Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Last Daily Podcast (Thu, Oct 19th):Baselining Servers;

Latest Diaries

HSBC-themed malspam uses ISO attachments to push Loki Bot malware

Published: 2017-10-19
Last Updated: 2017-10-19 01:01:31 UTC
by Brad Duncan (Version: 1)
0 comment(s)


ISO files are a format used for optical disk images like CD-ROMs or DVDs.  Criminals sometimes use ISO files as attachments in malicious spam (malspam) to distribute malware.  Here and here are two recent examples.  On Wednesday 2017-10-18, I came across HSBC-themed malspam using this technique to distribute Loki Bot, an information stealer.

The malspam was easily detected by an enterprise-level security solution, so I'm not sure this technique is more effective than other methods.  However, even if it's ineffective, we should be aware of current mass-distribution methods.  With that in mind, today's diary examines Wednesday's Loki Bot malspam.

Shown above:  Flow chart for today's infection.

The emails

I found eight emails in this wave of malspam.  They all had the same subject line, spoofed sending address, message text, and email attachment.  These emails all came from, a Netherlands-based IP address registered to a hosting provider named  The domain is legitimate and hosted on a different IP registered to HSBC, so it's being spoofed in the email headers.

Shown above:  Some emails from this wave of malspam on Wednesday 2017-10-18.

Shown above:  Screen shot from one of the emails.

The attachment

The attachment was an ISO file, which I copied to a Windows 10 host in my lab.  Double-clicking the ISO file revealed a Windows executable file.  Victims who receive this file from email would likely see a warning if they try to open it.  The Windows executable was Loki Bot malware.  Double-clicking the executable infected my Windows 10 host.

Shown above:  The ISO file on a Windows 10 desktop.

Shown above:  Windows executable file extracted from the ISO.

Network traffic

Post-infection traffic consisted of a single HTTP POST request continually repeated from the infected host.  The User-Agent string and other characteristics are somewhat unusual and easily identifiable.

Shown above:  Traffic from an infection filtered in Wireshark.

Shown above:  One of the HTTP POST requests from an infected host.

Shown above:  Alerts seen using the Snort subscriber ruleset on Snort 2.9.11.

Shown above:  Alerts seen using the Emerging Threats (ET) pro ruleset on Security Onion running Suricata.

Post-infection forensics

The infected host had artifacts commonly associated with Loki Bot, such as a Windows registry key using non-ASCII characters.  The malware moved itself to a hidden folder under the user's AppData\Roaming directory to become persistent.

Shown above:  Windows registry update and the associated malware.


Email information:

  • Date/Time:  Wednesday, 2017-10-18 as early as 05:50 UTC through at least 13:30 UTC
  • Received (domain spoofed):  from ([])
  • From (spoofed):
  • Subject:  HSBC Payment Advice
  • Attachment name:  HSBC Payment Document.iso

Associated malware:

SHA256 hash:  1bff70977da707d4e1346cc11bccd13f3fc535aeeb27c789c2811548c6b7793a

  • File size:  512,000 bytes
  • File name:  HSBC Payment Document.iso
  • File description:  Email attachment - ISO file

SHA256 hash:  9022ed5070226c516c38f612db221d9f73324bb61cd4c4dc5269662c34e7a910

  • File size:  450,560 bytes
  • File name:  HSBC Payment Document.exe
  • File description:  Loki Bot executable extracted from ISO file
  • Post-infection location:  C:\Users\[username]\AppData\Roaming\B06669\996ACC.exe

Post-infection traffic:

  • port 80 - - POST /ask/five/fre.php

Final words

As mentioned earlier, I don't find this malspam any more effective than other wide-scale email-based attacks.  Potential victims still must click through a warning to get infected.  And as always, it's relatively easy to follow best security practices on your Windows computer.  Software Restriction Policies (SRP) or AppLocker can easily prevent these types of malspam-based infections from occurring.

Still, we should keep an eye on our spam filters.  These blocked emails contain a variety of information on active criminal groups using mass-distribution techniques.

Pcap and malware for today's diary can be found here.

Brad Duncan
brad [at]

Keywords: lokibot malspam
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Baselining Servers to Detect Outliers
Oct 18th 2017
1 day ago by Renato (0 comments)

Hancitor malspam uses DDE attack
Oct 17th 2017
2 days ago by Brad (0 comments)

WPA2 "KRACK" Attack
Oct 16th 2017
2 days ago by Johannes (17 comments)

It's in the signature.
Oct 16th 2017
3 days ago by DidierStevens (1 comment)

Peeking into .msg files
Oct 15th 2017
4 days ago by DidierStevens (4 comments)

Version control tools aren't only for Developers
Oct 12th 2017
1 week ago by Xme (5 comments)

View All Diaries →

Latest Discussions

Suggestions needed with industrial networking
created Oct 18th 2017
1 day ago by Anonymous (0 replies)

What's the goal?
created Oct 16th 2017
3 days ago by R (0 replies)

Configure Dshield Sensor honeypot to allow http through port 80?
created Oct 13th 2017
5 days ago by mrtexasfreedom (0 replies)

Live Malware hosting site (research)
created Oct 6th 2017
1 week ago by Anonymous (0 replies)

CVE-2017-5638 probe
created Oct 5th 2017
2 weeks ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
3 months ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
2 months ago by Johannes (12 comments)

Maldoc with auto-updated link
Aug 17th 2017
2 months ago by Xme (2 comments)

OAUTH phishing against Google Docs ? beware!
May 3rd 2017
5 months ago by Bojan (6 comments)

Microsoft Patch Tuesday August 2017
Aug 8th 2017
2 months ago by Johannes (6 comments)