The Loki Bot attacks started in July and aimed at stealing passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets
Loki Bot operators employ various social engineering technique to trick victims into opening weaponized attachments that would deploy the Loki Bot stealer.
The messages use attachments with .iso extensions, a type of file that worked as a container for delivering malware.
“Starting from early July, we have seen malicious spam activity that has targeted corporate mailboxes. The messages discovered so far contain an attachment with an .iso extension that Kaspersky Lab solutions detect as Loki Bot.” reads the analysis published by Kaspersky.
“The malware’s key objective is to steal passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets. Loki Bot dispatches all its loot to the malware owners.”
The messages masquerade as notifications from other companies, or as orders and offers.
Threat actors are sending out copies of Loki Bot to company email addresses that were available on public sources or from the companies’ own websites.
Experts observed different spam messages including fake notifications from well-known companies, fake notifications containing financial documents, and fake orders or offers.
Researchers highlighted the importance for organizations of adopting security measures that include both technical protections and training for employees.
“Every year we observe an increase in spam attacks on the corporate sector.” Kaspersky concludes.
“The perpetrators have used phishing and malicious spam, including forged business emails, in their pursuit of confidential corporate information: intellectual property, authentication data, databases, bank accounts, etc.”