Wednesday, May 22, 2024

Hackers Launching Ransomware and CryptoMiner via Love_You MalSpam Campaign

The worst alliance of Ransomware and the CryptoMiner family in a spread spree, early January 2019. Malware Spam or MalSpam is the term used to designate malware that is delivered via email messages.

Malicious spam (MalSpam) using zipped JavaScript (.js) files as email attachments–this is a well-established tactic used by cybercriminals to distribute malware. The infection traffic included GandCrab ransomware, a Monero (XMRig) cryptocurrency miner, and Phorpiex spambot traffic.

The email will be delivered with the initial JavaScript and it extracts an “exe” file. This file will download the dropper and the dropper gets the rest of the payloads from Command and Control.

In the last 2 days, there were many samples found and many are uploading new samples in public sandboxes. In “” a public sandbox, there are nearly 1200samples are uploaded and the spread seems to be high.

This GandCrab ransomware with CryptoMining seems to be critical and new variants of 2019. Get the IOC’s from your Cyber Intel and public sandboxes. The purpose of GandCrab, as with other ransomware, is to encrypt all or many files on an infected system and insist on payment to unlock them. The developer requires payment in cryptocurrency, primarily DASH, because of it complex to track, or Bitcoin.

Evolution of GandCrab Ransomware

                GandCrab v1 Ransomware, were discovered earlier in 2018. In nearly one month, over 50000 endpoints were infected and encrypted. Unusually, this ransomware asked to pay ransom in the cryptocurrency format “DASH”.

                GandCrab v2 Ransomware, were discovered in May 2018. With the new encryption extension of “.CRAB” and used more sophiscated domains as CnC.

                GandCrab v3 and v3.1 Ransomware were discovered in later 2018 with more antivirus evading techniques.

                GandCrab v4 Ransomware, brought many changes in the workflow and the endpoint communication patterns. The new extension “.KRAB” has been used and the creators have used new encryption algorithm. Surprisingly this variant, doesn’t connect a CnC.

                GandCrab v5 & v5.0.4 Ransomware brought many changes in the communication patterns and very advanced in the encryption standards. In later 2018, this created a greater impact and the increase of victims were huge.

What is CryptoMining Malware?

CryptoMining malware, or cryptocurrency mining malware or simply crypto jacking. Nowadays, Cyber criminals have increasingly turned to CryptoMining malware, as it’s a way to harness the processing power of large numbers of computers, smartphones and other electronic devices to help them generate revenue from cryptocurrency mining.

Therefore, they are infecting machines, utilize the device, encrypt using ransomware, destroy the traces and complete their actions. Cyber attackers are finding more ways in creating an alliance of various malware and combining them to achieve their goals.

Process Flow of the MalSpam


Recommendations to encounter this MalSpam

  1.) Block email attachment names like “Love”, “Love_You”, “Luv_You”, “Love_You_”, etc. and try combinations more.

  2.) Ensure the .js file types are blocked in your email gateway if not needed.

3.) Block all URL and IP based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices.

 4.) Ensure your SOC team are monitoring for the traces of ransomware activity.

5.) Ensure your SOC team is monitoring for the abnormal activity of Powershell Executions.

Indicators of Compromise







You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.


Latest articles

OmniVision Technologies Cyber Attack, Hackers Stolen Personal Data in Ransomware Attack

OmniVision Technologies, Inc. (OVT) recently disclosed a significant security breach that compromised its clients'...

Critical Flaw In Confluence Server Let Attackers Execute Arbitrary Code

The widely used team workspace corporate wiki Confluence has been discovered to have a...

Threat Actors Leverage Bitbucket Artifacts to Breach AWS Accounts

In a recent investigation into Amazon Web Services (AWS) security breaches, Mandiant uncovered a...

Hackers Breached Western Sydney University Microsoft 365 & Sharepoint Environments

Western Sydney University has informed approximately 7,500 individuals today of an unauthorized access incident...

Memcyco Report Reveals Only 6% Of Brands Can Protect Their Customers From Digital Impersonation Fraud

Memcyco Inc., provider of digital trust technology designed to protect companies and their customers...

DoppelGänger Attack: Malware Routed Via News Websites And Social Media

A Russian influence campaign, DoppelGänger, leverages fake news websites (typosquatted and independent) to spread...

Critical Memory Corruption In Cloud Logging Infrastructure Enables Code Execution Attack

A new critical vulnerability has been discovered in Fluent Bit's built-in HTTP server, which...

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles