Lokibot Malware Disguised as Phishing E-mail Requesting for Estimate

ASEC analysis team has discovered the distribution of Lokibot malware disguised as an estimate request e-mail. Lokibot malware has been distributed continually over several years, and a closer look at the weekly malware statistics uploaded to the ASEC blog reveals the fact that Lokibot consistently remained high on the weekly statistics list.

The recently-discovered Lokibot malware is being distributed as an attachment file within the phishing mail, and its notable characteristic is the CAB/LZH archive file format.

The e-mail is very basic in what it delivers, but the name of the companies including the sender of the e-mail is real, therefore the people working in the related industry may open the attachment file without a second thought.

The behavior it exhibits upon its download and execution is not that much different from the known info-stealer type malware. It self-replicates the file, adds it to the scheduler (schtasks.exe), steals web browser and FTP account info along with settings file, and sends them to C2. All these are a typical info-stealer behavior.

Figure 1. Result of analysis by AhnLab malware auto-analysis infrastructure (RAPIT) (1)
Figure 2. Result of analysis by AhnLab malware auto-analysis infrastructure (RAPIT) (2)

The team executed the malware in RAPIT system and confirmed its attempt to steal settings information of the FTP program and the account information of the web browser.

Seeing how the malware is being distributed via social engineering technique shown above, users must take extra caution when dealing with attachment e-mails. Also, users must refrain from running attachment files that take a form of an executable file even if they are related to their task, and put in effort update the anti-malware software to the latest version and maintain it.

Users can set V3 to detect compressed files from the scan option so that it can detect malware compressed into CAB/LZH archive files.

V3 detects and blocks the above malware using the aliases below:

[File Detection]

  • Infostealer/Win.Generic.R415653
  • Malware/Win.Generic.C4415523

[Relevant IOC info]

  • C2: hxxp://104.168.140[.]79/ghost/fre.php
  • Hash: bebf9fe03f112b3d56973f0dd4701848
5 1 vote
Article Rating
Inline Feedbacks
View all comments