Security researchers at FortiGuard Labs discovered a new Coronavirus-themed campaign that uses messages purporting to come from the World Health Organization (WHO) to deliver the LokiBot trojan.
The campaign was uncovered on March 27, when the researchers noticed messages claiming to be WHO communications addressing misinformation about the COVID-19 outbreak.
The messages carry an attachment entitled “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj”.
“FortiGuard Labs recently discovered a new COVID-19/Coronavirus-themed
The body of the message contains information about the pandemic, along with suggestions and recommendations.
The email is written in English, but the experts believe the attackers behind this campaign are not native English speakers, given the obvious grammar, punctuation and spelling errors.
The message claims to come from a fictitious “WHO Center for Disease Control”: the threat actors evidently grafted the name of the U.S. Centers for Disease Control and Prevention (CDC) onto the WHO, even though the two organizations are separate.
The attachment “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj” is a compressed file in the ARJ format, an old and rarely used archive format that was likely chosen to evade detection, since mail filters tuned for ZIP or RAR attachments may not unpack it.
Decompressing the archive yields a file named “DOC.pdf.exe” rather than the “Doc.zip.arj” the user expected: the double extension is meant to pass the executable off as a PDF document, and on a default Windows installation, which hides known file extensions, it would appear simply as “DOC.pdf”.
Once the file is executed, the LokiBot infection starts: the malware steals sensitive information (a variety of credentials, including FTP credentials, stored email passwords and passwords saved in the browser, as well as a whole host of other credentials) and exfiltrates it to the URL hxxp://bslines[.]xyz/copy/five/fre.php.
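To turn the indicators above into something checkable, here is an added example (not FortiGuard's or the article's code) that flags an attachment by its real file signature rather than its name, catches the document-then-executable double extension, and scans a proxy log for POSTs to the reported LokiBot gate path. The filenames, client addresses and log lines are constructed for illustration, and the log uses the undefanged form of the URL the page reports.

```python
"""Attachment and proxy-log triage for the lure described above.

Added example; not FortiGuard's or the article's code. The sample
filenames, log lines and the 10.0.0.x hosts are constructed.
"""
import re

# File signatures: ARJ archives begin with 0x60 0xEA, PE executables with
# "MZ", ZIP with "PK\x03\x04", PDF with "%PDF".
MAGIC = {
    b"\x60\xea": "arj",
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
}

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}


def sniff_type(data: bytes) -> str:
    """Identify the real file type from its leading bytes, not its name."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def assess_attachment(name: str, data: bytes) -> list:
    """Return a list of findings for one attachment (empty means nothing flagged)."""
    exts = [p.lower() for p in name.split(".")[1:]]
    real = sniff_type(data)
    findings = []
    # ARJ is an uncommon archive format that filters tuned for ZIP/RAR may skip.
    if real == "arj":
        findings.append("arj-archive")
    # Name says archive but content is not: a lure or a corrupted file.
    if exts and exts[-1] in {"arj", "zip"} and real not in {"arj", "zip"}:
        findings.append("extension-mismatch")
    # PE content whose final extension is not an executable one.
    if real == "pe" and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        findings.append("pe-disguised-as-" + (exts[-1] if exts else "none"))
    # "DOC.pdf.exe": a document extension followed by an executable one.
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        findings.append("double-extension")
    return findings


# LokiBot check-ins are HTTP POSTs to a gate script; the page reports
# hxxp://bslines[.]xyz/copy/five/fre.php for this campaign, so match on /fre.php.
C2_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) POST (?P<url>https?://\S+/fre\.php)(\s|$)")


def find_lokibot_beacons(proxy_lines):
    """Return (source host, URL) for every proxy log line that looks like a LokiBot check-in."""
    hits = []
    for line in proxy_lines:
        m = C2_RE.match(line)
        if m:
            hits.append((m["src"], m["url"]))
    return hits


# Constructed sample proxy log in "<timestamp> <client> <method> <url> <status>" form.
SAMPLE_PROXY_LOG = [
    "2020-03-27T10:02:11Z 10.0.0.5 POST http://bslines.xyz/copy/five/fre.php 404",
    "2020-03-27T10:02:12Z 10.0.0.7 GET https://www.who.int/emergencies/diseases/novel-coronavirus-2019 200",
    "2020-03-27T10:03:40Z 10.0.0.5 POST http://bslines.xyz/copy/five/fre.php 404",
]

if __name__ == "__main__":
    samples = [
        ("COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj", b"\x60\xea\x2b\x00"),
        ("DOC.pdf.exe", b"MZ\x90\x00"),
        ("report.pdf", b"%PDF-1.4"),
    ]
    for fname, head in samples:
        print(fname, "->", assess_attachment(fname, head) or ["clean"])
    for src, url in find_lokibot_beacons(SAMPLE_PROXY_LOG):
        print("possible LokiBot beacon from", src, "to", url)
```

The point of checking magic bytes is that a gateway rule keyed on the ".zip" in the name would never see the ARJ container, and a user-facing name such as "DOC.pdf.exe" says nothing about what the bytes are; the two checks complement each other. The beacon rule is deliberately narrow (POST to a path ending in fre.php); widen it to your own telemetry once you have confirmed samples.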
LokiBot has been active since 2015. It is an infostealer that has been involved in many malspam campaigns aimed at harvesting credentials from web browsers, email clients and admin tools, and it has also been used to target cryptocurrency-wallet owners.
The original LokiBot malware was developed and sold online by a hacker using the alias “lokistov” (aka Carter).
The malicious code was initially advertised on several hacking forums for up to $300; later, other threat actors began offering it for less than $80 in the cybercrime underground.
FortiGuard's telemetry shows that the campaign infected users worldwide, most of them in Turkey (29%), Portugal (19%), Germany (12%), Austria (10%) and the United States (10%).
Infections associated with this campaign were also observed in Belgium, Puerto Rico, Italy, Canada and Spain.
Unfortunately, this campaign is only one of the numerous Coronavirus-themed attacks attempting to exploit the COVID-19 outbreak.