It is almost February and love is in the air, but that doesn’t mean you should open every love letter you receive. A large malspam campaign has been discovered that uses romantic and endearing email subjects to trick recipients into getting infected with ransomware, miners, and more.
Common email subjects seen with this malspam campaign include:
:)
;)
:D
I love you
My letter just for you
Please read and Reply
Wrote this letter for you
Just for you!
This is my love letter to you
My love letter for you
Wrote my thoughts down about you
Wrote the fantasy about us down
Felt in love with you!
Always thinking about you
You are my love!
Once executed, the krablin.exe file will be copied to %UserProfile%[number]winsvcs.exe and attempt to download five other malware samples to the computer and execute them. According to ISC Handler Brad Duncan, this will result in a cocktail of malware that consists of the GandCrab Ransomware version 5.0.4, a Monero XMRig miner, and the Phorpiex spambot.
Malspam continues to be a strong and widely used vector for distributing malware, and users should always be suspicious of emails from strangers, especially ones with strange attachments. internetnewsblog recommends that users always scan attachments using a service like VirusTotal and, if an attachment was not expected, contact the sender to confirm it.
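For mail administrators, the subject list above can drive a simple triage rule. The following is an added example, not code from the article or from the researchers it cites: it decodes each message's subject, matches it against the listed subjects regardless of case and spacing, and escalates when an attachment is present. The verdict names, the quarantine/review policy, and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Subject lines the article lists for this campaign.
CAMPAIGN_SUBJECTS = [
    ":)", ";)", ":D", "I love you", "My letter just for you",
    "Please read and Reply", "Wrote this letter for you", "Just for you!",
    "This is my love letter to you", "My love letter for you",
    "Wrote my thoughts down about you", "Wrote the fantasy about us down",
    "Felt in love with you!", "Always thinking about you", "You are my love!",
]

def _norm(text):
    # Collapse whitespace and case-fold so padded or re-cased subjects still match.
    return re.sub(r"\s+", " ", text).strip().casefold()

_KNOWN = {_norm(s) for s in CAMPAIGN_SUBJECTS}

def triage(raw):
    """Return (verdict, decoded_subject) for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")  # policy.default decodes RFC 2047 words
    if _norm(subject) not in _KNOWN:
        return "pass", subject
    # Assumed policy: a campaign subject plus any attachment is quarantined,
    # a campaign subject alone is only queued for analyst review.
    has_attachment = any(True for _ in msg.iter_attachments())
    return ("quarantine" if has_attachment else "review"), subject

def _mail(subject_header, attach):
    # Constructed sample message; addresses and file name are placeholders.
    body = b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    if attach:
        body += (b"--b1\r\nContent-Type: application/octet-stream\r\n"
                 b'Content-Disposition: attachment; filename="sample.bin"\r\n'
                 b"\r\nAAAA\r\n")
    return (b"From: sender@example.test\r\nSubject: " + subject_header +
            b'\r\nMIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"'
            b"\r\n\r\n" + body + b"--b1--\r\n")

SAMPLES = [
    _mail(b"=?utf-8?Q?This_is_my_love_letter_to_you?=", True),
    _mail(b"ALWAYS  thinking about you", False),
    _mail(b"Quarterly report", True),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw))
```

Several of these subjects, such as "I love you", also occur in legitimate mail, which is why a subject match without an attachment is only sent for review here.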
Update 1/14/19 8:14 PM EST:
Updated the list of subjects with information from Sev, a security researcher in the Emerging Threats team at Proofpoint, who has been tracking the Phorpiex spambot for some time.