“Love you” Malspam Gets a Makeover for Massive Japan-targeted Campaign
(Jan 30, 2019)
Researchers from ESET discovered that a recent “Love You” malspam campaign has been modified to target users in Japan. The unknown threat actors used Japanese-relevant subject headers to entice users to open the email and extract the malicious .zip file attached to it. If a user extracts the .zip archive and runs the JScript file inside it, that script acts as the first-stage payload and downloads one or more final payloads: “GandCrab” ransomware, an unspecified cryptominer, the “Phorpiex” worm, a system settings changer, and/or a locale-specific downloader that only fetches further payloads if the default language on the infected machine indicates the user is in Australia, China, Germany, Japan, South Korea, Turkey, the UK, or Vietnam.
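As an added example (not from ESET's report or this brief), a Python check for the attachment pattern described above, a .zip attachment carrying a Windows script file such as JScript, applied to a raw email message. The sample message, sender addresses and file names are constructed placeholders.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions that Windows Script Host or mshta will execute when double-clicked;
# a zip attachment carrying one of these matches the chain described above.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}


def script_files_in_zip(data: bytes) -> list[str]:
    """Return the names of script files inside a zip; empty if none or if data is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [
                name for name in archive.namelist()
                if any(name.lower().endswith(ext) for ext in SCRIPT_EXTENSIONS)
            ]
    except zipfile.BadZipFile:
        return []


def suspicious_attachments(raw_message: bytes) -> list[tuple[str, list[str]]]:
    """Walk an RFC 822 message and report zip attachments that contain script files."""
    msg = email.message_from_bytes(raw_message)
    findings = []
    for part in msg.walk():
        filename = part.get_filename() or ""
        if not filename.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        scripts = script_files_in_zip(payload)
        if scripts:
            findings.append((filename, scripts))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: a zip attachment wrapping a harmless placeholder .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Love_You.js", "// placeholder content, not the campaign's script\n")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Love_You.zip")
    return msg.as_bytes()
```

A mail gateway or SOC triage script can apply `suspicious_attachments` to each inbound message and quarantine or alert on any non-empty result.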
Recommendation: Educate your employees on the risks of opening emails from unknown senders. As this story shows, employees should also be cautious about opening or extracting suspicious attachments, even when the email appears to have been sent from within the company. Anti-spam and antivirus applications from trusted vendors should also be deployed. Emails from unknown senders should be treated with caution, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive, tested backup solution and a business continuity plan in place for the unfortunate case of a ransomware infection.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.