Introduction

A tweet last week by @malwareunicorn reminded me I haven't searched out any Loki-Bot malspam in a while.

Loki-Bot (also spelled "Loki Bot" or "LokiBot") is an information stealer that sends login credentials and other sensitive data from an infected Windows host to a server established for each malware sample. It's commonly distributed through malicious spam (malspam), and I usually run across samples of Loki-Bot every day. More information can be found in a SANS Reading Room paper written by Rob Pantazopoulos here. I've already written two ISC diaries on Loki-Bot since October 2017 (here and here). Today's diary is a reminder that Loki-Bot is very much alive and actively distributed through malspam on a daily basis. You'll frequently find tweets tagged #Lokibot on Twitter.

Details

I often find examples of Loki-Bot malspam through VirusTotal Intelligence. A quick search revealed one such email in the early hours of Monday 2018-06-11 (UTC time). It was heavily sanitized, so there's little information other than the date, sender, subject line, and attachment.
The email has an RTF attachment disguised as a Word document. When opened with a vulnerable version of Microsoft Office, an exploit for CVE-2017-11882 will download and install Loki-Bot malware on a vulnerable Windows host. In this case, a request for the Loki-Bot executable was done over HTTPS. Approximately two minutes later, the infected Windows host began generating post-infection HTTP traffic associated with Loki-Bot.
Indicators

Indicators are not the same as a block list. If you need to block the associated web traffic, block anything going to these two domains:
Information from the malicious spam:
Traffic from an infected Windows host:
Associated malware:

SHA256 hash: b66d5b28c57517b8b7d2751e30e5175149479e5fde086b293a016aac11cdd546
SHA256 hash: a747eeac9ae8ee9317871dfaa2a368f2e82894f601a90614da5818f8f91d1d78
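The infection chain above starts with an RTF file carrying a Word document's name, and the diary closes with two file hashes. The following triage script is an added example, not the diary's own tooling, showing how a mail gateway or analyst could flag such an attachment before it is opened: it compares the declared extension against the file's actual RTF header, looks for an embedded OLE object whose class names the Equation Editor (the component patched for CVE-2017-11882; this is a heuristic I am assuming here, since the diary does not describe the exploit document's internals), and compares the SHA256 against the two hashes listed above. The sample inputs are constructed for the example and are not real malware.

```python
"""Attachment triage for the RTF/CVE-2017-11882 -> Loki-Bot chain described in the diary.

All three checks are heuristics assumed for this example, not the diary's own method:
  1. a .doc/.docx/.dot file name whose bytes are actually an RTF document
  2. an RTF that embeds an OLE object whose class names the Equation Editor
  3. a SHA256 that matches one of the hashes published in the diary
"""
import hashlib
import re

# The two SHA256 hashes listed in the diary's "Associated malware" section.
KNOWN_LOKIBOT_SHA256 = {
    "b66d5b28c57517b8b7d2751e30e5175149479e5fde086b293a016aac11cdd546",
    "a747eeac9ae8ee9317871dfaa2a368f2e82894f601a90614da5818f8f91d1d78",
}

# Word extensions that an RTF lure is typically renamed to.
WORD_EXTENSIONS = (".doc", ".docx", ".dot")

# RTF control word naming the embedded object's OLE class. "Equation.2"/"Equation.3"
# is the Equation Editor, so its presence in an e-mail attachment is worth a closer look.
EQUATION_OBJCLASS = re.compile(rb"\\objclass\s*Equation(?:\.\d+)?", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of the attachment bytes, for comparison with published indicators."""
    return hashlib.sha256(data).hexdigest()


def is_rtf(data: bytes) -> bool:
    """RTF files begin with the '{\\rtf' header regardless of what the file is named."""
    return data.lstrip().startswith(b"{\\rtf")


def triage_attachment(filename: str, data: bytes) -> list:
    """Return a list of finding tags for one attachment; an empty list means nothing flagged."""
    findings = []
    name = filename.lower()
    rtf = is_rtf(data)

    if rtf and name.endswith(WORD_EXTENSIONS):
        findings.append("rtf-disguised-as-word")
    if rtf and EQUATION_OBJCLASS.search(data):
        findings.append("rtf-embeds-equation-editor-object")
    if sha256_hex(data) in KNOWN_LOKIBOT_SHA256:
        findings.append("sha256-matches-known-lokibot-sample")
    return findings


# Constructed sample inputs (not real malware):
#   - a harmless RTF with no embedded objects
#   - an RTF lure that embeds an Equation Editor object and is named like a Word file
#   - a genuine OLE compound-file header, i.e. what a real legacy .doc starts with
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report\\par}"
LURE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 0105000002000000}}\\par}"
)
PLAIN_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8


def demo() -> dict:
    """Run the triage over the constructed samples; keyed by the attachment's file name."""
    return {
        "invoice.doc": triage_attachment("invoice.doc", LURE_RTF),
        "notes.rtf": triage_attachment("notes.rtf", BENIGN_RTF),
        "memo.doc": triage_attachment("memo.doc", PLAIN_DOC),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'no findings'}")
```

The extension check alone is weak (RTF files are legitimately opened by Word), so the script only combines it with the embedded-object check and the hash match rather than treating any one signal as a verdict; a real gateway would hand flagged files to sandbox detonation, which is how the HTTPS download and the post-infection HTTP traffic in this diary were observed.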
Final words

As usual, properly-administered and up-to-date Windows hosts are not likely to get infected. System administrators and the technically inclined can also implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections. Pcap and malware samples for today's diary can be found here.
Brad, ISC Handler, Jun 11th 2018
And just for fun, I looked them up (today as in 6/12) in WebSense/ForcePoint; both websites showed up in the "Newly Registered" category.

Anonymous, Jun 12th 2018