New Coronavirus-themed campaign spread Lokibot worldwide

Pierluigi Paganini April 04, 2020

Researchers spotted a new Coronavirus-themed attack: the messages pretend to come from the World Health Organization and deliver the LokiBot infostealer.

Security experts at FortiGuard Labs discovered a new Coronavirus-themed campaign using alleged messages from the World Health Organization (WHO) to deliver the LokiBot trojan.

The campaign was uncovered on March 27, when the researchers noticed messages claiming to be WHO communications addressing misinformation about the COVID-19 outbreak.

The messages carry an attachment entitled “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj” that distributes the LokiBot infostealer.

“FortiGuard Labs recently discovered a new COVID-19/Coronavirus-themed spearphishing email sent from [159.69.16[.]177] that uses the World Health Organization (WHO) trademark in an attempt to convince recipients of its authenticity.” reads the analysis published by FortiGuard Labs. “The email contains the subject line “Coronavirus disease (COVID-19) Important Communication[.]”. It also includes an attachment entitled “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj” that appears to contain additional information, but which in fact is a decoy.”

The body of the message contains information about the pandemic along with suggestions and recommendations.

The email is written in English, but the experts believe the attackers behind this campaign are not native English speakers because of obvious grammatical, punctuation and spelling errors.

The message claims to come from a fictitious “WHO Center for Disease Control”: the threat actors evidently conflated the WHO with the U.S. Centers for Disease Control and Prevention (CDC), even though the two organizations are separate.

The attachment “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj” is a compressed file in the ARJ format, an old archive format that was likely chosen to evade detection, since it is rarely used legitimately and not every email gateway unpacks or inspects it.

Once the attachment is decompressed, the user sees a file carrying a “DOC.pdf.exe” double extension rather than the “Doc.zip.arj” name. On a Windows system that hides known file extensions (the default), the file appears as “DOC.pdf”, in an attempt to trick the victim into opening it.

Once the file is executed, the LokiBot infection starts: the malware steals sensitive information (a variety of credentials, including FTP credentials, stored email passwords and passwords saved in browsers, as well as a whole host of other credentials) and exfiltrates it to the URL hxxp://bslines[.]xyz/copy/five/fre.php.
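The two tricks described above (an ARJ container with a stacked “.zip.arj” extension, and an executable hidden behind a “.pdf.exe” double extension) are cheap to detect at the mail gateway, and the sender IP and exfiltration URL reported by FortiGuard are easy to match in proxy logs. The following is an added example, not FortiGuard’s or Security Affairs’ code: it inspects an attachment by its magic bytes rather than its name, flags the double-extension patterns, and then matches the article’s indicators against proxy log lines. The file contents and log lines are constructed for the example; only the attachment name, the IP and the URL come from the article.

```python
"""Attachment triage and IOC matching for the LokiBot campaign described above.

Added example, not code from FortiGuard or Security Affairs. Attachment
name, sender IP and exfiltration URL are taken from the article; the byte
samples and proxy log lines below are constructed for the demonstration.
"""
import re
from typing import List, Tuple

# Leading bytes of formats an attacker may hide behind a misleading name.
MAGIC = {
    b"\x60\xea": "arj",            # ARJ archive marker bytes 0x60 0xEA
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"MZ": "pe",                   # Windows executable
}
ARCHIVE_EXTS = {".zip", ".arj", ".rar", ".7z"}
# Office Open XML and a few other formats are legitimately ZIP containers.
ZIP_BASED_EXTS = {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def detect_format(data: bytes) -> str:
    """Identify a file by its leading bytes rather than by its name."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return reasons to quarantine the attachment; an empty list means none found."""
    findings = []
    exts = ["." + p for p in filename.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    fmt = detect_format(data)

    # Content type vs. extension: the lure is an ARJ archive, a format many
    # mail gateways do not unpack, so its content is never scanned.
    if fmt == "arj":
        findings.append("ARJ container, rarely legitimate and often not inspected")
    if fmt == "zip" and last not in ZIP_BASED_EXTS:
        findings.append(f"archive magic is zip but extension is {last or '(none)'}")
    if fmt in ("arj", "rar", "7z") and last != "." + fmt:
        findings.append(f"archive magic is {fmt} but extension is {last or '(none)'}")
    if fmt == "pe" and last not in EXECUTABLE_EXTS:
        findings.append(f"PE header but extension is {last or '(none)'}")

    # Double extensions: "DOC.pdf.exe" displays as a PDF when Windows hides
    # known extensions; ".zip.arj" makes an ARJ file pass for a ZIP.
    if len(exts) >= 2 and last in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS:
        findings.append(f"double extension {exts[-2]}{last} disguises an executable")
    if len(exts) >= 2 and last in ARCHIVE_EXTS and exts[-2] in ARCHIVE_EXTS:
        findings.append(f"stacked archive extensions {exts[-2]}{last}")
    return findings


# Indicators from the article, kept defanged exactly as published.
DEFANGED_IOCS = ["159.69.16[.]177", "hxxp://bslines[.]xyz/copy/five/fre.php"]

# Constructed proxy log lines (timestamp, client, method, URL, status).
SAMPLE_PROXY_LOG = [
    "2020-03-27T09:41:12Z 10.0.0.15 GET http://www.who.int/emergencies/ 200",
    "2020-03-27T09:52:03Z 10.0.0.15 POST http://bslines.xyz/copy/five/fre.php 200",
    "2020-03-27T09:52:41Z 10.0.0.22 GET http://159.69.16.177/ 404",
    "2020-03-27T10:01:00Z 10.0.0.15 GET http://notbslines.xyz/index.html 200",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def ioc_hosts(iocs: List[str]) -> set:
    """Reduce URLs and bare IPs to the host a proxy log would record."""
    hosts = set()
    for ioc in iocs:
        clean = refang(ioc)
        m = re.match(r"https?://([^/\s:]+)", clean)
        hosts.add(m.group(1) if m else clean)
    return hosts


def match_proxy_log(lines: List[str], iocs: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, matched host) for each line that contacts an IOC host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in ioc_hosts(iocs):
            # Whole-token match: "notbslines.xyz" must not match "bslines.xyz",
            # while a subdomain of the IOC host still does.
            if re.search(r"(?<![\w-])" + re.escape(host) + r"(?![\w-])", line):
                hits.append((n, host))
                break
    return hits


if __name__ == "__main__":
    lure = "COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj"
    print(lure, triage_attachment(lure, b"\x60\xea" + b"\x00" * 16))
    print("DOC.pdf.exe", triage_attachment("DOC.pdf.exe", b"MZ\x90\x00"))
    print(match_proxy_log(SAMPLE_PROXY_LOG, DEFANGED_IOCS))
```

The magic-byte check matters more than the name check: a renamed ARJ or PE file keeps its header, and the ZIP exemption list prevents every Office document from being flagged as a mismatched archive.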

The LokiBot malware has been active since 2015. It is an infostealer that has been involved in many malspam campaigns aimed at harvesting credentials from web browsers, email clients and admin tools, and it has also been used to target cryptocurrency-wallet owners.

The original LokiBot malware was developed and sold online by a hacker who goes by the alias “lokistov” (aka Carter).

The malicious code was initially advertised on several hacking forums for up to $300; later, other threat actors started offering it for less than $80 in the cybercrime underground.

Experts at FortiGuard revealed that the campaign hit users worldwide, most of them in Turkey (29%), Portugal (19%), Germany (12%), Austria (10%), and the United States (10%).

Infections associated with this campaign were also reported in Belgium, Puerto Rico, Italy, Canada, and Spain.

Unfortunately, this campaign is only one of numerous Coronavirus-themed attacks that attempt to exploit the COVID-19 outbreak.


(SecurityAffairs – Lokibot malware, Coronavirus)
