I've frequently seen malicious spam pushing Lokibot (also spelled "Loki-Bot") since 2017. This year, I've written diaries about it in February 2018 and June 2018. I most recently posted an example to my blog on 2018-11-26. This type of malicious spam shows no signs of stopping, so here's a quick diary covering an example from Monday 2018-12-03.
Templates for malicious spam pushing Lokibot vary, and the example from Monday 2018-12-03 was disguised as a purchase quotation. The email contained an Excel spreadsheet with a macro designed to infect vulnerable Windows hosts with Lokibot malware. Potential victims need to click through warnings, so this is not an especially stealthy method of infection.
A macro from the Excel spreadsheet retrieved Lokibot malware using HTTPS from a URL at a.doko[.]moe. I used Fiddler to monitor the HTTPS traffic and determine the URL. The HTTPS request to a.doko[.]moe had no User-Agent string. If you use curl to retrieve the binary, you must use the -H option to exclude the User-Agent line from your HTTPS request.
Forensics on the infected host
The infected Windows host made Lokibot persistent through a Windows registry update. This registry update was quite similar to previous Lokibot infections I've generated in my lab environment. In this example, the infected host also had a VBS file in the Windows menu Startup folder. This pointed to another copy of the Lokibot malware executable; however, that executable had deleted itself during the infection. The only existing Lokibot executable was in the directory path listed in the associated Windows registry entry.
The following are indicators from an infected Windows host. Any URLs, IP addresses, and domain names have been "de-fanged" to avoid any issues when viewing today's diary.
Traffic from an infected windows host:
Malware from an infected windows host:
Email, pcap, and malware for the infection can be found here.
Dec 4th 2018
5 days ago