Newly Discovered Infostealer Attack Uses LokiBot

The FortiGuard Labs SE team identified a new malicious spam campaign on August 21^st,, which we discovered after an analysis of information initially found on VirusTotal. It targeted a large US manufacturing company utilizing the well documented infostealer LokiBot. Interestingly enough, this also has a compilation date of August 21^st, which is the same day we discovered the malspam campaign.

Campaign Details

The campaign consists of a spam email that had been sent to the sales email address of the recipients, possibly from a compromised trusted sender, originating from the IP address of [23.83.133.8]. 

The spam email is simple in appearance, and contains simple language that appears to be written by a non-native English speaker that states, “Please see ‘attache’”, which appears to be an “RFQ” or a “request for quotation.” The spam email then encourages the user to open the attachment as the senders’ colleague is currently out of office, and at the same time offers the potential victim some assurance that he/she can provide further clarification of the contents within the document if needed.

However, unbeknownst to the user, the #RFQE67Y54.7z file [SHA256: 176C61B6220854995AF271F3BA82BBD7960AACC20E070A3476D8FBAC5AB0C2D8 – detected as: Malicious_Behavior.SB] is not a request for quotation, and once unzipped, it is the infamous infostealer found on various underground forums, LokiBot. [SHA256: 691c65e4fb1d19f82465df1d34ad51aaeceba14a78167262dc7b2840a6a6aa87 - detected as: W32/Windigo.ABV]

Shared Space – Previous attacks and possible spam relay?

Digging a little further by investigating the IP address [23.83.133.8], it appears that this IP is registered to LeaseWeb USA, Inc. a webhosting provider in Phoenix, Arizona. During our investigation, we did not find any significant activity behind this IP address, and historical archives in VirusTotal and our data show that attacks originating from this IP address are new, seen most recently within the past two months.

This particular IP address appears to have been used twice before in malicious spam attacks that occurred several months earlier, in June, attacking a large German Bakery in a malicious spam attack trying to lure a victim into downloading an electronic invoice.

Although the German Bakery attack email was in Chinese, as was the attachment – which was an RTF file which referenced a potentially compromised URL (deepaklab[.]com), that likely contained the malicious payload – the URL has been cleaned up and no longer serves up any content that we can analyze. It can be assumed that this may be another delivery mechanism for LokiBot, as it has been documented in the past utilizing RTF distribution vectors. But again, we are unable to draw any conclusions due to the lack of information available at the time of publication. Analyzing further insight from our own telemetry, we were able to observe a rather large spike in visits, specifically on the date of June 17, which correlates with the time stamp of this suspicious campaign, as well as telemetry from German visitors.

To connect the dots – this is interesting, because the German attack is consistent with our own telemetry – the United States, Germany, and Japan rounded off the top three countries targeted by LokiBot, with the United States at 56%, Germany with 22%, and Japan at >1%, respectively. We also observed a large spike starting on June 17^th for the German Baker attack, and again on August 21^st for the U.S. semiconductor distributor – which is the same time we came across this newly identified campaign, further confirming our observations.

Because of the differences in emails (both in language and attack template), and because we couldn’t identify the payload being served in the June attack, we can only assume that this IP address is a newly identified spam relay that may either be used indiscriminately or in targeted attacks with LokiBot or some other unidentified malware. Because of the low volume identified, it appears that this IP address may be under the control of one group, and possibly only being used for very targeted attacks. However, we can only assume this – time will provide a better historical snapshot of campaigns using this IP address.

Finally, one loose connection observed from this IP address through historical DNS records was that in the past the Chinese site ccltyo.com, which appears to be some clickspam website, was hosted on this [23.83.133.8] IP address back in June of 2013. Although this domain exhibits some suspicious behavior, as well as utilizing dynamic DNS similar to campaigns we’ve seen in the past for various threat actors, especially in China, there is not a smoking gun from OSINT or our own telemetry that can correlate this latest campaign to a specific threat actor group.

