A recently discovered email campaign distributing the Lokibot malware via an .XLS attachment. A potential victim receives an email with a subject of “BBVA-Confirming transferencia de pago translated as BBVA-Confirming payment transfer”. The sender was observed as “BBVA Banco Continental pago1[@]expomaquinaria[.]es”. Within the body of the email, the adversary attempts to entice a user to open the attachment “Detalles de la transferencia de pago.xls ” to review the transfer. The infection process begins once the .XLS attachment is opened, ultimately leading to the Lokibot malware being installed on the victim’s system. It reportedly abuses the NGROK service to establish a secure tunnel, and download the malware from the cloud. This technique makes detecting the malware extremely difficult.
Indicators of Compromise
IP(s) / Hostname(s)
BBVA-Confirming transferencia de pago
Malware Hash (MD5/SHA1/SH256)