“Love You” Email Malspam Campaign

An Incident Storm Center (ISC) Handler published an in-depth analysis of a malspam email campaign that he encountered. The emails had subject lines about love letters and had a zip attachment with a name starting with “Love_You_”. The zip file, when uncompressed, contained a JavaScript file that, upon execution, performed several HTTP requests to download additional malicious executables.

These executables were a Monero cryptocurrency miner, Phorpiex spambot malware, and GandCrab ransomware. The Phorpiex spambot malware joined the victim host to a botnet and began emailing copies of the malicious zip file to additional targets. Meanwhile, the victim host was infected with the ransomware and leveraged to mine cryptocurrency.
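As an added example (not from the ISC write-up or this post), the Python below triages an email for the attachment pattern described above: a zip named "Love_You_*" that carries a script inside. The sample message, file names and the list of script extensions are constructed assumptions for illustration.

```python
# Added example: mail-triage check for the "Love_You_*.zip" lure.
# The sample message and the script-extension list are constructed assumptions.
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: script extensions commonly seen in zipped downloaders.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs")


def inspect_zip(data: bytes) -> list[str]:
    """Return the names of script-like members inside a zip payload ([] if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage_message(raw: bytes) -> list[dict]:
    """Flag zip attachments whose name starts with 'Love_You_' and that contain scripts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not (name.startswith("love_you_") and name.endswith(".zip")):
            continue
        scripts = inspect_zip(part.get_payload(decode=True))
        if scripts:  # zip with a script inside: matches the campaign's dropper pattern
            findings.append({"attachment": part.get_filename(), "scripts": scripts,
                             "subject": str(msg["Subject"])})
    return findings


def build_sample() -> bytes:
    """Constructed sample message mimicking the lure; the zipped script is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Love_You_123.js", "// placeholder, inert")
    msg = EmailMessage()
    msg["Subject"] = "I love you"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("My love letter for you")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Love_You_123.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample()))
```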

Indicators of Compromise

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.