Nemty Ransomware Spreads Through Love Letter Email in Spam Campaign

 Analysis by: Joel Arvin Merete

A spam campaign called the Love Letter has been discovered by security researchers. It is used in the delivery and distribution of the Nemty ransomware while disguising itself to appear like it is a message from a secret lover to a clueless victim. The email sender uses legitimate looking names to fool the unsuspecting receiver of the said spam. Moreover, different email addresses from different domains were also used in this spam. The email subjects commonly found from this spam campaign are My love, Don’t tell anyone, You should read this, Will be our secret, Can’t forget you, Letter for you, Just for you, and My loveletter. It contains a wink emoticon only in its message and a zip file in its attachment.

When opened, the ZIP file contains a malicious and obfuscated JavaScript file named LOVE_YOU.js, which downloads the Nemty ransomware. The JavaScript file is detected by Trend Micro as Trojan.JS.NEMTY.THBBHBO. The email samples related to this spam are already detected since January 1, 2020 by AS Pattern 25142.

As always, we strongly advise to never open email attachments from unknown or unwanted senders.

 SPAM BLOCKING DATE / TIME: January 01, 2020 GMT-8
  • ENGINE:8.1
  • PATTERN:25142