Love Letter Email Scam Delivers Cocktail of Malware

A new email campaign is being conducted in the run up to Valentine’s Day which attempts to get users to open email attachments by fooling them into thinking they are love letters. The love letter email scam includes enticing subject lines such as ‘Love Letter’, ‘I Love You’, ‘This is my love letter to you’, ‘Always thinking about you’, and other love and love letter themes.

These types of scams are common in the run up to Valentine’s Day, and as the day draws closer, the likelihood of the scams succeeding grows.

The emails contain a zip file containing a JavaScript file with a variety of names, all of which start with Love_You. Extracting and running the file will result in the download of ransomware and other malware variants.

If the JavaScript file is run, it launches a PowerShell command that downloads and runs a malware variant named krablin.exe. Krablin.exe is also copied to USB thumb drives that are plugged into the computer.

A further four malware variants are subsequently downloaded to the victim’s device: The Phorpiex spambot, a Monero cryptocurrency miner (XMRig), a further malware downloader, and the latest version of GandCrab ransomware: A particularly nasty combination of malware.

The malspam campaign was detected by SANS ISC researcher Brad Duncan who determined the campaign has been running since at least November 2018. Several different subject lines and attachments have been identified and multiple spoofed sending addresses are used in this campaign.

Word documents and Excel spreadsheets containing malicious macros are more commonly used to spread malware, although JavaScript based malspam is nothing new. Most individuals are not familiar with .js files so may choose not to open them, although the theme of this love letter email scam may tempt people into making an exception. JavaScript malware may also be executed by Windows, without the user having to open the file. Simply saving a JavaScript file may be all that is required to trigger the infection process.

To prevent email scams such as this from succeeding, businesses should ensure that their employees receive ongoing security awareness training. Regular email security alerts should be sent to the workforce to keep them abreast of the latest techniques that are being used by scammers to install malware and phish for sensitive information.

It is also essential for an advanced spam filter to be implemented. This will ensure the majority of malicious messages are blocked and not delivered to end users. SpamTitan scans all incoming and outgoing messages and uses a variety of techniques to identify spam and malicious messages. Those controls ensure a block rate in excess of 99.9%, while dual antivirus engines provide total protection against all known malware variants.

SpamTitan is available on a free trial with options to suit all businesses and managed service providers. For further information, to register for the no-obligation free trial, or to book a product demonstration, contact TitanHQ today.