Agent.EJN’.

“The URLs hosting this payload have had paths ending with ‘bl*wj*b.exe’ (note: filename redacted) and ‘krabler.exe’ and these payloads were downloaded to C:\Users\[username]\AppData\Local\Temp[random].exe,” ESET researchers explained in a blog.

This first-stage payload downloads a cocktail of final payloads such as GandCrab Ransomware version 5.1, a Monero XMRig miner, the Phorpiex spambot, and a system settings changer from the same C2 server.

The first-stage payload also downloads a language- and locale-specific downloader designed to download more payloads only if the language settings are set to China, Vietnam, South Korea, Japan, Turkey, Germany, Australia or the UK.

Researchers from ESET also noted that this campaign downloads malware from a Ukrainian IP address which has been used in the earlier ‘Love Letter’ campaign as well.

Researchers’ recommendations

  • Researchers recommend that users exercise caution when opening any email or attachments from anonymous senders.
  • They suggest verifying the authenticity of the emails before opening any attachments.
  • They further recommend not opening any email or attachments from unknown senders and contacting the organization regarding the email.
Cyware Publisher