Attack Description

The attack is pretty straightforward. The LokiBot sample [SHA256: 691c65e4fb1d19f82465df1d34ad51aaeceba14a78167262dc7b2840a6a6aa87] has a file size of 286 KB and was recently compiled on Aug 21, which is coincidentally the same date as when the malicious spam was sent. The file is curiously named Dora Explorer Games, which is in reference to the children’s’ TV heroine from the show “Dora The Explorer”; however, we don’t know if this file info was put in there as a distraction or for reasons unknown to us, as it doesn’t make sense to have such a file name targeting a military and government-based contractor. 

Of course, the file is not a game, but is the infamous LokiBot infostealer, which is one of the most popular infostealers in recent memory due to its ease of use and effectiveness. LokiBot steals a variety of credentials – primarily FTP credentials, stored email passwords, passwords stored in the browser, as well as a whole host of other credentials. LokiBot is distributed in various forms, and has been seen in the past being distributed in zipped files along with malicious macros in Microsoft Word and Excel, or leveraging the exploit CVE-2017-11882 (Office Equation Editor) via malicious RTF files, which is similar to the attack example above that targeted the German bakery (however, minus the use of a known exploit.)

As LokiBot is already well documented and covered in various blogs, including ones from Fortinet, we will only highlight the unique characteristics observed in this specific sample.

The file creates a directory %appdata%\[6 random hex chars]
    It will then:

            add attribute FILE_ATTRIBUTE_HIDDEN
            add attribute FILE_ATTRIBUTE_SYSTEM
            add attribute FILE_NOT_CONTENT_INDEXED

    copies itself to %appdata%\[6 random hex chars]\[6 different random hex chars]\.exe

             add attribute FILE_ATTRIBUTE_HIDDEN
             add attribute FILE_ATTRIBUTE_SYSTEM
             add attribute FILE_NOT_CONTENT_INDEXED

create mutex: 2B1733F511B2DFE5171B9AA1

Once these changes are made, it then deletes itself.

Ultimately, it will connect via POST:
             hxxp://palikyu.ml/alpha/fre.php
             104.31.95.221 (aug 22, 2019 CloudFare Inc.)

Palikyu.ml and Palikyu.tk

Another interesting behavior to note is that the domain contacts Palikyu.ml – specifically, hxxp://palikyu.ml/alpha/fre.php (104.31.95.221). The TLD for ML is Mali, and the domain is registered using the POINT ML (via partnership with Freenom) registrar, which offers free domains and free anonymous registrations. To make matters worse, attribution is difficult because the domain (and IP address) are hosted using CloudFare, which anonymizes the originating IP address. Which means we don’t even know where the site is hosted, nor can we begin the attribution process to link it to previous campaigns.  Unfortunately, the attacker has stuck to effectively hiding their origins using OPSEC practices that have allowed them to remain anonymous. We tried several known techniques to expose any mistakes that would lead us to identifying the possible attacker behind this domain, to no avail. Only a law enforcement court order or insider tip could effectively provide further information.  

Furthermore, we also observed an additional domain, palikyu.tk, which was also registered with FreeNom. A DIG on the domain revealed that either an IP address has not yet been assigned, or a record for this domain does not exist, suggesting that the attacker is reserving the palikyu.tk variant for another use currently unknown to us. It appears that FreeNom does not reveal the registration dates of domains, so additional identifying information is not available to correlate when these domains were registered. We can only surmise that these two are related as they are the only two domains in existence with the string “palkiyu” in it. Another final observation noted was that this particular sample did not use any steganography as past variants were seen doing. 

