Love you malware changes tactics as it targets Japan and spreads the ransomware Gandcrab 5.1. Malspam campaign, “Love you,” named after its attachment’s subject title, has a known affiliation with the Phorpiex botnet. The emails stated the attachments were love letters which in fact carried the Gandcrab ransomware into devices to deploy and encrypt files. Other tools used include cryptocurrency miner and a Monero (XMRig).
The effects of Love You
Love You uses zipped .js files in its mail attachments sent to victims in Japan. Other examples of how malspam campaigns are deployed can be found here, as well as the deployment of Gandcrab. When it came to the stage of encrypting files, the payload downloaded from URLs to the admin temp folder. It then used another set of payloads to mix with GandCrab. A Cryptominer also combined with the Phorpiex worm. Version 5.1 of the GandCrab ransomware not only encrypts the files but also designates five- character extensions in victims’ names. Ransom notes send thereafter with this unique reference.
The patterns observed by ESET’s Juraj Jánošík mirrored patterns of the Phorpiex botnet malspam. In addition, the campaign delivered malicious emails in its tens of thousands per hour.
This is not the first time Love You has sent this campaign, especially in Japan. The difference, however, was with previous emails, victims were targeted pertaining to relevant topics.
The latest set of emails instead use famous Japanese entertainers’ names followed by a smiley in the title. ESET also observed payloads traced back to Ukrainian IP addresses.
With Valentines approaching it is no coincidence the hackers are using a love letter theme. Users should, therefore, be extra vigilent when viewing emails and avoid clicking unknown attachments. Training staff will allow for easy detection as well as verifying the authenticity of emails before opening them are crucial.