Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Malspam pushing Lokibot malware - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Malspam pushing Lokibot malware

Introduction

I've frequently seen malicious spam pushing Lokibot (also spelled "Loki-Bot") since 2017.  This year, I've written diaries about it in February 2018 and June 2018.  I most recently posted an example to my blog on 2018-11-26.  This type of malicious spam shows no signs of stopping, so here's a quick diary covering an example from Monday 2018-12-03.

The email

Templates for malicious spam pushing Lokibot vary, and the example from Monday 2018-12-03 was disguised as a purchase quotation.  The email contained an Excel spreadsheet with a macro designed to infect vulnerable Windows hosts with Lokibot malware.  Potential victims need to click through warnings, so this is not an especially stealthy method of infection.


Shown above:  Screenshot of the email with an attached Excel spreadsheet.

Infection traffic

A macro from the Excel spreadsheet retrieved Lokibot malware using HTTPS from a URL at a.doko[.]moe.  I used Fiddler to monitor the HTTPS traffic and determine the URL.  The HTTPS request to a.doko[.]moe had no User-Agent string.  If you use curl to retrieve the binary, you must use the -H option to exclude the User-Agent line from your HTTPS request.


Shown above:  Traffic from the infection filtered in Wireshark.


Shown above:  Using curl to retrieve the Lokibot malware binary from a.doko[.]moe.


Shown above:  Post-infection traffic from the Lokibot-infected Windows host.

Forensics on the infected host

The infected Windows host made Lokibot persistent through a Windows registry update.  This registry update was quite similar to previous Lokibot infections I've generated in my lab environment.  In this example, the infected host also had a VBS file in the Windows menu Startup folder.  This pointed to another copy of the Lokibot malware executable; however, that executable had deleted itself during the infection.  The only existing Lokibot executable was in the directory path listed in the associated Windows registry entry.


Shown above:  Windows registry update to keep Lokibot persistent.


Shown above:  VBS file in the Startup menu folder specifying a location where the malware had deleted itself.

Indicators

The following are indicators from an infected Windows host.  Any URLs, IP addresses, and domain names have been "de-fanged" to avoid any issues when viewing today's diary.

Traffic from an infected windows host:

  • 185.83.215[.]3 port 443 - a.doko[.]moe - GET /tkencn.jpg   (encrypted HTTPS traffic)
  • 199.192.27[.]109 port 80 - decvit[.]ga - POST /and/cat.php

Malware from an infected windows host:

SHA256 hash:  58cea3c44da13386b5acfe0e11cf8362a366e7b91bf9fc1aad7061f68223c5a8

  • File size:  853,504 bytes
  • File name:  62509871.xls
  • File description:  Attached Excel spreadsheet with macro to retrieve Lokibot

SHA256 hash:  b8b6ee5387befd762ecce0e146bd0a6465239fa0785869f05fa58bdd25335d3e

  • File size:  853,504 bytes
  • File location:  hxxps://a.doko[.]moe/tkencn.jpg
  • File location:  C:\Users\[username]\AppData\Roaming\44631D\D1B132.exe
  • File location:  C:\Users\[username]\AppData\Roaming\sticik\stickiy.exe   (deleted itself during the infection)
  • File description:  Lokibot malware binary

Final words

Email, pcap, and malware for the infection can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

Brad

322 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!