“Love you” malspam gets a makeover for massive Japan‑targeted campaign non vbv fullz, mmn meaning credit card

ESET researchers have detected a substantial new wave of the “Love you” malspam campaign, updated to target Japan and spread GandCrab 5.1
While finishing our analysis on a recent surge in malicious spam targeting Russia , we noticed another, unrelated, JavaScript-fueled campaign reaching new heights in our telemetry. Apparently, the “Love You” malspam campaign from mid-January 2019 has been modified, focusing on Japan.
Based on our telemetry data, this latest “Love you” campaign was launched on January 28, 2019, almost doubling in size compared to the initial waves, as seen in Figure 1. Much like in mid-January, the spam emails distribute a cocktail of malicious payloads, with some updates: we have seen attempts to download a cryptominer, a system settings changer, a malicious downloader, the Phorpiex worm, and the infamous ransomware GandCrab version 5.1.
As of January 29, 2019, the vast majority of the detections are in Japan (95%), with tens of thousands of malicious emails detected every hour. On the same day, JS/Danger.ScriptAttachment – the ESET name for malicious JavaScript distributed via email attachments – was the fourth-most-detected threat worldwide and the number one threat in Japan, as seen in Figure 2.
In this latest campaign, the attackers have altered the messaging of the malicious emails, switching from the romantic theme of the initial mid-January “Love You” campaign to Japan-relevant topics. What has remained the same is the heavy use of smileys in both email subjects and body texts.
The emails we have seen during our analysis have the following subject lines:
(Note: These are all popular Japanese entertainers)
The malicious attachments in the analyzed emails are ZIP files masquerading as image files, with names in the format “PIC0-[9-digit-number]2019-jpg.zip”. Figure 3 shows examples of such malicious emails.
The ZIP archives contain a JavaScript file with the same name format, only ending in “.js”. Once extracted and launched, the JavaScript file downloads the first-stage payload from the attackers’ C&C server, an EXE file detected by ESET products as Win32/TrojanDownloader.Agent.EJN. The URLs hosting this payload have had paths ending with “bl*wj*b.exe” (note: filename redacted) and “krabler.exe” and these payloads were downloaded to “C:\Users\[username]\AppData\Local\Temp[random].exe”.
This first-stage payload downloads one or more of the following final payloads from the same C&C server:
The 5.1 version of the GandCrab ransomware encrypts files and appends a random 5-character extension to their names. Ransom notes containing that extension in both their filenames and their contents are created in every affected folder.
The payloads in this updated campaign are downloaded from the IP address 92.63.197[.]153, which appears to be located in Ukraine, and has been used in the “Love you” campaign from its start in mid-January.
To avoid falling victim to malicious spam, always verify the authenticity of emails before opening any attachments or clicking on links. If necessary, check with the organization seemingly sending the email using contact details provided on their official website.
For Gmail users, it may be useful to know that Gmail has been blocking JavaScript attachments in both received and sent emails for almost two years now .
Users of other email services, including company mail servers, must rely on their awareness, unless they use some security solution capable of detecting and blocking malicious JavaScript files.
Several different modules in ESET security products independently detect and block these malicious JavaScript files and/or the objects they subsequently fetch.
non vbv fullz mmn meaning credit card