Spam campaign “Love you” redirected to Japan

    Studying the fresh wave of spam in Russia , we noticed another attack. Since mid-January 2019, the famous “Love you” campaign has been refined and redirected to Japan, where it is used to distribute the GandCrab 5.1 encoder.

    According to telemetry, the latest version of “Love you” was launched on January 28, 2019, its activity was approximately twice as high as the initial one (see the chart below). As in mid-January, a set of malicious payloads is distributed with some updates using spam. So, we have seen attempts to download a cryptominer, software for changing system settings, a malicious bootloader, the Phorpiex worm, and the GandCrab version 5.1 encoder.

    Figure 1. Detection of malicious JavaScript attachments distributed in the “Love you” campaign and its latest wave .

    As of January 29, 2019, the overwhelming majority of detections are in Japan (95%), tens of thousands of malicious emails are detected every hour. On the same day, JS / Danger.ScriptAttachment (according to the ESET classification - malicious JavaScript distributed via email attachments) was the fourth-largest threat in the world and # 1 threat in Japan (see below).

    Figure 2. JS / Danger.Script Attachment was the # 1 threat in Japan as of January 29

    Attack scenario

    In the last campaign, the attackers changed the texts of the mailings, moving from “Love You” in the subject line to headings related to Japan. Many smiles remain in the subject and body of the letter.

    Topics of the letters that we saw during the analysis:

    - Yui Aragaki;)
    - Kyary Pamyu Pamyu;)
    - Kyoko Fukada;)
    - Yuriko Yoshitaka;)
    - Sheena Ringo;)
    - Misia;)
    (Japanese stars of show business)

    Studied malicious attachments These are ZIP archives disguised as images with PIC0- [9-digit-number] format names. The figure below shows examples of such letters.

    Figure 3. Examples of spam letters from the “Japanese” campaign

    The ZIP archive contains a JavaScript file with the name in the same format, but ending only in .js. After extracting and running, JavaScript loads the payload of the first stage from the attacker's C & C server — an EXE file detected by ESET products as Win32 / TrojanDownloader.Agent.EJN. URLs that host this payload have a path ending in bl * wj * b.exe (the file name is changed) and krabler.exe; This payload is loaded into C: \ Users \ [username] \ AppData \ Local \ Temp [random] .exe.

    The first stage payload downloads one of the following final payloads from the same C & C server:

    - GandCrab version 5.1 encoder
    - crypto liner
    - Phorpiex worm
    - loader, working in accordance with the language settings (downloads the payload only if the language settings of the infected computer correspond to China, Vietnam, South Korea, Japan, Turkey, Germany, Australia or the UK)
    - software to change the system settings

    GandCrab 5.1 encrypts files, adding a random extension of five characters to their names. Redemption claims that contain this extension in file names and their contents are created in each folder affected by the encryptor.

    Figure 4. GandCrab v5.1 buyout requirement.

    The payload of this campaign is downloaded from IP address 92.63.197 [.] 153, the geolocation of which corresponds to Ukraine. The address has been used in the “Love you” campaign since mid-January.

    Indicators of compromise

    Examples hashes malicious attachments ZIP Detection ESET: JS / Danger.ScriptAttachment Examples JavaScript downloaders hashes Detection ESET: JS / TrojanDownloader.Agent.SYW or JS / TrojanDownloader.Nemucod.EDK Examples payload hashes first phase detection ESET: Win32 / TrojanDownloader.Agent. EJN Examples hashes final payload encoder GandCrab Win32 / Filecoder.GandCrab.E Kriptomayner Win32 / CoinMiner.BEX worm Phorpiex Win32 / Phorpiex.J loader Win32 / TrojanDownloader.Agent.EEQ software to change the system settings Win32 / Agent.VQU C & C-server, used in the campaign





    Also popular now: