Kevin Stear

Malspam Delivers Lokibot 6-21-2017

Blog Post created by Kevin Stear Employee on Jun 22, 2017

Malspam campaign activity was noted yesterday, June 22nd, 2017, and was delivering Lokibot.  Malicious attachment "Quotation.doc" (probably generated by AKbuilder) was noted in sample attachments, which attempts to exploit CVE-2012-0158 and then download its payload from nioustech[.]com, hosted on 143[.]95[.]230[.]12.


lokibot delivery


lokibot delivery


Lokibot is a commodity info-stealer that creates a registry entry and then attempts to steal credentials (e.g., ssh, ftp, email, browser, etc) and even log keystrokes.  In the case that infection occurs, exfil has been observed out to [RANDOM URL]/fre.php.  


'What's This File' (WTF) analysis of our lokibot payload reveals some oddities from static analysis, including a number of blank file property fields (as shown below) and indication that this is a recently compiled file.                       


WTF lokibot


As far as NetWitness packet detection, Lokibot  exhibits several generically inherently malicious file characteristics, which are flagged in the NetWitness 10.6.3 screenshot below.


lokibot nw detection


Readers may want to also reference recent FirstWatch work on Dyzap, which is commonly observed in the same or related campaigns.