#1275892: LokiBot Info-Stealer Used in Spear Phishing Attack on US Company
Security researchers discovered a malspam campaign distributing LokiBot information stealer payloads using phishing messages targeting the employees of a large U.S. manufacturing company.
The malware distributed by the spear-phishing attack detected on August 21 was compiled on the same date, as researchers with the FortiGuard SE Team found.
Based on the contents of the spam emails, the researchers observed that the attackers are not native English speakers. The attachments were designed to look like urgent requests for quotation and were referred to by the senders as "attache."
"The spam email then encourages the user to open the attachment as the senders' colleague is currently out of office, and at the same time offers the potential victim some assurance that he/she can provide further clarification of the contents within the document if needed," the researchers also found.
LokiBot payload delivery
However, once the target unzips the attached archive, they are infected with the LokiBot information stealer, a strain known to have been advertised and sold on various underground sites.
Once it has compromised a victim's computer, LokiBot harvests as much sensitive information as possible and delivers it to its operators' command and control (C2) servers in an HTTP POST request.
"LokiBot steals a variety of credentials – primarily FTP credentials, stored email passwords, passwords stored in the browser, as well as a whole host of other credentials," added the researchers.
While the sample delivered by the August 21 malspam campaign is disguised as a Dora The Explorer game executable, LokiBot is known to have been previously delivered as Microsoft Office documents riddled with malicious macros or via RTF docs created to exploit flaws such as the CVE-2017-11882 remote code execution vulnerability.
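The delivery chain described above (a zipped attachment whose real content is an executable dressed up as a quotation or a game) is what a mail gateway should catch before a user ever unzips anything. The following is an added example, not code from FortiGuard or the article: it triages a ZIP attachment in memory and flags members by their leading bytes rather than their file name, so a PE file named like a document or a game still stands out. The sample archive is constructed inline and the "PE" member is a fake header stub, not malware; the exploit-document check is a review flag only, since the page gives no signature for the RTF or macro lures.

```python
"""Triage a zipped e-mail attachment by content, not by file name.

Added example (not the article's or FortiGuard's code). Flags:
  - members whose bytes start with a DOS/PE "MZ" header, whatever the extension
  - executable extensions and double extensions (quotation.pdf.exe)
  - RTF / legacy Office containers, which the article notes have carried LokiBot
"""
import io
import zipfile
from typing import Dict, List

PE_MAGIC = b"MZ"                                    # DOS header of every Windows executable
RTF_MAGIC = b"{\\rtf"                               # RTF document
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy Office / OLE2 container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML document or nested archive

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll"}


def sniff(head: bytes) -> str:
    """Classify content from its first bytes; the name is attacker-controlled."""
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if head.startswith(OLE_MAGIC):
        return "ole"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def triage_zip(blob: bytes) -> List[Dict]:
    """Return one finding per archive member with the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            ext = lower[lower.rfind("."):] if "." in lower else ""
            with zf.open(info) as member:
                kind = sniff(member.read(16))   # only the header is needed to classify

            reasons = []
            if kind == "pe":
                reasons.append("PE executable content")
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
                if lower.count(".") >= 2:
                    reasons.append("double extension")
            if kind == "pe" and ext not in EXECUTABLE_EXTS:
                reasons.append("executable disguised with non-executable extension")
            if kind in ("rtf", "ole"):
                reasons.append(f"{kind} document: review for embedded objects or macros")

            findings.append({"name": name, "kind": kind,
                             "flagged": bool(reasons), "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed lure archive: two fake PE stubs and one harmless note."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64   # header stub only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Request_for_Quotation.pdf.exe", fake_pe)   # double extension
        zf.writestr("quotation.doc", fake_pe)                   # PE hiding behind .doc
        zf.writestr("readme.txt", b"Please see the attached quotation.")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample()):
        status = "BLOCK" if f["flagged"] else "pass "
        print(f"{status} {f['name']:32} {f['kind']:5} {'; '.join(f['reasons'])}")
```

A gateway would quarantine the message when any member is flagged; the "disguised" reason is the one that matters most for this campaign, because a user who sees a document icon will open it where they might hesitate at an .exe.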
The German bakery connection
The IP address used to deliver the phishing emails connects this malicious campaign with two other similar attacks the FortiGuard SE Team observed in the past, with one of them targeting a German bakery with spam emails in Chinese on June 17.
Based on the language and attack template differences noticed when analyzing the three campaigns using this IP, the researchers believe the address is used as a spam relay "that may either be used indiscriminately or in targeted attacks with LokiBot or some other unidentified malware."
Also, given the low volume of spam messages delivered using this newly identified relay, the server using this address "may be under the control of one group, and possibly only being used for very targeted attacks," added the FortiGuard SE Team.
Previously, LokiBot's authors were seen adding steganography to a variant analyzed by Trend Micro last week, a feature that adds a new layer of obfuscation, helps the malware evade detection, and helps it gain persistence on infected machines.
In April, multiple malicious campaigns were observed hiding LokiBot and Nanocore malware inside ISO images small enough to be delivered as email attachments.
More details, indicators of compromise (IOCs) including malware sample hashes and domains used in the attacks, as well as an ATT&CK TTP summary are available at the end of FortiGuard SE Team's analysis of the LokiBot spear-phishing campaign.
Date added: Sept. 11, 2019, 12:24 p.m.