{"id":2970,"date":"2021-07-26T12:17:45","date_gmt":"2021-07-26T10:17:45","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2970"},"modified":"2026-06-08T22:56:12","modified_gmt":"2026-06-08T22:56:12","slug":"lokibot-campaign-update-july-2021","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/lokibot-campaign-update-july-2021\/","title":{"rendered":"LokiBot campaign \u2014 update of 26 July 2021"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In the past week, a <strong>phishing<\/strong> campaign targeting Italy has been detected. <br>The email subject line reads &#8220;RE: Purchase order-12034428 HANG TAG ARTWORK&#8221;; the attachment contains an <strong>xlsx<\/strong> file that, when opened, contacts a domain from which it downloads a <strong>LokiBot<\/strong> sample in exe format.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/Immagine.png\" alt=\"Immagine\" class=\"wp-image-2980\" width=\"588\" height=\"482\" loading=\"lazy\" \/><figcaption>Source: <a href=\"https:\/\/twitter.com\/JAMESWT_MHT\/status\/1419546903239348226\/photo\/1\">JAMESWT (@JAMESWT_MHT) \/ Twitter<\/a> <\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The <strong>dropper<\/strong> xlsx exploits <strong>CVE-2017-11882<\/strong> (<a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a>), which permits arbitrary code execution. 
In this instance, the Microsoft Equation Editor process (EQNEDT32.EXE) is leveraged to contact <strong>http:\/\/weddingstory[.]gr\/linto\/vulinko[.]exe<\/strong>, download the <strong>LokiBot<\/strong> sample to &#8220;\\AppData\\Roaming\\gtyhyz.exe&#8221;, and execute it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/image-20-1024x643.png\" alt=\"\" class=\"wp-image-2977\" width=\"586\" height=\"368\" loading=\"lazy\" \/><figcaption>Source: <a href=\"https:\/\/app.any.run\/tasks\/d70d7aa3-40ba-4cae-913c-2d608dd611c2\/\">PTTXSAMPLEXANDXPO.xlsx (MD5: A4025253BAA6223DD98E753812AC621C) &#8211; Interactive analysis &#8211; ANY.RUN<\/a> <\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The malware is an <strong>infostealer and RAT<\/strong> capable of harvesting user credentials and establishing a <strong>backdoor<\/strong> to permit the attacker to deploy additional malicious payloads. 
<br>For instance, it exfiltrates credentials stored in browsers: AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\qldyz51w.default\\pkcs11.txt.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This information is subsequently transmitted to the Command and Control (C2) server, identified as <strong>lushbb[.]xyz<\/strong> at IP address <strong>104[.]21[.]51[.]229<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Static Analysis<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">xlsx file<\/h3>\n\n\n\n<h5 class=\"wp-block-heading\">Tag<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\"><mark><span style=\"color:#ffffff\" class=\"tadv-color\"><span style=\"background-color:#e91e63\" class=\"tadv-background-color\">Dropper<\/span><\/span><\/mark><\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Details<\/h5>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"\"><tbody><tr><td><strong>md5<\/strong><\/td><td>A4025253BAA6223DD98E753812AC621C<\/td><\/tr><tr><td><strong>sha1<\/strong><\/td><td>01E842B2443B1ACD25D6D65595C4D3F9339654D9<\/td><\/tr><tr><td><strong>sha256<\/strong><\/td><td>DA3F3359E2448D36BDD8B0EBDF074FB608F8BE4FC9D996FAEAD58E6B6D819E67<\/td><\/tr><tr><td><strong>file-size<\/strong><\/td><td>768 644 (bytes)<\/td><\/tr><tr><td><strong>entropy<\/strong><\/td><td>7.998<\/td><\/tr><tr><td><strong>VirusTotal<\/strong><\/td><td>score 29\/62<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h5 class=\"wp-block-heading\">Description<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">Email attachment exploiting <strong>CVE-2017-11882<\/strong> to download and execute the LokiBot sample.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">vulinko.exe<\/h3>\n\n\n\n<h5 class=\"wp-block-heading\">Tag<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"color:#ffffff\" class=\"tadv-color\"><span style=\"background-color:#e91e63\" class=\"tadv-background-color\">LokiBot<\/span><\/span><\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Details<\/h5>\n\n\n\n<figure 
class=\"wp-block-table is-style-stripes\"><table class=\"\"><tbody><tr><td><strong>md5<\/strong><\/td><td>A4025253BAA6223DD98E753812AC621C<\/td><\/tr><tr><td><strong>sha1<\/strong><\/td><td>01E842B2443B1ACD25D6D65595C4D3F9339654D9<\/td><\/tr><tr><td><strong>sha256<\/strong><\/td><td>DA3F3359E2448D36BDD8B0EBDF074FB608F8BE4FC9D996FAEAD58E6B6D819E67<\/td><\/tr><tr><td><strong>file-size<\/strong><\/td><td>768 644 (bytes)<\/td><\/tr><tr><td><strong>entropy<\/strong><\/td><td>7.998<\/td><\/tr><tr><td><strong>imphash<\/strong><\/td><td>2BD8836AD04E575E33CBFFF8CBA9F900<\/td><\/tr><tr><td><strong>VirusTotal<\/strong><\/td><td>score 28\/70<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Description<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>LokiBot<\/strong> sample performing data exfiltration and communicating with the C2 server at address <strong>104[.]21[.]51[.]229<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IOCs<\/h2>\n\n\n\n<h5 class=\"wp-block-heading\">PTTXSAMPLEXANDXPO.xlsx<\/h5>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>SHA256<\/strong> DA3F3359E2448D36BDD8B0EBDF074FB608F8BE4FC9D996FAEAD58E6B6D819E67<\/li><li><strong>SHA1<\/strong> 01E842B2443B1ACD25D6D65595C4D3F9339654D9<\/li><li><strong>MD5<\/strong> A4025253BAA6223DD98E753812AC621C<\/li><\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">Downloaded Executable (LokiBot)<\/h5>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>SHA256<\/strong> 3353C2EA708D348C56FACAAB5C7AEBB5A2EC6C820D076D25DC41F30FAC712F6D<\/li><\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">Network Activity<\/h5>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Dropper<\/strong><ul><li>weddingstory[.]gr<\/li><li>51[.]15[.]17[.]195<\/li><\/ul><\/li><li><strong>C2<\/strong><ul><li>lushbb[.]xyz<\/li><li>104[.]21[.]51[.]229<\/li><\/ul><\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Phishing campaigns leveraging 
CVE-2017-11882 through Office documents remain a persistent delivery vector for infostealer malware; defenders must maintain vigilance against email-borne threats employing equation editor exploitation and implement application whitelisting to restrict arbitrary code execution.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>LokiBot campaign update: lure templates, payload delivery patterns, info-stealer capabilities and indicators across the latest waves observed in July 2021.<\/p>\n","protected":false},"author":1,"featured_media":2980,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3094,3212,205,3240],"class_list":["post-2970","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-credential-theft","tag-information-stealer","tag-lokibot","tag-malspam-campaign"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2970","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2970"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2970\/revisions"}],"predecessor-version":[{"id":9885,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2970\/revisions\/9885"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2970"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2970"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2970"}],"curies
":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}