Pierluigi Paganini September 12, 2019

Security researchers at Fortinet uncovered a malspam campaign aimed distributing the LokiBot malware at a US manufacturing company.

FortiGuard SE Team experts uncovered a malspam campaign aimed distributing the LokiBot malware at a US manufacturing company.

The Lokibot malware has been active since 2015, it is an infostealer that was involved in many malspam campaigns aimed at harvest credentials from web browsers, email clients, admin tools and that was also used to target cryptocoin-wallet owners.

The original LokiBot malware was developed and sold by online by a hacker who goes online by the alias “lokistov,” (aka Carter).

The malicious code was initially advertised on many hacking forums for up to $300, later other threat actors started offering it for less than $80 in the cybercrime underground.

Now researchers spotted phishing messages targeting the employees of a large U.S. manufacturing company.

The Lokibot variant involved in the attack has been detected on August 21, and according to the researchers, it was compiled the same date.

“The FortiGuard Labs SE team identified a new malicious spam campaign on August 21^st,, which we discovered after an analysis of information initially found on VirusTotal.” read the analysis of the experts. “It targeted a large US manufacturing company utilizing the well documented infostealer LokiBot. Interestingly enough, this also has a compilation date of August 21^st, which is the same day we discovered the malspam campaign.”

The phishing messages targeted the sales email address of the recipients, they emails were possibly sent from a compromised trusted sender having the IP address of 23[.]83[.]133[.]8. 

The messages are not written by native English speakers, they include attachments with names that attempt to trick victims into opening them with urgency (“Please see ‘attache’”, which appears to be an “RFQ” or a “request for quotation.”)

The content of the spam messages encourages the victim to open the attachment as the senders’ colleague is currently out of office.

Once the victims have opened the compressed archive in the attachment, they will get infected with the LokiBot information stealer.

“LokiBot steals a variety of credentials – primarily FTP credentials, stored email passwords, passwords stored in the browser, as well as a whole host of other credentials,” continues the researchers. “we will only highlight the unique characteristics observed in this specific sample. “

The sample involved in the spear-phishing campaign is disguised as a Dora The Explorer game executable.

The IP address used to deliver the phishing emails was observed by the experts in other similar attacks in the past, one of them targeting a German bakery with spam emails in Chinese on June 17.

“This particular IP address appears to have been used twice before in malicious spam attacks that occurred several months earlier, in June, attacking a large German Bakery in a malicious spam attack trying to lure a victim into downloading an electronic invoice.” states the researchers.

“Although the German Bakery attack email was in Chinese, as was the attachment – which was an RTF file which referenced a potentially compromised URL (deepaklab[.]com), that likely contained the malicious payload – the URL has been cleaned up and no longer serves up any content that we can analyze. It can be assumed that this may be another delivery mechanism for LokiBot, as it has been documented in the past utilizing RTF distribution vectors.“

Experts pointed out that given the low volume of spam messages delivered using this newly identified relay, the server associated with this IP address is used by one group that leverages on it in very targeted attacks.

Unlike previous Lokibot variants, this particular sample did not use any steganography. 

More More details, including indicators of compromise (IOCs) are reported in the analysis published by Fortinet.

Pierluigi Paganini

(SecurityAffairs – Lokibot, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]