Malspam pushing Lokibot malware

Published: 2018-12-04
Last Updated: 2018-12-04 02:36:48 UTC
by Brad Duncan (Version: 1)
0 comment(s)

Introduction

I've frequently seen malicious spam pushing Lokibot (also spelled "Loki-Bot") since 2017.  This year, I've written diaries about it in February 2018 and June 2018.  I most recently posted an example to my blog on 2018-11-26.  This type of malicious spam shows no signs of stopping, so here's a quick diary covering an example from Monday 2018-12-03.

The email

Templates for malicious spam pushing Lokibot vary, and the example from Monday 2018-12-03 was disguised as a purchase quotation.  The email contained an Excel spreadsheet with a macro designed to infect vulnerable Windows hosts with Lokibot malware.  Potential victims need to click through warnings, so this is not an especially stealthy method of infection.


Shown above:  Screenshot of the email with an attached Excel spreadsheet.

Infection traffic

A macro from the Excel spreadsheet retrieved Lokibot malware using HTTPS from a URL at a.doko[.]moe.  I used Fiddler to monitor the HTTPS traffic and determine the URL.  The HTTPS request to a.doko[.]moe had no User-Agent string.  If you use curl to retrieve the binary, you must use the -H option to exclude the User-Agent line from your HTTPS request.


Shown above:  Traffic from the infection filtered in Wireshark.


Shown above:  Using curl to retrieve the Lokibot malware binary from a.doko[.]moe.


Shown above:  Post-infection traffic from the Lokibot-infected Windows host.

Forensics on the infected host

The infected Windows host made Lokibot persistent through a Windows registry update.  This registry update was quite similar to previous Lokibot infections I've generated in my lab environment.  In this example, the infected host also had a VBS file in the Windows menu Startup folder.  This pointed to another copy of the Lokibot malware executable; however, that executable had deleted itself during the infection.  The only existing Lokibot executable was in the directory path listed in the associated Windows registry entry.


Shown above:  Windows registry update to keep Lokibot persistent.


Shown above:  VBS file in the Startup menu folder specifying a location where the malware had deleted itself.

Indicators

The following are indicators from an infected Windows host.  Any URLs, IP addresses, and domain names have been "de-fanged" to avoid any issues when viewing today's diary.

Traffic from an infected windows host:

  • 185.83.215[.]3 port 443 - a.doko[.]moe - GET /tkencn.jpg   (encrypted HTTPS traffic)
  • 199.192.27[.]109 port 80 - decvit[.]ga - POST /and/cat.php

Malware from an infected windows host:

SHA256 hash:  58cea3c44da13386b5acfe0e11cf8362a366e7b91bf9fc1aad7061f68223c5a8

  • File size:  853,504 bytes
  • File name:  62509871.xls
  • File description:  Attached Excel spreadsheet with macro to retrieve Lokibot

SHA256 hash:  b8b6ee5387befd762ecce0e146bd0a6465239fa0785869f05fa58bdd25335d3e

  • File size:  853,504 bytes
  • File location:  hxxps://a.doko[.]moe/tkencn.jpg
  • File location:  C:\Users\[username]\AppData\Roaming\44631D\D1B132.exe
  • File location:  C:\Users\[username]\AppData\Roaming\sticik\stickiy.exe   (deleted itself during the infection)
  • File description:  Lokibot malware binary

Final words

Email, pcap, and malware for the infection can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

Keywords: Lokibot malspam
0 comment(s)
ISC Stormcast For Tuesday, December 4th 2018 https://isc.sans.edu/podcastdetail.html?id=6278

Comments

cwqwqwq
eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>
WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]
dwqqqwqwq mashood
[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)
[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]
What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/

Diary Archives