Rewterz Threat Alert – Email Campaign Distributing the Lokibot

May 30, 2019

Severity

Medium

Analysis Summary

A recently discovered email campaign distributing the Lokibot malware via an .XLS attachment. A potential victim receives an email with a subject of “BBVA-Confirming transferencia de pago translated as BBVA-Confirming payment transfer”. The sender was observed as “BBVA Banco Continental pago1[@]expomaquinaria[.]es”. Within the body of the email, the adversary attempts to entice a user to open the attachment “Detalles de la transferencia de pago.xls ” to review the transfer. The infection process begins once the .XLS attachment is opened, ultimately leading to the Lokibot malware being installed on the victim’s system. It reportedly abuses the NGROK service to establish a secure tunnel, and download the malware from the cloud. This technique makes detecting the malware extremely difficult.

Indicators of Compromise

IP(s) / Hostname(s)

3[.]19[.]114[.]185
185[.]55[.]225[.]242

URLs

http[:]//vbtz[.]cf/BOSCO/five/fre[.]php
http[:]//khialimiab[.]ir/wp-includes/lolo/fre[.]php
http[:]//treatascholars[.]com/wp-includes/danc/fre[.]php
http[:]//8d2aef60[.]ngrok[.]io/boom/Banco%20Sabadell%20Prueba%20De%20Pago[.]exe
http[:]//8d2aef60[.]ngrok[.]io/Both/lotta[.]exe
http[:]//8d2aef60[.]ngrok[.]io/Both/taco[.]exe
http[:]//8d2aef60[.]ngrok[.]io/mine/gutty[.]exe
http[:]//8d2aef60[.]ngrok[.]io/Both/lotta[.]exe
http[:]//khialimiab[.]ir/wp-includes/lolo/fre[.]php
8d2aef60[.]ngrok[.]io
khialimiab[.]ir

Email Address

pago1@expomaquinaria.es

Email Subject

BBVA-Confirming transferencia de pago

Malware Hash (MD5/SHA1/SH256)

28f4be749eb30837ae4528af7350e9528d728e52a63f178ed9cff9f367383a6d
38e5b46c9fc0676d210eb6f5bac809ebc90ac8d421213dbc1dd67d61358edb73
ef9e761e57bb2cec574b3d4e8804eeb878f55f42
ca02a3030dd507a0e29527f84448aed6

Remediation

Block all threat indicators at your respective controls
Always be suspicious about emails sent by unknown senders
Never click on link/attachments sent by unknown senders