A tweet last week by @malwareunicorn reminded me I haven't searched out any Loki-Bot malspam in a while.
Loki-Bot (also spelled "Loki Bot" or "LokiBot") is an information stealer that sends login credentials and other sensitive data from an infected Windows host to a server established for each malware sample. It's commonly distributed through malicious spam (malspam), and I usually run across samples of Loki-Bot every day. More information can be found in a SANS Reading Room paper written by Rob Pantazopoulos here.
I've already written two ISC diaries on Loki-Bot since October 2017 (here and here). Today's diary is a reminder that Loki-Bot is very much alive and actively distributed through malspam on a daily basis. You'll frequently find tweets tagged #Lokibot on Twitter.
I often find examples of Loki-Bot malspam through VirusTotal Intelligence. A quick search revealed one such email in the early hours of Monday 2018-06-11 (UTC time). It was heavily sanitized, so there's little information other than the date, sender, subject line, and attachment.
The email has an RTF attachment disguised as a Word document. When opened with a vulnerable version of Microsoft Office, an exploit for CVE-2017-11882 will download and install Loki-Bot malware on a vulnerable Windows host. In this case, a request for the Loki-Bot executable was done over HTTPS. Approximately two minutes later, the infected Windows host began generating post-infection HTTP traffic associated with Loki-Bot.
Indicators are not the same as a block list. If you need to block the associated web traffic, block anything going to these two domains:
Information from the malicious spam:
Traffic from an infected Windows host:
As usual, properly-administered and up-to-date Windows hosts are not likely to get infected. System administrators and the technically inclined can also implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.
Pcap and malware samples for today's diary can be found here.
Jun 11th 2018
6 months ago
And just for fun, I looked them up (today as in 6/12) in WebSense/ForcePoint, both websites showed up in the "Newly Registered" category.
Jun 12th 2018
6 months ago