FortiGuard SE Team experts uncovered a
The Lokibot malware has been active since 2015, it is an infostealer that was involved in many malspam campaigns aimed at harvest credentials from web browsers, email clients, admin tools and that was also used to target cryptocoin-wallet owners.
The original LokiBot malware was developed and sold by online by a hacker who goes online by the alias “lokistov,” (aka Carter).
The malicious code was initially advertised on many hacking forums for up to $300, later other threat actors started offering it for less than $80 in the cybercrime underground.
Now researchers spotted phishing messages targeting the employees of a large U.S.
The Lokibot variant involved in the attack has been detected on August 21, and according to the researchers, it was
“The FortiGuard Labs SE team identified a new malicious spam campaign on August 21
The phishing messages targeted the sales email address of the recipients, they emails were possibly sent from a
The messages are not written by native English speakers, they include attachments with names that attempt to trick victims into opening them with urgency
The content of the spam messages encourages the victim to open the attachment as the senders’ colleague is currently out of
Once the victims have opened the compressed archive in the attachment, they will get infected with the LokiBot information stealer.
“LokiBot steals a variety of credentials – primarily FTP credentials, stored email passwords, passwords stored in the browser, as well as a whole host of other credentials,” continues the researchers. “
The sample involved in the spear-phishing campaign is disguised as a Dora The Explorer game executable.
The IP address used to deliver the phishing emails was observed by the experts in other similar attacks in the past, one of them targeting a German bakery with spam emails in Chinese on June 17.
“This particular IP address appears to have been used twice before in malicious spam attacks that occurred several months earlier, in June, attacking a large German Bakery in a malicious spam attack trying to lure a victim into downloading an electronic invoice.” states the researchers.
“Although the German Bakery attack email was in Chinese, as was the attachment – which was an RTF file which referenced a potentially compromised URL (deepaklab[.]com), that likely contained the malicious payload – the URL has been cleaned up and no longer serves up any content that we can analyze. It can be assumed that this may be another delivery mechanism for LokiBot, as it has been documented in the past utilizing RTF distribution vectors.
Experts pointed out that given the low volume of spam messages delivered using this newly identified relay, the server associated with this IP address is used by one group that leverages on it in very targeted attacks.
Unlike previous Lokibot variants, this particular sample did not use any
More More details, including indicators of compromise (IOCs) are reported in the analysis published by Fortinet.