Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
A Malspam campaign using authentic business subject as bait has been discovered, which drops and enables execution of Loki malware.
IMPACT: NORMAL
PUBLISH DATE: 05-December-2018
OVERVIEW
A MalSpam campaign has been discovered circulating Lokibot malware. It is initially sent to different users disguised as emails regarding a purchased quotation and is being continuously used as a tool to infect different users. Have a look at one of the e-mail templates below:
ANALYSIS
Templates for malicious spam pushing Lokibot vary. The email contains an Excel spreadsheet with a macro designed to infect vulnerable Windows host with Lokibot malware. Potential victims need to click through warnings, which means the attack involves user interaction.
When the macro was enabled by the user, it was found to contain Lokibot malware using HTTPS from a URL at a.doko[.]moe. The HTTPS request to a.doko[.]moe had no User-Agent string. If you use curl to retrieve the binary, you must use the -H option to exclude the User-Agent line from your HTTPS request.
The infected Windows host makes Lokibot persistent through a Windows registry update. The infected host may also have a VBS file in the Windows menu Startup folder. This points to another copy of the Lokibot malware executable; however, that executable is capable of deleting itself during the infection. The only remaining Lokibot executable will then be found in the directory path listed in the associated Windows registry entry.
In the image above, see the VBS file in the Startup menu folder specifying a location where the malware had deleted itself.
INDICATORS OF COMPROMISE
Following are the indicators of compromise retrieved from this Malspam campaign that aid the circulation and execution of the Loki Malware.
IPs
DOMAIN
TRAFFIC FROM AN INFECTED WINDOWS HOST
MALWARE FROM AN INFECTED WINDOWS HOST
SHA256 hash:
(File description: Attached Excel spreadsheet with macro to retrieve Lokibot)
SHA256 hash:
(File description: Lokibot malware binary)
MITIGATIONS
Malspam campaigns usually involve phishing emails. It is strongly recommended that users should not click on any URLs in emails sent from unverified sources. Vigilance is also required while downloading Microsoft Office files received via emails. Users must verify the source or sender of the email before downloading such files.
Also, alerts and pointers that question the authenticity of a file source must not be ignored and macros should not be enabled as they usually contain malware.
Moreover, the above-mentioned Indicators of compromise should be reviewed and blocked after verification by the administration. Vigilance is advised prior to blocking of domains.
If you think you’re the victim of a cyber-attack, immediately send an e-mail to soc@rewterz.com.