TG Soft's C.R.A.M. (Anti-Malware Research Center) examined an email included in a campaign spreading the malware Trojan LokiBot sent on January 21, 2019.
Cyber-criminals have developed social engineering techniques for fraudulent mass mailings, with the aim of inducing the victim to open infected attachments or click on links in the body of the message.
Fake Mail spreads Trojan "LokiBot"
Name: LokiBot
Malware family: Password Stealer
Description:
The email was detected on January 21, 2019
Example of analyzed email:
Subject: DHL Express Shipment Confirmation
From:
Subject: DHL Express Shipment Confirmation
To:
[DHL logo image]
DHL Express Shipment Confirmation
Dear Sir/Madam,
An enclosed package addressed to you was sent through our courier service by you0r business associate.
We need to confirm you are the actual receiver before we set out for final delivery to your address.
Download Attachment file to confirm your delivery address with us to ensure smooth and fast delivery.
Failure to verify address might lead to delay in scheduled delivery or loss of important document
[image linked to the download URL]
Sincerely
DHL Delivery Team.
(c) 2018 DHL International
CONFIDENTIALITY NOTICE: This message is from DHL and may contain confidential business information. It is intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient please contact the sender and delete this message and any attachment from your system. Unauthorized publication, use, dissemination, forwarding, printing or copying of this E-Mail and its attachments is strictly prohibited.
How it spreads:
The email, themed by a well-known courier company, claims the need to confirm the shipping address of a package by downloading the attachment.
Actually, the email does not contain an attachment but rather a link associated with an image of a blurry, unreadable document so as to entice the user to click on it in order to view it properly.
The link refers to a well-known and legitimate file transfer service (OneDrive):
- https[:]//onedrive.live[.]com/download?cid=391FF638CEDA8645&resid=391FF638CEDA8645%21106&authkey=AMGNNPFwLT3rchE
Hosting the payload on a legitimate file transfer service is a technique used to get past security controls, since the link points to a domain that is normally trusted and not blocked.
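The lure described above has three traits a defender can check for mechanically: the body talks about an "attachment" while the message carries none, the only link is an image with no visible text, and that link points to a file-sharing host rather than to the courier's own domain. The script below is an added example, not code from the original article or from TG Soft; the HTML body it parses is a constructed imitation of the lure, and the list of file-sharing hosts is an assumed starting set (the article names OneDrive only).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Legitimate file-sharing hosts that a lure may abuse to host its payload.
# Assumed starting set: the article only mentions OneDrive.
FILE_SHARING_HOSTS = {"onedrive.live.com", "drive.google.com", "www.dropbox.com", "wetransfer.com"}

# Constructed HTML body modelled on the DHL-themed lure; this is not the real email.
SAMPLE_HTML = """<html><body>
<p>Dear Sir/Madam,</p>
<p>Download Attachment file to confirm your delivery address with us.</p>
<a href="https://onedrive.live.com/download?cid=EXAMPLE"><img src="cid:blurred-document"></a>
<p>Sincerely,<br>DHL Delivery Team.</p>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collect every <a href> together with its visible text and whether it wraps an <img>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.body_text = []
        self._open = None  # the <a> element currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._open = {"href": attrs["href"], "text": "", "wraps_image": False}
        elif tag == "img" and self._open is not None:
            self._open["wraps_image"] = True

    def handle_data(self, data):
        self.body_text.append(data)
        if self._open is not None:
            self._open["text"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None


def analyse_links(html, brand_domain, has_attachment):
    """Return [(href, [reasons])] for links that show the traits of the lure.

    brand_domain:   the domain the message claims to come from (e.g. "dhl.com")
    has_attachment: whether the message really carries a MIME attachment
    """
    parser = LinkExtractor()
    parser.feed(html)
    text = " ".join(parser.body_text).lower()
    findings = []
    for link in parser.links:
        host = (urlparse(link["href"]).hostname or "").lower()
        reasons = []
        if link["wraps_image"] and not link["text"]:
            reasons.append("link is an image with no visible text")
        if host in FILE_SHARING_HOSTS:
            reasons.append(f"link hosted on file-sharing service {host}")
        elif host and not (host == brand_domain or host.endswith("." + brand_domain)):
            reasons.append(f"link host {host} does not belong to {brand_domain}")
        if "attachment" in text and not has_attachment:
            reasons.append("body refers to an attachment but the message has none")
        if reasons:
            findings.append((link["href"], reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_HTML, "dhl.com", has_attachment=False):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Each trait on its own is weak (newsletters also use image links), so the value is in the combination: a message that claims an attachment, has none, and offers a single image link to a file-sharing host deserves a closer look before anyone clicks.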
The link leads to the download of an archive file (.iso) with the following characteristics:
- File Name: DHL DOCUMENTS ,xls.iso
- Size: 157.895 byte
- Md5: 3BFFA0DB89D1358B3A5DEBEFEDC18837
The archive contains within it an executable file with the following characteristics:
- File Name: DHL DOCUMENTS ,xls.exe
- Size: 212.992 byte
- Md5: 9C78530B77E5D578FF117A7AE06E17FB
- Compilation date: 20/01/2019 - 23:52:19
- Malware family: LokiBot
- VirIT: Trojan.Win32.LokiBot.BGE
As you can see from the graphic below, once started the executable first launches the legitimate Windows operating system program "RegAsm.exe", performs an injection into it, and then proceeds to exfiltrate the data.
After the injection, the malware begins to collect the information to exfiltrate by reading the data and configuration files of various programs. Some examples are given below:
Browser              | Email client | FTP client
Internet Explorer    | Outlook      | BlazeFtp
Mozilla Firefox      | Thunderbird  | ClassicFTP
Google Chrome        | FossaMail    | Cyberduck
Mozilla SeaMonkey    | IncrediMail  | EasyFTP
YandexBrowser        |              | FileZilla
Opera                |              |
Comodo IceDragon     |              |
Epic Privacy Browser |              |
Safari               |              |
Flock Browser        |              |
Lunascape            |              |
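The RegAsm.exe launch described above is the point in the chain that endpoint telemetry can catch: RegAsm.exe is a legitimate .NET tool that is normally started by installers or developer tooling living under the Windows or Program Files directories, not by an executable that was just opened from a mounted .iso. The rule below is an added example written for this article, not TG Soft's detection logic; the process-creation events it runs over are constructed, and the PIDs, the RegAsm.exe path, the drive letter of the mounted image and the trusted-directory baseline are assumptions rather than data from the report.

```python
import ntpath

# Directories whose executables are expected to launch .NET utilities such as RegAsm.exe.
# Assumed baseline; tune it to the environment.
TRUSTED_PARENT_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Legitimate Windows binaries the report shows being used as an injection target.
INJECTION_TARGETS = {"regasm.exe"}

# Constructed process-creation events modelled on the chain in the report. PIDs, the
# RegAsm.exe path and the E: drive letter of the mounted ISO are assumptions.
EVENTS = [
    {"pid": 4120, "image": r"E:\DHL DOCUMENTS ,xls.exe",
     "parent_pid": 1312, "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4188, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_pid": 4120, "parent_image": r"E:\DHL DOCUMENTS ,xls.exe"},
    {"pid": 5204, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_pid": 5100, "parent_image": r"C:\Program Files\ExampleApp\setup.exe"},
]


def looks_like_document(filename):
    """True for names such as 'DHL DOCUMENTS ,xls.exe' that dress an executable up as a document."""
    name = filename.lower()
    if not name.endswith((".exe", ".scr", ".com", ".pif")):
        return False
    stem = name[: name.rfind(".")]
    return any(token in stem for token in ("xls", "doc", "pdf", "csv", "ppt"))


def suspicious_target_launch(event):
    """Return a list of reasons if the event is an injection target started by an
    untrusted parent, or None if the event is not interesting."""
    image = ntpath.basename(event["image"]).lower()
    if image not in INJECTION_TARGETS:
        return None
    parent = event["parent_image"]
    if parent.lower().startswith(TRUSTED_PARENT_DIRS):
        return None
    reasons = [f"{image} launched by {parent}, which is outside the trusted program directories"]
    if looks_like_document(ntpath.basename(parent)):
        reasons.append("parent file name mimics a document")
    drive = ntpath.splitdrive(parent)[0].lower()
    if drive and drive != "c:":
        # Opening an .iso on a modern Windows mounts it as a new drive letter.
        reasons.append(f"parent runs from non-system volume {drive.upper()} (mounted image or removable media)")
    return reasons


def scan(events):
    """Run the rule over a batch of events and return (pid, reasons) for every hit."""
    hits = []
    for event in events:
        reasons = suspicious_target_launch(event)
        if reasons:
            hits.append((event["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(EVENTS):
        print(f"PID {pid}:")
        for reason in reasons:
            print("  -", reason)
```

The parent-path check is the load-bearing part; the document-lookalike name and the non-system drive letter are supporting signals that raise confidence and make the alert self-explanatory to whoever triages it.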
Next, the malware attempts to connect to the command and control (C&C) server:
- http[:]//somotexng[.]ru/newone/Panel/fre.php
At the time of analysis the C&C server was not reachable.
Below is a graph of the infection process:
The following URLs were also found within the body of the malware:
- kbfvzoboss[.]bid/alien/fre[.]php
- alphastand[.]trade/alien/fre[.]php
- alphastand[.]win/alien/fre[.]php
- alphastand[.]top/alien/fre[.]php
Trojan.Win32.LokiBot belongs to the Password Stealer macrofamily. Its distinguishing behaviour is the theft of logins and passwords used to access important services such as home banking, social networks, web portals, e-mail, FTP, etc.
IOC
MD5:
3BFFA0DB89D1358B3A5DEBEFEDC18837
9C78530B77E5D578FF117A7AE06E17FB
URL:
somotexng[.]ru
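The indicators above are only useful once they are turned into something that can be run over files and logs. The script below is an added example and not part of the original report or of TG Soft's tooling: it refangs the URLs exactly as published, hashes every file under a directory against the two MD5 values, and scans proxy log lines (constructed for the example) for the listed domains, with a weaker match on the `/fre.php` panel path that every URL in the report shares.

```python
import hashlib
import os
import re
from urllib.parse import urlparse

# Indicators as published in the report above (defanged).
IOC_MD5 = {"3BFFA0DB89D1358B3A5DEBEFEDC18837", "9C78530B77E5D578FF117A7AE06E17FB"}
IOC_URLS_DEFANGED = [
    "http[:]//somotexng[.]ru/newone/Panel/fre.php",
    "kbfvzoboss[.]bid/alien/fre[.]php",
    "alphastand[.]trade/alien/fre[.]php",
    "alphastand[.]win/alien/fre[.]php",
    "alphastand[.]top/alien/fre[.]php",
]


def refang(indicator):
    """Undo the [.] and [:] defanging used in the report."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def ioc_domains():
    """Extract the set of C&C host names from the published URL list."""
    domains = set()
    for raw in IOC_URLS_DEFANGED:
        url = refang(raw)
        if "://" not in url:
            url = "http://" + url  # scheme-less entries would otherwise parse as a path
        domains.add(urlparse(url).hostname.lower())
    return domains


def md5_of_file(path):
    """Stream the file so large artefacts do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def find_ioc_hashes(directory, ioc_md5=IOC_MD5):
    """Walk a directory and return (path, md5) for every file whose MD5 is in the indicator set."""
    hits = []
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            digest = md5_of_file(path)
            if digest in ioc_md5:
                hits.append((path, digest))
    return hits


# Constructed proxy log lines (timestamp, client, method, URL, status); not real traffic.
SAMPLE_PROXY_LOG = """\
1548072000 10.0.0.12 POST http://somotexng.ru/newone/Panel/fre.php 504
1548072010 10.0.0.12 GET http://www.example.com/index.html 200
1548072020 10.0.0.31 POST http://alphastand.top/alien/fre.php 503
1548072030 10.0.0.44 POST http://intranet.example.com/alien/fre.php 200
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def scan_proxy_log(text, domains=None):
    """Return (client, url, reason) for lines that contact a listed C&C domain, plus a
    weaker match for the /fre.php panel path shared by every URL in the report."""
    domains = ioc_domains() if domains is None else domains
    hits = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        url = match.group("url")
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in domains:
            hits.append((match.group("client"), url, "known LokiBot C&C domain"))
        elif parsed.path.endswith("/fre.php"):
            hits.append((match.group("client"), url, "path matches the reported panel URL pattern"))
    return hits


if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url}: {reason}")
```

A POST to one of these hosts that fails (as the 504 and 503 above do, matching the report's note that the C&C was unreachable) still tells you the stealer ran and attempted to exfiltrate, so the credentials listed in the table above should be treated as exposed and rotated.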
How to identify a fake email
Experience and common sense are the first weapons against these kinds of scams.
Careful reading of the email, in all its elements, is essential. Be wary of ZIP-formatted attachments and, if possible, DO NOT enable automatic macro execution. Setting macros to run automatically is strongly discouraged, because simply opening a Word or Excel file would then execute its macros immediately, without any prior alert.
If you have been infected by a Banker, the advice from TG Soft's C.R.A.M. is to take appropriate security precautions even after the remediation of the system(s) involved, such as changing the passwords you use most often on the Web. If the workstation involved is used for home-banking transactions, a check with your credit institution is also recommended.
How to send suspicious emails for analysis as possible virus/malware/ransomware and/or Phishing attempts
Sending materials to TG Soft's Anti-Malware Research Center for analysis, which is always free of charge, can be done safely in two ways:
- Any suspect email can be sent directly from the recipient's e-mail client to the address lite@virit.com, choosing "Forward as Attachment" as the sending mode and putting "Possible phishing page to verify" or "Possible Malware to verify" in the subject line;
- save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file outside the e-mail program in use. The resulting file must then be uploaded from the page Send Suspect Files (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis of the submitted data, you must of course indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware; or other).
We give you these suggestions to help avoiding credential theft, viruses/malware or even worse next-generation Ransomware / Crypto-Malware.
Integrate your PC / SERVER protection with Vir.IT eXplorer Lite
If you are not yet using Vir.IT eXplorer PRO, we advise installing Vir.IT eXplorer Lite (FREE Edition) to supplement the antivirus in use and increase the security of your computers, PCs and SERVERs alike.
Vir.IT eXplorer Lite has the following special features:
- freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
- interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERs. We recommend using it as a supplement to the AntiVirus already in use, as it does not conflict with it or slow down the system, but significantly increases security in terms of identification and remediation of infected files;
- it identifies and, in many cases, also removes most of the viruses/malware currently in circulation or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
- through Intrusion Detection technology, also available in the Lite version of Vir.IT eXplorer, the software can report new-generation viruses/malware that have installed themselves automatically and proceed to send the reported files to TG Soft's C.R.A.M.
- Proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
For Vir.IT eXplorer PRO users...
For Vir.IT eXplorer PRO owners, it is also possible to contact TG Soft's technical phone support free of charge. The details can be found on the CLIENTS support page.
C.R.A.M.
TG Soft's Anti-Malware Research Center