Hope You're Using Protection as Love Letter MalSpam has Nasty Surprises


steven36

It is almost February and love is in the air, but that doesn't mean you should open every love letter you receive. A large malspam campaign has been discovered that uses romantic and endearing email subjects to trick recipients into getting infected with ransomware, miners, and more.

The "Love Letter" campaign consists of emails that carry romantic and endearing subjects such as "Love You" and "This is my love letter to you". Attached to these emails are ZIP archives such as Love_You_14473721-2019-txt.zip, each containing a JavaScript file with a similar name.

[Image: Love Letter Malspam]

Common email subjects seen with this malspam campaign include:

I love you
You are my love!
Felt in love with you
There is Only Love
This is my love letter to you
Love
Love_You
Luv_You
Always thinking about you
Just for you!
My letter just for you
My love letter for you
Wrote this letter for you

The JavaScript files are obfuscated, but when executed will run a PowerShell command that downloads a malware named krablin.exe from slpsrgpsrhojifdij[.]ru and executes it.

[Image: Executed PowerShell Command]

Once executed, krablin.exe copies itself to %UserProfile%\[number]\winsvcs.exe and then attempts to download five further malware samples to the computer and execute them. According to ISC Handler Brad Duncan, the result is a cocktail of malware consisting of the GandCrab Ransomware version 5.0.4, a Monero XMRig miner, and the Phorpiex spambot.

[Image: GandCrab 5.0.4 Install]


Malspam continues to be a strong and widely used vector for distributing malware, and users should always be suspicious of emails from strangers, especially ones carrying unexpected attachments. BleepingComputer recommends that users always scan attachments with a service like VirusTotal and, if an attachment was not expected, contact the sender to confirm it is genuine.
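Defender-side triage for the chain described above, added here as an example and not taken from the article, BleepingComputer or ISC: it matches mail subjects and attachment names against the campaign list, and flags endpoint events for the script-host-to-PowerShell stage, the krablin.exe download host and the winsvcs.exe drop. The event record format and all sample events are constructed, and the regex patterns generalise the single attachment name and drop path the article shows.

```python
# Added example, not code from the article or BleepingComputer. Indicators come
# from the article; the event format is a constructed, simplified process/file
# record with the keys parent_image, image, command_line and target_path.
import re
SUBJECTS = {
    "i love you", "you are my love!", "felt in love with you", "there is only love",
    "this is my love letter to you", "love", "love_you", "luv_you", "just for you!",
    "always thinking about you", "my letter just for you", "my love letter for you",
    "wrote this letter for you",
}
# Attachment naming from the article: Love_You_14473721-2019-txt.zip
ATTACHMENT_RE = re.compile(r"^(love|luv)_you_\d+-\d{4}-txt\.zip$", re.IGNORECASE)
# Drop location from the article: %UserProfile%\[number]\winsvcs.exe
WINSVCS_RE = re.compile(r"\\users\\[^\\]+\\\d+\\winsvcs\.exe$", re.IGNORECASE)
DOWNLOAD_HOST = "slpsrgpsrhojifdij.ru"          # defanged as [.]ru in the article
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows hosts for a .js attachment

def triage_email(subject: str, attachment: str) -> list:
    """Reasons a mail-gateway rule would hold the message for review."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("subject matches Love Letter campaign list")
    if ATTACHMENT_RE.match(attachment):
        reasons.append("attachment name matches Love_You_<digits>-<year>-txt.zip")
    return reasons

def detect_event(ev: dict) -> list:
    """Flag one endpoint event that matches a stage of the infection chain."""
    hits = []
    parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("command_line", "").lower().replace("[.]", ".")
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        hits.append("script host spawned PowerShell (JS dropper stage)")
    if DOWNLOAD_HOST in cmd:
        hits.append("command line references the krablin.exe download host")
    if WINSVCS_RE.search(ev.get("target_path", "")):
        hits.append("file written to %UserProfile%\\<number>\\winsvcs.exe")
    return hits

# Constructed sample events, not a real capture.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe <download of http://slpsrgpsrhojifdij.ru/krablin.exe>"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\krablin.exe",
     "target_path": r"C:\Users\alice\7813\winsvcs.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]
```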

Source

Lovely. Curious though, can one prevent this type of ransomware if one is either blocking PowerShell via software restriction or the win10 AppLocker option? I would think that would stump it from downloading anything.
