• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Advisory – SplitSpectre, a new Spectre-like CPU attack
December 5, 2018
Rewterz Threat Advisory – CVE-2018-15982 & CVE-2018-15983 – Microsoft Windows Adobe Flash Player Multiple Vulnerabilities
December 6, 2018

Rewterz Threat Advisory – A Malspam campaign circulating the Lokibot Malware

December 5, 2018

A Malspam campaign using authentic business subject as bait has been discovered, which drops and enables execution of Loki malware.

 

 

IMPACT:  NORMAL

 

 

PUBLISH DATE:  05-December-2018

 

 

OVERVIEW

 

 

A MalSpam campaign has been discovered circulating Lokibot malware. It is initially sent to different users disguised as emails regarding a purchased quotation and is being continuously used as a tool to infect different users. Have a look at one of the e-mail templates below:

 

 

 

 

ANALYSIS

 

 

Templates for malicious spam pushing Lokibot vary. The email contains an Excel spreadsheet with a macro designed to infect vulnerable Windows host with Lokibot malware. Potential victims need to click through warnings, which means the attack involves user interaction.

 

When the macro was enabled by the user, it was found to contain Lokibot malware using HTTPS from a URL at a.doko[.]moe. The HTTPS request to a.doko[.]moe had no User-Agent string.  If you use curl to retrieve the binary, you must use the -H option to exclude the User-Agent line from your HTTPS request.

 

The infected Windows host makes Lokibot persistent through a Windows registry update. The infected host may also have a VBS file in the Windows menu Startup folder. This points to another copy of the Lokibot malware executable; however, that executable is capable of deleting itself during the infection. The only remaining Lokibot executable will then be found in the directory path listed in the associated Windows registry entry.

 

 

 

In the image above, see the VBS file in the Startup menu folder specifying a location where the malware had deleted itself.

 

 

INDICATORS OF COMPROMISE

 

 

Following are the indicators of compromise retrieved from this Malspam campaign that aid the circulation and execution of the Loki Malware.

 

IPs

 

  • 191[.]101[.]23[.]150
  • 169[.]255[.]59[.]27

 

EMAIL

 

  • sharon@mccourtmfg[.]com

 

DOMAIN

 

  • sir-iyke[.]com

 

TRAFFIC FROM AN INFECTED WINDOWS HOST

  • 185[.]83[.]215[.]3 port 443 – a.doko[.]moe – GET /tkencn[.]jpg (encrypted HTTPS traffic)
  • 199[.]192[.]27[.]109 port 80 – decvit[.]ga – POST /and/cat[.]php

 

MALWARE FROM AN INFECTED WINDOWS HOST

SHA256 hash:

  • 58cea3c44da13386b5acfe0e11cf8362a366e7b91bf9fc1aad7061f68223c5a8

(File description:  Attached Excel spreadsheet with macro to retrieve Lokibot)

 

SHA256 hash: 

  • b8b6ee5387befd762ecce0e146bd0a6465239fa0785869f05fa58bdd25335d3e

(File description:  Lokibot malware binary)

 

 

MITIGATIONS

 

 

Malspam campaigns usually involve phishing emails. It is strongly recommended that users should not click on any URLs in emails sent from unverified sources. Vigilance is also required while downloading Microsoft Office files received via emails. Users must verify the source or sender of the email before downloading such files.

 

Also, alerts and pointers that question the authenticity of a file source must not be ignored and macros should not be enabled as they usually contain malware.

 

Moreover, the above-mentioned Indicators of compromise should be reviewed and blocked after verification by the administration. Vigilance is advised prior to blocking of domains.

 

If you think you’re the victim of a cyber-attack, immediately send an e-mail to soc@rewterz.com.

 

  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.