ESET researchers have detected a substantial new wave of the “Love you” malspam campaign, updated to target Japan and spread GandCrab 5.1
Based on our telemetry data, this latest “Love you” campaign was launched on January 28, 2019, almost doubling in size compared to the initial waves, as seen in Figure 1. Much like in mid-January, the spam emails distribute a cocktail of malicious payloads, with some updates: we have seen attempts to download a cryptominer, a system settings changer, a malicious downloader, the Phorpiex worm, and the infamous ransomware GandCrab version 5.1.
Attack scenario in the Japan-targeted campaign
In this latest campaign, the attackers have altered the messaging of the malicious emails, switching from the romantic theme of the initial mid-January “Love You” campaign to Japan-relevant topics. What has remained the same is the heavy use of smileys in both email subjects and body texts.
The emails we have seen during our analysis have the following subject lines:
- Yui Aragaki 😉
- Kyary Pamyu Pamyu 😉
- Kyoko Fukada 😉
- Yuriko Yoshitaka 😉
- Sheena Ringo ;)
- Misia 😉
(Note: These are all popular Japanese entertainers)
The malicious attachments in the analyzed emails are ZIP files masquerading as image files, with names in the format “PIC0-[9-digit-number]2019-jpg.zip”. Figure 3 shows examples of such malicious emails.
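A mail-gateway triage check for the attachment pattern described above, as an added example that is not part of the original article: it flags names matching “PIC0-[9-digit-number]2019-jpg.zip” and looks inside the ZIP for Windows script files, which is what the JavaScript detection names in the IoC section point to. The archive member name and its content are constructed for the example, not taken from a real sample.

```python
import io
import re
import zipfile

# Attachment names seen in this wave: "PIC0-" + nine digits + "2019-jpg.zip".
CAMPAIGN_NAME_RE = re.compile(r"^PIC0-\d{9}2019-jpg\.zip$", re.IGNORECASE)

# Archive members with these extensions run through the Windows Script Host
# (or mshta) when double-clicked; that is how a "picture" archive becomes a downloader.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")


def name_matches_campaign(filename):
    """True if the attachment name follows the pattern described in the article."""
    return bool(CAMPAIGN_NAME_RE.match(filename))


def script_members(zip_bytes):
    """Return archive member names whose extension is a script type.

    Raises zipfile.BadZipFile if the bytes are not a ZIP archive at all.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist()
                if name.lower().endswith(SCRIPT_EXTENSIONS)]


def triage_attachment(filename, zip_bytes):
    """Return a list of reasons to quarantine the attachment; an empty list means nothing found."""
    reasons = []
    if name_matches_campaign(filename):
        reasons.append("filename matches the 'Love you' Japan-wave pattern")
    try:
        members = script_members(zip_bytes)
    except zipfile.BadZipFile:
        return reasons + ["file is not a valid ZIP archive despite the .zip extension"]
    for member in members:
        reasons.append(f"archive contains script file: {member}")
    return reasons


def build_sample_zip(member_name, content):
    """Constructed sample archive for offline testing (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lookalike: member name and content are made up for this example.
    lure = build_sample_zip("PIC0-123456789-jpg.js",
                            "// constructed placeholder, no real downloader code")
    benign = build_sample_zip("holiday.jpg", b"\xff\xd8\xff\xe0 constructed JPEG header")
    for name, blob in [("PIC0-1234567892019-jpg.zip", lure), ("holiday.zip", benign)]:
        print(name, "->", triage_attachment(name, blob) or ["no indicators"])
```

The filename regex only catches this wave's naming; the archive-content check is the durable part, since a ZIP that claims to be a picture but carries a .js or .vbs member is suspicious regardless of how it is named.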
Running the script inside the archive (detected by ESET as a JavaScript downloader, see the IoCs below) fetches a first-stage downloader. That first-stage payload in turn downloads one or more of the following final payloads from the same C&C server:
- The GandCrab ransomware, version 5.1
- A cryptominer
- The Phorpiex worm
- A language-locale-specific downloader (set to download further payloads only if the language settings of the affected computer suggest the victim is located in China, Vietnam, South Korea, Japan, Turkey, Germany, Australia or the UK)
- A system settings changer
GandCrab version 5.1 encrypts files and appends a random 5-character extension to their names. A ransom note whose filename and contents both include that extension is dropped in every affected folder.
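A forensic triage script for the behaviour described above, as an added example that is not part of the original article: it walks a directory tree, finds folders where several files share an unknown 5-character extension, and confirms the hit by looking for a note in the same folder whose name and contents both mention that extension. The extension “kqxzw”, the note names and the note text in the sample tree are constructed for the example.

```python
import os
import tempfile
from collections import Counter

# Legitimate 5-character extensions that must not be mistaken for a ransomware suffix.
KNOWN_EXTENSIONS = {"class", "shtml", "xhtml", "woff2", "ascii", "patch",
                    "swift", "scala", "jsonl", "proto"}


def candidate_extensions(filenames):
    """Count unknown 5-character alphanumeric extensions among the names in one folder."""
    counts = Counter()
    for name in filenames:
        ext = os.path.splitext(name)[1].lstrip(".").lower()
        if len(ext) == 5 and ext.isalnum() and ext not in KNOWN_EXTENSIONS:
            counts[ext] += 1
    return counts


def find_ransom_notes(folder, ext):
    """Return files in folder whose name and contents both mention ext (case-insensitive)."""
    notes = []
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if not os.path.isfile(path) or name.lower().endswith("." + ext):
            continue  # skip subfolders and the encrypted files themselves
        if ext not in name.lower():
            continue
        try:
            with open(path, "rb") as fh:
                text = fh.read(65536).decode("utf-8", "ignore").lower()
        except OSError:
            continue
        if ext in text:
            notes.append(name)
    return sorted(notes)


def scan_tree(root, min_files=2):
    """Map extension -> [(folder, encrypted_file_count, note_names)] for folders with a matching note."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for ext, count in candidate_extensions(files).items():
            if count < min_files:
                continue
            notes = find_ransom_notes(dirpath, ext)
            if notes:
                findings.setdefault(ext, []).append((dirpath, count, notes))
    return findings


def build_sample_tree():
    """Constructed directory tree: the suffix 'kqxzw' and the note text are made up for this example."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    layout = {
        "docs": ["report.docx.kqxzw", "budget.xlsx.kqxzw", "KQXZW-README.txt"],
        "photos": ["holiday.jpg.kqxzw", "family.png.kqxzw", "trip.mov.kqxzw", "kqxzw-readme.txt"],
        "clean": ["report.docx", "notes.txt", "Main.class"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "w", encoding="utf-8") as fh:
                if "readme" in name.lower():
                    fh.write("Your files have been encrypted and now carry the extension .kqxzw\n")
                else:
                    fh.write("constructed placeholder content\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for ext, hits in scan_tree(root).items():
        print(f"suffix .{ext}:")
        for folder, count, notes in hits:
            print(f"  {folder}: {count} renamed files, note(s) {notes}")
```

Run it read-only against a mounted image or a copy of the affected share rather than the live host. The 5-character length comes from this campaign; the note check, not the length alone, is what separates a ransomware hit from an application that happens to use an unusual extension.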
The payloads in this updated campaign are downloaded from the IP address 92.63.197[.]153, which appears to be located in Ukraine and has served the “Love you” campaign since its start in mid-January.
How to stay safe
To avoid falling victim to malicious spam, always verify the authenticity of emails before opening any attachments or clicking on links. If necessary, check with the organization that appears to have sent the email, using contact details from its official website rather than from the email itself.
Indicators of Compromise (IoCs)
Example hashes of malicious ZIP attachments
- ESET detection name: JS/Danger.ScriptAttachment
- ESET detection name: JS/TrojanDownloader.Agent.SYW (aka JS/TrojanDownloader.Nemucod.EDK)
Example hash of the first-stage payload
- ESET detection name: Win32/TrojanDownloader.Agent.EJN
Example hashes of the final payloads
| Payload | SHA-1 | ESET detection name |
|---|---|---|
| System settings changer | 979CCEC1DF757DCF30576E56287FCAD606C7FD2C | Win32/Agent.VQU |
C&C server used in the campaign

- 92.63.197[.]153