• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – New Mirai Variant Uses Multiple Exploits to Target Routers and Other Devices
May 29, 2019
Rewterz Threat Alert – MySQL Servers Subjected to GandCrab Attack
May 31, 2019

Rewterz Threat Alert – Email Campaign Distributing the Lokibot

May 30, 2019

Severity

Medium

Analysis Summary

A recently discovered email campaign distributing the Lokibot malware via an .XLS attachment. A potential victim receives an email with a subject of “BBVA-Confirming transferencia de pago translated as BBVA-Confirming payment transfer”. The sender was observed as “BBVA Banco Continental pago1[@]expomaquinaria[.]es”. Within the body of the email, the adversary attempts to entice a user to open the attachment “Detalles de la transferencia de pago.xls ” to review the transfer. The infection process begins once the .XLS attachment is opened, ultimately leading to the Lokibot malware being installed on the victim’s system. It reportedly abuses the NGROK service to establish a secure tunnel, and download the malware from the cloud. This technique makes detecting the malware extremely difficult.

Fake BBVA email

Indicators of Compromise

IP(s) / Hostname(s)

  • 3[.]19[.]114[.]185
  • 185[.]55[.]225[.]242

URLs

  • http[:]//vbtz[.]cf/BOSCO/five/fre[.]php
  • http[:]//khialimiab[.]ir/wp-includes/lolo/fre[.]php
  • http[:]//treatascholars[.]com/wp-includes/danc/fre[.]php
  • http[:]//8d2aef60[.]ngrok[.]io/boom/Banco%20Sabadell%20Prueba%20De%20Pago[.]exe
  • http[:]//8d2aef60[.]ngrok[.]io/Both/lotta[.]exe
  • http[:]//8d2aef60[.]ngrok[.]io/Both/taco[.]exe
  • http[:]//8d2aef60[.]ngrok[.]io/mine/gutty[.]exe
  • http[:]//8d2aef60[.]ngrok[.]io/Both/lotta[.]exe
  • http[:]//khialimiab[.]ir/wp-includes/lolo/fre[.]php
  • 8d2aef60[.]ngrok[.]io
  • khialimiab[.]ir

Email Address

pago1@expomaquinaria.es

Email Subject

BBVA-Confirming transferencia de pago

Malware Hash (MD5/SHA1/SH256)

  • 28f4be749eb30837ae4528af7350e9528d728e52a63f178ed9cff9f367383a6d
  • 38e5b46c9fc0676d210eb6f5bac809ebc90ac8d421213dbc1dd67d61358edb73
  • ef9e761e57bb2cec574b3d4e8804eeb878f55f42
  • ca02a3030dd507a0e29527f84448aed6

Remediation

  • Block all threat indicators at your respective controls
  • Always be suspicious about emails sent by unknown senders
  • Never click on link/attachments sent by unknown senders

  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.