Rewterz Threat Advisory – A Malspam campaign circulating the Lokibot Malware

Wednesday, December 5, 2018

A Malspam campaign using authentic business subject as bait has been discovered, which drops and enables execution of Loki malware.






PUBLISH DATE:  05-December-2018






A MalSpam campaign has been discovered circulating Lokibot malware. It is initially sent to different users disguised as emails regarding a purchased quotation and is being continuously used as a tool to infect different users. Have a look at one of the e-mail templates below:








Templates for malicious spam pushing Lokibot vary. The email contains an Excel spreadsheet with a macro designed to infect vulnerable Windows host with Lokibot malware. Potential victims need to click through warnings, which means the attack involves user interaction.


When the macro was enabled by the user, it was found to contain Lokibot malware using HTTPS from a URL at a.doko[.]moe. The HTTPS request to a.doko[.]moe had no User-Agent string.  If you use curl to retrieve the binary, you must use the -H option to exclude the User-Agent line from your HTTPS request.


The infected Windows host makes Lokibot persistent through a Windows registry update. The infected host may also have a VBS file in the Windows menu Startup folder. This points to another copy of the Lokibot malware executable; however, that executable is capable of deleting itself during the infection. The only remaining Lokibot executable will then be found in the directory path listed in the associated Windows registry entry.




In the image above, see the VBS file in the Startup menu folder specifying a location where the malware had deleted itself.






Following are the indicators of compromise retrieved from this Malspam campaign that aid the circulation and execution of the Loki Malware.




  • 191[.]101[.]23[.]150
  • 169[.]255[.]59[.]27




  • sharon@mccourtmfg[.]com




  • sir-iyke[.]com



  • 185[.]83[.]215[.]3 port 443 – a.doko[.]moe – GET /tkencn[.]jpg (encrypted HTTPS traffic)
  • 199[.]192[.]27[.]109 port 80 – decvit[.]ga – POST /and/cat[.]php



SHA256 hash:

  • 58cea3c44da13386b5acfe0e11cf8362a366e7b91bf9fc1aad7061f68223c5a8

(File description:  Attached Excel spreadsheet with macro to retrieve Lokibot)


SHA256 hash: 

  • b8b6ee5387befd762ecce0e146bd0a6465239fa0785869f05fa58bdd25335d3e

(File description:  Lokibot malware binary)






Malspam campaigns usually involve phishing emails. It is strongly recommended that users should not click on any URLs in emails sent from unverified sources. Vigilance is also required while downloading Microsoft Office files received via emails. Users must verify the source or sender of the email before downloading such files.


Also, alerts and pointers that question the authenticity of a file source must not be ignored and macros should not be enabled as they usually contain malware.


Moreover, the above-mentioned Indicators of compromise should be reviewed and blocked after verification by the administration. Vigilance is advised prior to blocking of domains.


If you think you’re the victim of a cyber-attack, immediately send an e-mail to


Data Sheets

Corporate Brochure

Our Story



Managed Security

Upcoming Rewterz Trainings/Events

Rewterz News

  • 2, May 2019 Rewterz Threat Advisory – CVE-2019-2725 – WebLogic Server Vulnerability
  • 11, April 2019 Rewterz threat Advisory – Microsoft Internet Explorer Multiple Vulnerabilities
  • 11, April 2019 Rewterz Threat Advisory – Microsoft SharePoint Multiple Products Multiple Script Insertion Vulnerabilities
  • 11, April 2019 Rewterz Threat Advisory – Microsoft Exchange Server OWA Multiple Spoofing Vulnerabilities

Copyright © Rewterz. All rights reserved.