Hope You’re Using Protection as Love Letter MalSpam has Nasty Surprises

Broken Heart

It is almost February and love is in the air, but that doesn’t mean you should open every love letter you receive. A large malspam campaign has been discovered that uses romantic and endearing email subjects to trick recipients into getting infected with ransomware, miners, and more.

The “Love Letter” campaign consists of emails that contains romantic and endearing subjects such as “Love You” and “This is my love letter to you”. Attached to these emails are ZIP attachments such as, which contain a JavaScript file with a similar name.

Love Letter Malspam
Love Letter Malspam

Common email subjects seen with this malspam campaign include:

I love you
My letter just for you
Please read and Reply
Wrote this letter for you
Just for you!
This is my love letter to you
My love letter for you
Wrote my thoughts down about you
Wrote the fantasy about us down
Felt in love with you!
Always thinking about you
You are my love!

The JavaScript files are obfuscated, but when executed will run a PowerShell command that downloads a malware named krablin.exe from slpsrgpsrhojifdij[.]ru and executes it.

Executed PowerShell Command
Executed PowerShell Command

Once executed, the krablin.exe file will be copied to %UserProfile%[number]winsvcs.exe and attempt to download five other malware samples to the computer and execute them. According to ISC Handler Brad Duncan, this will result in a cocktail of malware that consists of the GandCrab Ransomware version 5.0.4, a Monero XMRig miner, and the Phorpiex spambot.

GandCrab 5.0.4 Install
GandCrab 5.0.4 Install

Malspam continues to be a strong and widely used vector to distribute malware and users should always be suspicious of emails from strangers, especially ones with strange attachments. internetnewsblog recommends that users always scan attachments using a service like VirusTotal, and if you were not expecting an attachment, to contact the sender to confirm.

Update 1/14/19 8:14 PM EST:

Updated list of subjects from information Sev, a Security Researcher in the Emerging Threats team at ProofPoint, who has been tracking the Phorpiex spambot for some time.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Most Popular

To Top