The ‘Love Letter’ malspam campaign, which was initially detected and analyzed on January 10, 2019, has now shifted its target to Japan, doubling its volume with tens of thousands of malicious emails delivered every hour.
Researchers from ESET observed the new wave of the ‘Love Letter’ campaign on January 29, 2019, delivering a cocktail of malware.
This new wave of the Love Letter campaign has changed its focus to Japan, using ‘Japan-relevant’ email subjects instead of the initial ‘romantic-themed’ ones. However, the heavy use of smileys in both email subjects and body text remains the same in both campaigns.
GandCrab, Monero XMrig miner, Phorpiex spambot as final payloads
“The URLs hosting this payload have had paths ending with ‘bl*wj*b.exe’ (note: filename redacted) and ‘krabler.exe’ and these payloads were downloaded to C:\Users\[username]\AppData\Local\Temp\[random].exe”, ESET researchers explained in a blog.
This first-stage payload downloads a cocktail of final payloads such as GandCrab Ransomware version 5.1, a Monero XMRig miner, the Phorpiex spambot, and a system settings changer from the same C2 server.
The first-stage payload also downloads a language- and locale-specific downloader designed to fetch more payloads only if the system language is set to China, Vietnam, South Korea, Japan, Turkey, Germany, Australia or the UK.
Researchers from ESET also noted that this campaign downloads malware from a Ukrainian IP address that was also used in the earlier ‘Love Letter’ campaign.
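As an added defender-side illustration (not code from the ESET write-up or from the campaign itself), the Python sketch below scores constructed sample emails on the two traits the article reports, heavy emoticon use in both subject and body combined with a link to an .exe, and separately flags an endpoint file path matching the reported drop location under the user's local Temp folder. The emoticon and link patterns, the thresholds, the sample messages and the placeholder domain are all assumptions.

```python
import re
from email import message_from_string
from email.policy import default

# Emoticon and .exe-link patterns are assumptions chosen for this illustration.
EMOTICON_RE = re.compile(r":-?[)D]|;-?\)|<3|\^_\^|:-?P")
EXE_LINK_RE = re.compile(r"https?://[^\s\"'<>]+\.exe\b", re.IGNORECASE)
# Reported drop location: C:\Users\<user>\AppData\Local\Temp\<random>.exe
TEMP_DROP_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)

def score_message(raw: str, body_threshold: int = 3) -> dict:
    """Score one RFC 822 message on the traits the campaign is reported to share."""
    msg = message_from_string(raw, policy=default)
    subject = msg.get("Subject", "") or ""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    subject_smileys = len(EMOTICON_RE.findall(subject))
    body_smileys = len(EMOTICON_RE.findall(text))
    exe_links = EXE_LINK_RE.findall(text)
    # Require all three traits together so a single friendly smiley does not alert.
    suspicious = subject_smileys >= 1 and body_smileys >= body_threshold and bool(exe_links)
    return {"subject_smileys": subject_smileys, "body_smileys": body_smileys,
            "exe_links": exe_links, "suspicious": suspicious}

def is_temp_drop_path(path: str) -> bool:
    """True if an endpoint file path matches the reported first-stage drop location."""
    return TEMP_DROP_RE.match(path) is not None

# Constructed sample messages; the domain is a placeholder, not a real campaign host.
SUSPICIOUS_MAIL = (
    "From: sender@example.invalid\nSubject: My love for you ;) :)\n\n"
    "Hi :) I wrote this for you :-) <3\nhttp://example.invalid/krabler.exe\n")
BENIGN_MAIL = (
    "From: colleague@example.invalid\nSubject: Meeting notes\n\n"
    "Here are the notes from today. :)\n")

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MAIL), ("benign", BENIGN_MAIL)):
        print(name, score_message(raw))
    print(is_temp_drop_path(r"C:\Users\alice\AppData\Local\Temp\a1b2c3.exe"))
```

The host-path check is meant for file-creation telemetry (for example Sysmon or EDR events) rather than for mail scanning.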