{"id":2664,"date":"2021-06-21T11:03:42","date_gmt":"2021-06-21T09:03:42","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2664"},"modified":"2026-06-08T23:12:05","modified_gmt":"2026-06-08T23:12:05","slug":"lokibot-campaign-update-june-2021","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/lokibot-campaign-update-june-2021\/","title":{"rendered":"LokiBot campaign \u2014 update of 21 June 2021"},"content":{"rendered":"\n<p style=\"text-align: justify\">In recent weeks, a <strong>phishing<\/strong> campaign targeting Italian users has been observed.<br>The emails purport to come from non-existent Italian companies and are sent from the address <strong>info@it0b[.]xys<\/strong> with the subject &#8220;<strong>INVOICE SUBMISSION DOC_768 COMPANY NAME<\/strong>&#8221;.<\/p>\n<p style=\"text-align: justify\">The email body is written in Italian, and the message carries a ZIP attachment whose name matches the subject line.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/06\/loki-1024x671.png\" alt=\"\" class=\"wp-image-2687\" loading=\"lazy\" \/><figcaption>From: <a href=\"https:\/\/csirt.gov.it\/contenuti\/email-di-phishing-invio-fattura-doc_-veicola-lokibot-al03-210618-csirt-ita\">Phishing email &#8220;INVOICE SUBMISSION DOC_&#8221; delivers LokiBot (AL03\/210618\/CSIRT-ITA) &#8211; Italian CSIRT<\/a> <\/figcaption><\/figure>\n\n\n\n<p style=\"text-align: justify\">The ZIP archive contains an ISO image, which in turn contains an EXE file identified as <strong>LokiBot<\/strong>.<\/p>\n\n\n\n<p style=\"text-align: justify\">The malware is an <strong>infostealer and RAT<\/strong> that harvests user credentials through a <strong>keylogger<\/strong> module; it can also open a <strong>backdoor<\/strong> that lets the attacker deploy additional malicious <em>payloads<\/em>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img 
decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/06\/image-11.png\" alt=\"\" class=\"wp-image-2672\" loading=\"lazy\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The analysed samples connect to the IP address <strong>63.141.228[.]141<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/06\/image-12.png\" alt=\"\" class=\"wp-image-2674\" loading=\"lazy\" \/><\/figure>\n\n\n\n<p style=\"text-align: justify\">In other cases the sample issues a DNS query for the domain <strong>manvim[.]co<\/strong> (registered 2021-05-04), which resolved to the IP address <strong>35.193.27[.]228<\/strong>. Correlating this infrastructure with <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> sources shows the same command-and-control pattern across multiple LokiBot variants.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">IOC<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>ZIP Attachment:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li> MD5            7dcd5b2527962fffbfb47aaafd8017cf<\/li><li> SHA-1        7acc748b915a7c2e0dd6f89bc35653477d3f8ea5<\/li><li> SHA-256        7804087ee95b9c0f488db921f24e4aa69df6ee10189d1399fe7dfb8383b1c6f5<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>ISO Image:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li> MD5            c35c0bc696ba1a1f1a843ce6d4a63818<\/li><li> SHA-1        8cf0ff7c7f6635d6fe116b30ddd78aca14a35851<\/li><li> SHA-256        12eed57e3431669c9b53a3ac1a556617df0894b078cd0227cfebc15e9e67df8f<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Executable:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li> MD5            e54937c7d7e2cac41541e6a416c9cb90<\/li><li> SHA-1        1c43eae1d54d7d242ccd223b6b23a6a4fa21a8a3<\/li><li> SHA-256        
0c4efefcd2850c9764e65fb0f5a084573dfb65c7103b4513781c02e06e21c83a<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Additional Executables:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>SHA-256 3e56d9df1d14f5758330600d1d2fd098a173842fae0447bdf8e6d97a4d2c7162 <\/li><li> SHA-256   254de372db20f35fb440552d22068d975bfb6fafd7902d2826318033b01428a8<\/li><li> SHA-256 ced5590738ce4d32f26c917992c21656c60a5ed3a2fffb02beb5b09b1d5d626f<\/li><li> SHA-256 1eb22488631a731f6fc27ad209f386b8b0aa6181016badff86ee36bc2e42a256<\/li><li> SHA-256 c252af943c2c85f2c3dfcbca5d16877d61aca44d462f088a4a8baacacf59a3ae<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Contacted Addresses:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li> manvim[.]co <\/li><li> 35.193.27[.]228 <\/li><li> 63.141.228[.]141 <\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>LokiBot campaign of 21 June 2021: lure templates, dropper chain, exfiltration channels and IOC indicators across the latest waves.<\/p>\n","protected":false},"author":1,"featured_media":2687,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[17,3212,3320,198,205,3240,212,219,350],"class_list":["post-2664","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-35-193-27-228","tag-information-stealer","tag-june-2021","tag-keylogger","tag-lokibot","tag-malspam-campaign","tag-malware","tag-manvim-co","tag-threat"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2664","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/
wp\/v2\/comments?post=2664"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2664\/revisions"}],"predecessor-version":[{"id":9914,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2664\/revisions\/9914"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2664"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2664"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2664"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
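Hunting for the indicators in the IOC section above, as an added example that is not part of the original advisory. The hash and network values are copied from the advisory's list; the two log formats (a resolver query line and a firewall connection line) and the sample lines are constructed for the demonstration, and the `[.]` defanging is the convention the advisory itself uses.

```python
"""Match the LokiBot IOCs from this advisory against file hashes and network logs.
Added example, not code from the original advisory; indicator values are copied
from the IOC section, the log formats and sample lines are constructed."""
import hashlib
import re

# Hashes from the IOC section keyed by hex digest (MD5, SHA-1 or SHA-256), so a
# lookup works whatever digest a given sandbox report or EDR event provides.
IOC_HASHES = {
    "7dcd5b2527962fffbfb47aaafd8017cf": "ZIP attachment",
    "7acc748b915a7c2e0dd6f89bc35653477d3f8ea5": "ZIP attachment",
    "7804087ee95b9c0f488db921f24e4aa69df6ee10189d1399fe7dfb8383b1c6f5": "ZIP attachment",
    "c35c0bc696ba1a1f1a843ce6d4a63818": "ISO image",
    "8cf0ff7c7f6635d6fe116b30ddd78aca14a35851": "ISO image",
    "12eed57e3431669c9b53a3ac1a556617df0894b078cd0227cfebc15e9e67df8f": "ISO image",
    "e54937c7d7e2cac41541e6a416c9cb90": "LokiBot executable",
    "1c43eae1d54d7d242ccd223b6b23a6a4fa21a8a3": "LokiBot executable",
    "0c4efefcd2850c9764e65fb0f5a084573dfb65c7103b4513781c02e06e21c83a": "LokiBot executable",
    "3e56d9df1d14f5758330600d1d2fd098a173842fae0447bdf8e6d97a4d2c7162": "additional executable",
    "254de372db20f35fb440552d22068d975bfb6fafd7902d2826318033b01428a8": "additional executable",
    "ced5590738ce4d32f26c917992c21656c60a5ed3a2fffb02beb5b09b1d5d626f": "additional executable",
    "1eb22488631a731f6fc27ad209f386b8b0aa6181016badff86ee36bc2e42a256": "additional executable",
    "c252af943c2c85f2c3dfcbca5d16877d61aca44d462f088a4a8baacacf59a3ae": "additional executable",
}
# Network indicators exactly as published (defanged with "[.]").
IOC_NETWORK_DEFANGED = ["manvim[.]co", "35.193.27[.]228", "63.141.228[.]141"]
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(indicator: str) -> str:
    """Undo the defanging used in published IOC lists so the value can be matched."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IOC_IPS = {v for v in map(refang, IOC_NETWORK_DEFANGED) if IPV4_RE.match(v)}
IOC_DOMAINS = {v for v in map(refang, IOC_NETWORK_DEFANGED) if not IPV4_RE.match(v)}


def match_hash(digest: str):
    """Artefact label for a known MD5/SHA-1/SHA-256 hex digest, else None."""
    return IOC_HASHES.get(digest.strip().lower())


def hash_file(path: str) -> dict:
    """MD5, SHA-1 and SHA-256 of a file, streamed so large ISOs need little memory."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def check_file(path: str):
    """Label of the file if any of its digests is on the IOC list, else None."""
    return next(filter(None, map(match_hash, hash_file(path).values())), None)


def match_domain(name: str):
    """Exact or subdomain match only; 'manvim.co.example.com' must not match."""
    name = name.rstrip(".").lower()
    return next((d for d in IOC_DOMAINS if name == d or name.endswith("." + d)), None)


# Assumed log formats, constructed for this example: a resolver query line and a
# firewall connection line. Adapt the regexes to the real log schema.
DNS_RE = re.compile(r"query: (?P<name>[A-Za-z0-9.-]+) IN ")
CONN_RE = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def match_log_line(line: str):
    """Indicator hit for one log line, or None."""
    m = DNS_RE.search(line)
    if m:
        return match_domain(m.group("name"))
    m = CONN_RE.search(line)
    if m and m.group("ip") in IOC_IPS:
        return m.group("ip")
    return None


def scan_logs(lines):
    """(line_number, indicator) for every line that hits an IOC."""
    return [(n, hit) for n, line in enumerate(lines, 1) if (hit := match_log_line(line))]


# Constructed sample telemetry; 10.0.0.15 and 192.0.2.10 are placeholder addresses.
SAMPLE_LOGS = [
    "2021-06-21T09:02:11Z dns client 10.0.0.15#51234: query: www.example.com IN A",
    "2021-06-21T09:02:13Z dns client 10.0.0.15#51235: query: manvim.co IN A",
    "2021-06-21T09:02:14Z fw action=allow src=10.0.0.15 dst=192.0.2.10 dport=443",
    "2021-06-21T09:02:15Z fw action=allow src=10.0.0.15 dst=63.141.228.141 dport=80",
    "2021-06-21T09:02:16Z dns client 10.0.0.15#51236: query: cdn.manvim.co IN A",
    "2021-06-21T09:02:17Z dns client 10.0.0.15#51237: query: manvim.co.example.com IN A",
]

if __name__ == "__main__":
    for n, hit in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {hit} <- {SAMPLE_LOGS[n - 1]}")
```

Two caveats when using this. Hash hits identify only the exact artefacts listed; a repacked ZIP or ISO changes every digest, so the domain and IP indicators carry the signal for later waves, and the domain (registered a month before the campaign) is the stronger of the two because an IP on shared hosting is reassigned over time. The ZIP-inside-ISO packaging is not incidental: at the time of this campaign, files extracted from a mounted ISO did not inherit the Mark-of-the-Web of the downloaded archive, which weakened SmartScreen and Office protected-view prompts, so blocking or detonating ISO and IMG attachments at the mail gateway is the cheapest control against this delivery chain.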