Another day, and another piece of malware has been found taking advantage of fear around the COVID-19 (coronavirus) epidemic. This time the malware is a password- and information-stealing threat known as Lokibot, spreading via spear-phishing emails. The attackers behind this campaign were found using real images and trademarks of the World Health Organization (WHO) to appear legitimate and fool unsuspecting users. The campaign started around March 27 and is still ongoing (through the beginning of April 2020).
Infection Vector of Lokibot Spear-phishing campaign
The attackers were seen sending COVID-19/coronavirus-themed spear-phishing emails to their targets. The emails were sent from 159[.]69[.]16[.]177 and use the World Health Organization (WHO) trademark in an effort to persuade recipients of their authenticity. The subject line is “Coronavirus disease (COVID-19) Important Communication[.]”, and the email carries an attachment named “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC[.]zip[.]arj” that appears to contain further information. The body lists various points about infection control and other advice and guidance, which serves as a lure to keep the recipient reading; the messaging claims to address false information about COVID-19. However, the attached document appears to have been written by a novice English writer, as many grammar, punctuation, and spelling mistakes are found throughout the email. The email also refers to the “Centre for disease control”: the spelling “Centre” does not match the CDC in the United States, which uses the American spelling (Centers for Disease Control and Prevention) and is independent of the WHO. Nor is the CDC located in Switzerland, as the email claims.
The attached file “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC[.]zip[.]arj” is an archive compressed with 7-Zip, a tool for creating highly efficient compressed archives. The thinking behind the .arj extension is probably that employees are trained to be wary of files from unknown senders with common extensions such as .exe or .pdf; .arj is an unfamiliar extension, which increases the chances that users will open it. When a user decompresses the file with 7-Zip, the extracted file is “DOC.pdf.exe” rather than the document that the name “Doc.zip.arj” suggests. The attackers bet that users will not notice the .exe and, out of curiosity, will click on it. Once executed, the victim is infected with Lokibot, an information-stealing malware variant that eventually steals different types of credentials, such as FTP credentials, email passwords, and passwords stored in the browser. The stolen information is then sent to hxxp://bslines[.]xyz/copy/five/fre.php.
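The lure above relies on two name tricks: an archive extension users are not trained on (.zip.arj) and an executable wearing a document extension (DOC.pdf.exe). The following attachment triage check is an added example, not code from the original post or from any vendor; the file names and magic bytes it scans are constructed for the example, and the `triage_attachment` API is hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical mail-gateway attachment triage (example code, not from the post).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "js", "vbs", "bat", "cmd"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "arj", "ace", "lzh", "cab", "iso"}
UNCOMMON_ARCHIVE_EXTS = {"arj", "ace", "lzh"}  # rarely seen in normal business mail

# Leading bytes of the formats relevant here: Windows PE, PDF, ZIP and ARJ.
MAGIC = {b"MZ": "exe", b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\x60\xea": "arj"}


@dataclass
class Verdict:
    filename: str
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def sniff(head: bytes) -> Optional[str]:
    """Identify the real format from the first bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def triage_attachment(filename: str, head: bytes = b"") -> Verdict:
    """Flag double extensions, stacked/uncommon archives and name/content mismatches."""
    verdict = Verdict(filename)
    exts = [e.lower() for e in filename.split(".")[1:]]
    if not exts:
        return verdict
    final = exts[-1]
    inner = exts[-2] if len(exts) >= 2 else None
    # "DOC.pdf.exe": an executable hidden behind a document extension.
    if final in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS:
        verdict.findings.append(f"double extension hides executable: .{inner}.{final}")
    elif final in EXECUTABLE_EXTS:
        verdict.findings.append(f"executable attachment: .{final}")
    # ".zip.arj": stacked archive extensions, in a format users are not trained on.
    if final in ARCHIVE_EXTS and inner in ARCHIVE_EXTS:
        verdict.findings.append(f"stacked archive extensions: .{inner}.{final}")
    if final in UNCOMMON_ARCHIVE_EXTS:
        verdict.findings.append(f"uncommon archive format: .{final}")
    # Content vs. name: a ".pdf" whose bytes start with "MZ" is a PE binary, not a document.
    actual = sniff(head)
    if actual and actual != final and not (actual == "zip" and final in ("docx", "xlsx")):
        verdict.findings.append(f"content is {actual} but name claims .{final}")
    return verdict
```

Run over the constructed sample names, the outer attachment is flagged for its stacked .zip.arj extensions and the extracted DOC.pdf.exe for the hidden executable, while a genuine PDF produces no findings.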
What can be done?
COVID-19 is a very dangerous disease, and it will take a while to contain, but users can stay protected against cyber-attacks that exploit it with proper education and good cyber hygiene. To stay protected against such threats, users and enterprises should keep AV and IPS definitions up to date, enforce a proactive patching routine, and conduct a risk assessment. Organizations should also run training sessions to educate employees about the latest phishing and spear-phishing attacks, and should consider implementing a threat intelligence ingestion system that integrates with the existing security stack (firewalls, Intrusion Detection and Prevention Systems (IDS/IPS), etc.) to strengthen the overall security of the organization.
Attackers continue to use different malware with the same strategy (spam email and social engineering) of taking advantage of the COVID-19 epidemic, and users are still falling for it. This time, Lokibot is exploiting fear of and curiosity about the COVID-19 epidemic to target users around the world. Users need to be more alert and follow adequate security practices to stay protected. Lokibot is probably not going to be the last threat to use the coronavirus epidemic as a lure, and organizations need to be ready for such attacks with adequate security practices and infrastructure.
Indicators of Compromise
COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC[.]zip[.]arj
COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC[.]pdf[.]exe