A new malspam campaign targeting a large U.S. manufacturing company has recently been observed. The campaign distributed the infamous LokiBot trojan, which is capable of stealing sensitive information.
How did the attack occur?
Discovered by researchers from Fortinet, the campaign involved attackers sending a spam email to the sales department of the organization.
What are the capabilities?
Once the target unzipped the attached archive, the system was infected with the LokiBot trojan. After compromising a victim’s computer, LokiBot harvested a variety of sensitive information and sent it to its operator’s C2 server in an HTTP POST request.
"LokiBot steals a variety of credentials – primarily FTP credentials, stored email passwords, passwords stored in the browser, as well as a whole host of other credentials," added the researchers.
On closer inspection, the researchers found that a particular IP address had been used twice before this malspam campaign, in attacks that occurred in June and affected the customers of a large German bakery.
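Two defender-side checks follow from the report above: LokiBot exfiltrates harvested credentials in an HTTP POST to its C2, and the same C2 IP surfaced across the June bakery attacks and this campaign. The script below is an added example, not code from the article or from Fortinet; the proxy log lines, campaign names and IP addresses (documentation ranges) are all constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the article): timestamp, source host, method, URL, bytes out.
SAMPLE_PROXY_LOG = """\
2019-08-01T10:02:11Z ws-sales-07 GET http://www.example.com/index.html 312
2019-08-01T10:03:40Z ws-sales-07 POST http://198.51.100.23/upload.php 2048
2019-08-01T10:05:02Z ws-hr-02 POST https://mail.example.com/owa/ 540
2019-08-01T10:06:15Z ws-sales-07 POST http://198.51.100.23/upload.php 1910
"""

# Constructed campaign records (placeholder names and IPs): campaign -> set of C2 IPs observed.
CAMPAIGNS = {
    "june-bakery-wave-1": {"198.51.100.23", "203.0.113.9"},
    "june-bakery-wave-2": {"198.51.100.23"},
    "aug-manufacturing": {"198.51.100.23", "203.0.113.77"},
}

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def suspicious_posts(log_text, known_c2=frozenset()):
    """Return (source_host, dest_host, bytes_out) for HTTP POSTs worth triage.

    LokiBot-style exfiltration is an HTTP POST to the C2. A POST addressed to a bare
    IP address instead of a DNS name is unusual for ordinary user traffic, and a POST
    to an IP already tied to an earlier campaign is a direct indicator match.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        _ts, src, method, url, nbytes = m.groups()
        host = urlsplit(url).hostname or ""
        if method == "POST" and (host in known_c2 or BARE_IP.match(host)):
            hits.append((src, host, int(nbytes)))
    return hits


def reused_infrastructure(campaigns):
    """Map each C2 IP seen in more than one campaign to the sorted campaigns it appeared in."""
    seen = defaultdict(set)
    for name, ips in campaigns.items():
        for ip in ips:
            seen[ip].add(name)
    return {ip: sorted(names) for ip, names in seen.items() if len(names) > 1}
```

Feeding the IPs returned by reused_infrastructure into suspicious_posts as known_c2 turns the researchers' infrastructure pivot into a retrospective hunt over the organisation's own proxy logs.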