A Malspam campaign using authentic business subject as bait has been discovered, which drops and enables execution of Loki malware.
PUBLISH DATE: 05-December-2018
A MalSpam campaign has been discovered circulating Lokibot malware. It is initially sent to different users disguised as emails regarding a purchased quotation and is being continuously used as a tool to infect different users. Have a look at one of the e-mail templates below:
Templates for malicious spam pushing Lokibot vary. The email contains an Excel spreadsheet with a macro designed to infect vulnerable Windows host with Lokibot malware. Potential victims need to click through warnings, which means the attack involves user interaction.
When the macro was enabled by the user, it was found to contain Lokibot malware using HTTPS from a URL at a.doko[.]moe. The HTTPS request to a.doko[.]moe had no User-Agent string. If you use curl to retrieve the binary, you must use the -H option to exclude the User-Agent line from your HTTPS request.
The infected Windows host makes Lokibot persistent through a Windows registry update. The infected host may also have a VBS file in the Windows menu Startup folder. This points to another copy of the Lokibot malware executable; however, that executable is capable of deleting itself during the infection. The only remaining Lokibot executable will then be found in the directory path listed in the associated Windows registry entry.
In the image above, see the VBS file in the Startup menu folder specifying a location where the malware had deleted itself.
INDICATORS OF COMPROMISE
Following are the indicators of compromise retrieved from this Malspam campaign that aid the circulation and execution of the Loki Malware.
TRAFFIC FROM AN INFECTED WINDOWS HOST
MALWARE FROM AN INFECTED WINDOWS HOST
(File description: Attached Excel spreadsheet with macro to retrieve Lokibot)
(File description: Lokibot malware binary)
Malspam campaigns usually involve phishing emails. It is strongly recommended that users should not click on any URLs in emails sent from unverified sources. Vigilance is also required while downloading Microsoft Office files received via emails. Users must verify the source or sender of the email before downloading such files.
Also, alerts and pointers that question the authenticity of a file source must not be ignored and macros should not be enabled as they usually contain malware.
Moreover, the above-mentioned Indicators of compromise should be reviewed and blocked after verification by the administration. Vigilance is advised prior to blocking of domains.
If you think you’re the victim of a cyber-attack, immediately send an e-mail to firstname.lastname@example.org.