Pierluigi Paganini
March 02, 2020
Researchers from Malwarebytes and X-Force IRIS
Secret lover malspam delivers #Nemty #ransomware
— ThreatDown (@Threat_Down) February 27, 2020
Nemty: 92.63.197[.]190/nnn.exe
4799d051f0e40b15ec67593ea838df901613018d26b612d6d2447431323d4a01
C2: nemty11[.]hk pic.twitter.com/45DVUVF6cj
The attackers employed messages with several subject lines and attachment filenames composed to appear as sent by lovers, they used statements such as “Don’t tell anyone,” “I love you,” “Letter for you,” “Will be our secret,” and “Can’t forget you.”
The body of all the spam messages only contains the ‘;)' text emoticon.
All the spam messages used a ZIP archive as
“Attached to each email is a ZIP archive with a name formatted as with only the #s changing,” reads the advisory published by IBM X-Force IRIS.
“The hash of the file contained within each of these archives remains the same and is associated with a highly obfuscated JavaScript file named LOVE_YOU
The detection rate of the LOVE_YOU Javascript was low when the campaign was spotted, but is rapidly increasing.
The malicious Javascript acts as a dropper for the Nemty ransomware, the final payload is downloaded from a remote server and then it is executed.
In an update provided on February 28, 2020, IBM researchers reported that this campaign appears to have temporarily halted.
In October 2019, researchers from the security firm Tesorion developed a
In February, Nemty ransomware operators announced that they will set up a website to leak the data stolen
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, undersea cables)
[adrotate banner=”5″]
[adrotate banner=”13″]
