Rewterz Threat Advisory – A Malspam campaign circulating the Lokibot Malware

A Malspam campaign using authentic business subject as bait has been discovered, which drops and enables execution of Loki malware.

IMPACT:  NORMAL

PUBLISH DATE:  05-December-2018

OVERVIEW

A MalSpam campaign has been discovered circulating Lokibot malware. It is initially sent to different users disguised as emails regarding a purchased quotation and is being continuously used as a tool to infect different users. Have a look at one of the e-mail templates below:

ANALYSIS

Templates for malicious spam pushing Lokibot vary. The email contains an Excel spreadsheet with a macro designed to infect vulnerable Windows host with Lokibot malware. Potential victims need to click through warnings, which means the attack involves user interaction.

When the macro was enabled by the user, it was found to contain Lokibot malware using HTTPS from a URL at a.doko[.]moe. The HTTPS request to a.doko[.]moe had no User-Agent string.  If you use curl to retrieve the binary, you must use the -H option to exclude the User-Agent line from your HTTPS request.

The infected Windows host makes Lokibot persistent through a Windows registry update. The infected host may also have a VBS file in the Windows menu Startup folder. This points to another copy of the Lokibot malware executable; however, that executable is capable of deleting itself during the infection. The only remaining Lokibot executable will then be found in the directory path listed in the associated Windows registry entry.

In the image above, see the VBS file in the Startup menu folder specifying a location where the malware had deleted itself.

INDICATORS OF COMPROMISE

Following are the indicators of compromise retrieved from this Malspam campaign that aid the circulation and execution of the Loki Malware.

IPs

• 191[.]101[.]23[.]150
• 169[.]255[.]59[.]27

EMAIL

• sharon@mccourtmfg[.]com

DOMAIN

• sir-iyke[.]com

TRAFFIC FROM AN INFECTED WINDOWS HOST

• 185[.]83[.]215[.]3 port 443 – a.doko[.]moe – GET /tkencn[.]jpg (encrypted HTTPS traffic)
• 199[.]192[.]27[.]109 port 80 – decvit[.]ga – POST /and/cat[.]php

MALWARE FROM AN INFECTED WINDOWS HOST

SHA256 hash:

• 58cea3c44da13386b5acfe0e11cf8362a366e7b91bf9fc1aad7061f68223c5a8

(File description:  Attached Excel spreadsheet with macro to retrieve Lokibot)

SHA256 hash: 

• b8b6ee5387befd762ecce0e146bd0a6465239fa0785869f05fa58bdd25335d3e

(File description:  Lokibot malware binary)

MITIGATIONS

Malspam campaigns usually involve phishing emails. It is strongly recommended that users should not click on any URLs in emails sent from unverified sources. Vigilance is also required while downloading Microsoft Office files received via emails. Users must verify the source or sender of the email before downloading such files.

Also, alerts and pointers that question the authenticity of a file source must not be ignored and macros should not be enabled as they usually contain malware.

Moreover, the above-mentioned Indicators of compromise should be reviewed and blocked after verification by the administration. Vigilance is advised prior to blocking of domains.

If you think you’re the victim of a cyber-attack, immediately send an e-mail to soc@rewterz.com.