LokiBot campaign — update of 21 June 2021

June 21, 2021 · frtg · 2 min read

In recent weeks, a phishing campaign targeting Italian user email addresses has been detected.
Emails are sent from non-existent Italian commercial entities using the address info@it0b[.]xys with subject “INVOICE SUBMISSION DOC_768 COMPANY NAME“.

The email body is written in Italian and contains a ZIP file attachment with the same name as the subject line.

From: Phishing email “INVOICE SUBMISSION DOC_” delivers LokiBot (AL03/210618/CSIRT-ITA) – Italian CSIRT

Within the ZIP file is an ISO file containing an EXE file identified as LokiBot.

The malware is an infostealer and RAT capable of harvesting user credentials through a keylogger module; it can also establish a backdoor to permit the attacker to deploy additional malicious payloads.

Detected samples establish a connection to IP address 63.141.228[.]141.

In other cases, a DNS query is executed for the domain manvim[.]co, resolved to IP address 35.193.27[.]228 (registered 2021-05-04). Analysis of such infrastructure patterns through Cyber Threat Intelligence sources reveals consistent command-and-control behaviour across multiple LokiBot variants.

IOC

ZIP Attachment:

MD5 7dcd5b2527962fffbfb47aaafd8017cf
SHA-1 7acc748b915a7c2e0dd6f89bc35653477d3f8ea5
SHA-256 7804087ee95b9c0f488db921f24e4aa69df6ee10189d1399fe7dfb8383b1c6f5

ISO Image:

MD5 c35c0bc696ba1a1f1a843ce6d4a63818
SHA-1 8cf0ff7c7f6635d6fe116b30ddd78aca14a35851
SHA-256 12eed57e3431669c9b53a3ac1a556617df0894b078cd0227cfebc15e9e67df8f

Executable:

MD5 e54937c7d7e2cac41541e6a416c9cb90
SHA-1 1c43eae1d54d7d242ccd223b6b23a6a4fa21a8a3
SHA-256 0c4efefcd2850c9764e65fb0f5a084573dfb65c7103b4513781c02e06e21c83a

Additional Executables:

SHA-256 3e56d9df1d14f5758330600d1d2fd098a173842fae0447bdf8e6d97a4d2c7162
SHA-256 254de372db20f35fb440552d22068d975bfb6fafd7902d2826318033b01428a8
SHA-256 ced5590738ce4d32f26c917992c21656c60a5ed3a2fffb02beb5b09b1d5d626f
SHA-256 1eb22488631a731f6fc27ad209f386b8b0aa6181016badff86ee36bc2e42a256
SHA-256 c252af943c2c85f2c3dfcbca5d16877d61aca44d462f088a4a8baacacf59a3ae

Contacted Addresses:

manvim[.]co
35.193.27[.]228
63.141.228[.]141

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

IOC

Cookie & Privacy