{"id":2664,"date":"2021-06-21T11:03:42","date_gmt":"2021-06-21T09:03:42","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2664"},"modified":"2021-06-21T11:03:42","modified_gmt":"2021-06-21T09:03:42","slug":"campagna-lokibot-21-06-2021","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/cyber-security-news\/campagna-lokibot-21-06-2021\/","title":{"rendered":"LokiBot campaign: update of 21-06-2021"},"content":{"rendered":"\n<p style=\"text-align: justify\">In recent weeks a <strong>phishing<\/strong> campaign targeting Italian e-mail addresses has been detected.<br>The messages are sent in the name of non-existent Italian businesses from the address <strong>info@it0b[.]xys<\/strong>, with the subject &#8220;<strong>INVIO FATTURA DOC_768 NOME AZIENDA<\/strong>&#8221; (&#8220;invoice sent&#8221;, followed by a company name).<\/p>\n<p style=\"text-align: justify\">The body of the e-mail is written in Italian and carries a ZIP attachment with the same name as the subject.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/06\/loki-1024x671.png\" alt=\"\" class=\"wp-image-2687\" loading=\"lazy\" \/><figcaption>From: <a href=\"https:\/\/csirt.gov.it\/contenuti\/email-di-phishing-invio-fattura-doc_-veicola-lokibot-al03-210618-csirt-ita\">Phishing e-mail &#8220;INVIO FATTURA DOC_&#8221; delivers LokiBot (AL03\/210618\/CSIRT-ITA), Italian CSIRT<\/a> <\/figcaption><\/figure>\n\n\n\n<p style=\"text-align: justify\">Inside the ZIP is an ISO image, and inside the ISO an EXE, which is <strong>LokiBot<\/strong>. The nesting is itself a useful signal: the executable sits two container layers deep, where attachment filters that only inspect the outer ZIP do not see it.<\/p>\n\n\n\n<p style=\"text-align: justify\">The malware is an <strong>infostealer and RAT<\/strong>: it steals user credentials through a <strong>keylogger<\/strong> module and can also open a <strong>backdoor<\/strong> that lets the attacker install further malicious <em>payloads<\/em>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/06\/image-11.png\" alt=\"\" class=\"wp-image-2672\" loading=\"lazy\" \/><\/figure>\n\n\n\n<p>The samples analysed establish a connection to the IP address <strong>63.141.228[.]141<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/06\/image-12.png\" alt=\"\" class=\"wp-image-2674\" loading=\"lazy\" \/><\/figure>\n\n\n\n<p style=\"text-align: justify\">In other cases a DNS query is made instead for the domain <strong>manvim[.]co<\/strong>, which resolves to <strong>35.193.27[.]228<\/strong> (domain registered on 2021-05-04, about six weeks before the campaign was observed). The indicators below are defanged with [.]; remove the brackets before loading them into a blocklist or a log search.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">IOC<\/h3>\n\n\n\n<p><strong>ZIP attachment:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>MD5 7dcd5b2527962fffbfb47aaafd8017cf<\/li><li>SHA-1 7acc748b915a7c2e0dd6f89bc35653477d3f8ea5<\/li><li>SHA-256 7804087ee95b9c0f488db921f24e4aa69df6ee10189d1399fe7dfb8383b1c6f5<\/li><\/ul>\n\n\n\n<p><strong>ISO image:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>MD5 c35c0bc696ba1a1f1a843ce6d4a63818<\/li><li>SHA-1 8cf0ff7c7f6635d6fe116b30ddd78aca14a35851<\/li><li>SHA-256 12eed57e3431669c9b53a3ac1a556617df0894b078cd0227cfebc15e9e67df8f<\/li><\/ul>\n\n\n\n<p><strong>Executable:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>MD5 e54937c7d7e2cac41541e6a416c9cb90<\/li><li>SHA-1 1c43eae1d54d7d242ccd223b6b23a6a4fa21a8a3<\/li><li>SHA-256 0c4efefcd2850c9764e65fb0f5a084573dfb65c7103b4513781c02e06e21c83a<\/li><\/ul>\n\n\n\n<p><strong>Other executables:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>SHA-256 3e56d9df1d14f5758330600d1d2fd098a173842fae0447bdf8e6d97a4d2c7162<\/li><li>SHA-256 254de372db20f35fb440552d22068d975bfb6fafd7902d2826318033b01428a8<\/li><li>SHA-256 ced5590738ce4d32f26c917992c21656c60a5ed3a2fffb02beb5b09b1d5d626f<\/li><li>SHA-256 1eb22488631a731f6fc27ad209f386b8b0aa6181016badff86ee36bc2e42a256<\/li><li>SHA-256 c252af943c2c85f2c3dfcbca5d16877d61aca44d462f088a4a8baacacf59a3ae<\/li><\/ul>\n\n\n\n<p><strong>Addresses contacted:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>manvim[.]co<\/li><li>35.193.27[.]228<\/li><li>63.141.228[.]141<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The samples analysed establish a connection to the IP address 63.141.228[.]141.<\/p>\n","protected":false},"author":1,"featured_media":2687,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[17,198,205,212,219,350],"class_list":["post-2664","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-security-news","tag-35-193-27-228","tag-keylogger","tag-lokibot","tag-malware","tag-manvim-co","tag-threat"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2664","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2664"}],"version-history":[{"count":0,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2664\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2664"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2664"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2664"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
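The post describes a ZIP-wrapped ISO delivering an executable and publishes file hashes plus a C2 domain and two IPs. The following Python turns those indicators into two checks a SOC would actually run: hashing a mail attachment while descending into nested containers (so the ISO inside the ZIP is typed and hashed on its own, and the ZIP-contains-ISO chain is flagged even when the hashes are new), and scanning DNS/proxy log lines for the refanged network indicators. This is an added example, not code from the original post or from the CSIRT advisory; the function names, the sample attachment and the log lines are constructed for the demo, so their hashes will not match the published ones.

```python
"""IOC checks for the "INVIO FATTURA DOC_" LokiBot campaign (added example).

The hashes and network indicators are the ones published in the post; the
attachment and log lines are constructed stand-ins for the demo.
"""
import hashlib
import io
import re
import zipfile

# SHA-256 indicators copied from the post, labelled by the stage they belong to.
FILE_HASHES = {
    "7804087ee95b9c0f488db921f24e4aa69df6ee10189d1399fe7dfb8383b1c6f5": "ZIP attachment",
    "12eed57e3431669c9b53a3ac1a556617df0894b078cd0227cfebc15e9e67df8f": "ISO image",
    "0c4efefcd2850c9764e65fb0f5a084573dfb65c7103b4513781c02e06e21c83a": "LokiBot executable",
    "3e56d9df1d14f5758330600d1d2fd098a173842fae0447bdf8e6d97a4d2c7162": "other executable",
    "254de372db20f35fb440552d22068d975bfb6fafd7902d2826318033b01428a8": "other executable",
    "ced5590738ce4d32f26c917992c21656c60a5ed3a2fffb02beb5b09b1d5d626f": "other executable",
    "1eb22488631a731f6fc27ad209f386b8b0aa6181016badff86ee36bc2e42a256": "other executable",
    "c252af943c2c85f2c3dfcbca5d16877d61aca44d462f088a4a8baacacf59a3ae": "other executable",
}
# Network indicators exactly as published, i.e. defanged with "[.]".
NETWORK_IOCS = ["manvim[.]co", "35.193.27[.]228", "63.141.228[.]141"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return indicator.replace("[.]", ".")


def classify(blob: bytes) -> str:
    """Cheap container/type detection by signature, never by file name."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        return "zip"
    # ISO 9660: the Primary Volume Descriptor is at sector 16 (offset 0x8000)
    # and carries the "CD001" identifier at offset 0x8001.
    if len(blob) >= 0x8006 and blob[0x8001:0x8006] == b"CD001":
        return "iso"
    if blob[:2] == b"MZ":
        return "exe"
    return "other"


def inspect_attachment(blob: bytes, path: str = "attachment") -> list:
    """Hash an attachment and, recursively, every member of any ZIP in it.

    Returns (path, kind, sha256, ioc_label) tuples; ioc_label is None when the
    hash is not one of the published indicators.
    """
    digest = hashlib.sha256(blob).hexdigest()
    kind = classify(blob)
    findings = [(path, kind, digest, FILE_HASHES.get(digest))]
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for member in zf.infolist():
                if not member.is_dir():
                    findings += inspect_attachment(zf.read(member), f"{path}/{member.filename}")
    return findings


def has_zip_iso_chain(findings: list) -> bool:
    """True when a ZIP directly contains an ISO, the delivery chain of this campaign.

    A structural check like this still fires for a re-packed sample whose hashes are new.
    """
    kinds = {path: kind for path, kind, _, _ in findings}
    return any(
        kind == "iso" and kinds.get(path.rsplit("/", 1)[0]) == "zip"
        for path, kind in kinds.items() if "/" in path
    )


# One regex for all network IOCs. The look-arounds stop "manvim.co" matching
# "manvim.com" and an IP matching a longer one that merely starts the same way.
_NET_RE = re.compile(
    r"(?<![\w.-])(?:" + "|".join(re.escape(refang(i)) for i in NETWORK_IOCS) + r")(?![\w-])"
)


def scan_log(lines: list) -> list:
    """Return (line_number, indicator) for every network IOC found in the log lines."""
    return [(n, m.group(0)) for n, line in enumerate(lines, 1) for m in _NET_RE.finditer(line)]


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the campaign's ZIP: a ZIP wrapping a minimal ISO 9660 blob."""
    iso = bytearray(0x9000)            # 18 sectors of 2048 bytes, all zero
    iso[0x8000] = 1                    # descriptor type 1 = Primary Volume Descriptor
    iso[0x8001:0x8006] = b"CD001"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("INVIO FATTURA DOC_768 NOME AZIENDA.iso", bytes(iso))
    return buf.getvalue()


# Constructed log lines in a generic key=value layout; line 3 is a near-miss on purpose.
SAMPLE_LOG = [
    "2021-06-18T09:12:01 dns client=10.0.0.21 query=manvim.co type=A answer=35.193.27.228",
    "2021-06-18T09:12:03 proxy client=10.0.0.21 dst=63.141.228.141:80 method=POST",
    "2021-06-18T09:12:05 dns client=10.0.0.22 query=manvim.com type=A",
]

if __name__ == "__main__":
    found = inspect_attachment(build_sample_attachment(), "INVIO FATTURA DOC_768 NOME AZIENDA.zip")
    for entry in found:
        print(entry)
    print("zip->iso chain:", has_zip_iso_chain(found))
    print("network hits:", scan_log(SAMPLE_LOG))
```

To use it on a real mailbox export, feed each attachment's bytes to `inspect_attachment` and the resolver or proxy export to `scan_log`; a non-None `ioc_label` is a direct hit on the published hashes, while `has_zip_iso_chain` catches the same lure re-packed with a fresh payload.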