LokiBot makes comeback in malspam campaign targeting US manufacturing company

• The email appeared to come from a potentially compromised ‘trusted’ sender - originating from the IP address 23.83.133.8 - and requested a quotation.
• The attachment came in the form of the #RFQE67Y54.7z file and actually included the LokiBot.

A new malspam campaign targeting a large U.S. manufacturing company has been observed lately. The campaign was used to distribute the infamous LokiBot trojan that is capable of stealing sensitive information.

How did the attack occur?

Discovered by researchers from Fortinet, the campaign involved attackers sending a spam email to the sales department of the organization.

• The email appeared to come from a potentially compromised ‘trusted’ sender - originating from the IP address 23.83.133.8 - and requested a quotation.
• The email has been written in a simple language by a non-native English speaker. In order to create a sense of urgency, it asked the recipient to open the attachment as the sender’s colleague is currently out of the office and to provide further clarification about the matter.
• The attachment came in the form of #RFQE67Y54.7z file which actually contained the LokiBot.

What are the capabilities?

Once the target unzipped the attached archive, the system got infected with LokiBot trojan. When it successfully compromised its victims’ computers, LokiBot harvested a variety of sensitive information and sent it to its operator’s C2 server as part of an HTTP POST request.

"LokiBot steals a variety of credentials – primarily FTP credentials, stored email passwords, passwords stored in the browser, as well as a whole host of other credentials," added the researchers.

Bottom line

Upon a closer look, researchers uncovered that a particular IP address appears to have been used twice prior to this malspam campaign. It is linked to the attacks that occurred in June. The attack had affected the customers of a large German Bakery.