LokiBot campaign — update of 26 July 2021

July 26, 2021 · frtg · 3 min read

In the past week, a phishing campaign targeting Italy has been detected.
The email subject line reads “RE: Purchase order-12034428 HANG TAG ARTWORK”; the attachment contains an xlsx file that, when opened, contacts a domain from which it downloads a LokiBot sample in exe format.

Immagine — Source: JAMESWT (@JAMESWT_MHT) / Twitter

The dropper xlsx exploits CVE-2017-11882 (Cyber Threat Intelligence), which permits arbitrary code execution. In this instance, the Microsoft Equation Editor process (EQNEDT32.EXE) is leveraged to contact http://weddingstory[.]gr/linto/vulinko[.]exe, download the LokiBot sample to “\AppData\Roaming\gtyhyz.exe”, and execute it.

Source: PTTXSAMPLEXANDXPO.xlsx (MD5: A4025253BAA6223DD98E753812AC621C) – Interactive analysis – ANY.RUN

The malware is an infostealer and RAT capable of harvesting user credentials and establishing a backdoor to permit the attacker to deploy additional malicious payloads.
For instance, it exfiltrates credentials stored in browsers: AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pkcs11.txt.

This information is subsequently transmitted to the Command and Control (C2) server, identified as lushbb[.]xyz at IP address 104[.]21[.]51[.]229.

Static Analysis

File xlsx

Tag

Dropper

Details

md5	A4025253BAA6223DD98E753812AC621C
sha1	01E842B2443B1ACD25D6D65595C4D3F9339654D9
sha256	DA3F3359E2448D36BDD8B0EBDF074FB608F8BE4FC9D996FAEAD58E6B6D819E67
file-size	768 644 (bytes)
entropy	7.998
Virustotal	score 29/62

Description

Email attachment exploiting CVE-2017-11882 to download and execute the LokiBot sample.

vulinko.exe

Tag

LokiBot

Details

md5	A4025253BAA6223DD98E753812AC621C
sha1	01E842B2443B1ACD25D6D65595C4D3F9339654D9
sha256	DA3F3359E2448D36BDD8B0EBDF074FB608F8BE4FC9D996FAEAD58E6B6D819E67
file-size	768 644 (bytes)
entropy	7.998
imphash	2BD8836AD04E575E33CBFFF8CBA9F900
Virustotal	score 28/70

Description

LokiBot sample performing data exfiltration and communicating with the C2 server at address 104[.]21[.]51[.]229.

IOCs

PTTXSAMPLEXANDXPO.xlsx

SHA256 DA3F3359E2448D36BDD8B0EBDF074FB608F8BE4FC9D996FAEAD58E6B6D819E67
SHA1 01E842B2443B1ACD25D6D65595C4D3F9339654D9
MD5 A4025253BAA6223DD98E753812AC621C

Downloaded Executable (LokiBot)

SHA256 3353C2EA708D348C56FACAAB5C7AEBB5A2EC6C820D076D25DC41F30FAC712F6D

Network Activity

Dropper
- weddingstory[.]gr
- 51[.]15[.]17[.]195
C2
- lushbb[.]xyz
- 104[.]21[.]51[.]229

Phishing campaigns leveraging CVE-2017-11882 through Office documents remain a persistent delivery vector for infostealer malware; defenders must maintain vigilance against email-borne threats employing equation editor exploitation and implement application whitelisting to restrict arbitrary code execution.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Static Analysis

File xlsx

Tag

Details

Description

vulinko.exe

Tag

Details

IOCs

PTTXSAMPLEXANDXPO.xlsx

Downloaded Executable (LokiBot)

Network Activity

Cookie & Privacy