Technical Details

#RFQE67Y54.7z (detected as: Malicious_Behavior.SB)

• Size: 239849 bytes
• MD5: 25e40e305dcf16f0da3b3656d9702fc7
• SHA256: 176C61B6220854995AF271F3BA82BBD7960AACC20E070A3476D8FBAC5AB0C2D8
• Date First Seen:  2019-08-21 13:12:11
• Malicious Spam Attachment

#RFQE67Y54.exe (detected as: W32/Windigo.ABV)

• Size: 292864 bytes
• MD5: c0ea9e012f42d48a75daa80cc4c72004
• SHA256: 691c65e4fb1d19f82465df1d34ad51aaeceba14a78167262dc7b2840a6a6aa87
• Date of Compilation:2019-08-21 12:37:37
• LokiBot attached within 7z file
• Contacts Palikyu.ml (blacklisted by WF client)

ATT&CK TTP Summary

Initial Access

T1193: Spearphishing Attachment
RFQE67Y54.7z file
SHA256:176C61B6220854995AF271F3BA82BBD7960AACC20E070A3476D8FBAC5AB0C2D8

Execution 

T1204: User Execution - File is unzipped and executed by user via deception (LokiBot)

Defense Evasion

T1107: File Deletion - deletes original file after infection
T1158: Hidden Files and Directories - creates custom directory %appdata%\[6 random hex chars] with the following attributes

• FILE_ATTRIBUTE_HIDDEN
• FILE_ATTRIBUTE_SYSTEM
• FILE_NOT_CONTENT_INDEXED

+ moves self to %appdata%\[6 random hex chars]\[6 different random hex chars].exe with the following attributes:

• FILE_ATTRIBUTE_HIDDEN
• FILE_ATTRIBUTE_SYSTEM
• FILE_NOT_CONTENT_INDEXED

T1045: Software Packing - threat comes packed/encrypted

Credentials Access

T1003: Credential Dumping
Windows Credential Vault
T1081: Credentials in Files
Threat tries to steal credentials from various software programs
T1214: Credentials in Registry
Threat tries to steal credentials from various software programs

Collection

T1005: Data from Local System
Threat tries to steal credentials from various software programs

Exfiltration

T1002: Data Compressed
Threat compresses stolen data before sending it over to URL

Command and Control

T1043: Commonly Used Port
Threat uses port 80 for communications (hxxp://palikyu.ml/alpha/fre.php)
T1071: Standard Application Layer Protocol
Threat uses standard HTTP over port 80 (hxxp://palikyu.ml/alpha/fre.php)

Known Defenses and Mitigations

Initial Access: FortiMail or other mail solutions can be used to block specific file types. FortiMail can also be configured to send attachments to our FortiSandbox solution (ATP), either on premises or in the cloud, to determine if a file displays malicious behavior. FortiGate firewalls with Anti-Virus enabled alongside a valid subscription will detect and block this threat if configured to do so.

Execution: User Awareness Training – Since it has been reported that this threat has been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization are made aware of various types of attacks delivered via social engineering. This can be accomplished through regularly-occurring training sessions and impromptu tests using predetermined templates by internal security departments within an organization. Simple user awareness training on how to spot emails with malicious attachments or links could stop the initial access into the network.  If user awareness training fails and the user opens the attachment or link, FortiClient running with the latest up-to-date virus signatures will detect and block this file and associated files. The file(s) in this attack are currently being detected as:

W32/Windigo.ABV
Malicious_Behavior.SB

Exfiltration & C&C: A FortiGate located at each of your ingress and egress points with its Web Filtering service enabled with up-to-date definitions, and or Botnet Security enabled will detect and block any observable outbound connections if configured correctly.

It is important to note that as attacks continue to become more sophisticated they can sometimes circumvent your security defenses for a number of reasons. This is why it is important to ensure you also have the ability to detect anomalous activity that could be malicious.

Lastly, our Enterprise Bundle will address this attack as well as others.  Our Enterprise Bundle consolidates all the cyber security services you need to protect and defend against all cyberattack channels, from the endpoint to the cloud, including IoT devices, providing you with the integrated defense you need to tackle today’s advanced threats and address today's challenging risk, compliance, management, visibility, and Operational Security (OT) concerns.

All network IOC’s in this report are blacklisted by the FortiGuard Web Filtering service. 

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolio. Sign up for our weekly FortiGuard Threat Brief. 

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.