April 18, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – New Mirai Variant Uses Multiple Exploits to Target Routers and Other Devices
May 29, 2019Rewterz Threat Alert – MySQL Servers Subjected to GandCrab Attack
May 31, 2019Rewterz Threat Alert – New Mirai Variant Uses Multiple Exploits to Target Routers and Other Devices
May 29, 2019Rewterz Threat Alert – MySQL Servers Subjected to GandCrab Attack
May 31, 2019
Severity
Medium
Analysis Summary
A recently discovered email campaign distributing the Lokibot malware via an .XLS attachment. A potential victim receives an email with a subject of “BBVA-Confirming transferencia de pago translated as BBVA-Confirming payment transfer”. The sender was observed as “BBVA Banco Continental pago1[@]expomaquinaria[.]es”. Within the body of the email, the adversary attempts to entice a user to open the attachment “Detalles de la transferencia de pago.xls ” to review the transfer. The infection process begins once the .XLS attachment is opened, ultimately leading to the Lokibot malware being installed on the victim’s system. It reportedly abuses the NGROK service to establish a secure tunnel, and download the malware from the cloud. This technique makes detecting the malware extremely difficult.
Indicators of Compromise
IP(s) / Hostname(s)
- 3[.]19[.]114[.]185
- 185[.]55[.]225[.]242
URLs
- http[:]//vbtz[.]cf/BOSCO/five/fre[.]php
- http[:]//khialimiab[.]ir/wp-includes/lolo/fre[.]php
- http[:]//treatascholars[.]com/wp-includes/danc/fre[.]php
- http[:]//8d2aef60[.]ngrok[.]io/boom/Banco%20Sabadell%20Prueba%20De%20Pago[.]exe
- http[:]//8d2aef60[.]ngrok[.]io/Both/lotta[.]exe
- http[:]//8d2aef60[.]ngrok[.]io/Both/taco[.]exe
- http[:]//8d2aef60[.]ngrok[.]io/mine/gutty[.]exe
- http[:]//8d2aef60[.]ngrok[.]io/Both/lotta[.]exe
- http[:]//khialimiab[.]ir/wp-includes/lolo/fre[.]php
- 8d2aef60[.]ngrok[.]io
- khialimiab[.]ir
Email Address
pago1@expomaquinaria.es
Email Subject
BBVA-Confirming transferencia de pago
Malware Hash (MD5/SHA1/SH256)
- 28f4be749eb30837ae4528af7350e9528d728e52a63f178ed9cff9f367383a6d
- 38e5b46c9fc0676d210eb6f5bac809ebc90ac8d421213dbc1dd67d61358edb73
- ef9e761e57bb2cec574b3d4e8804eeb878f55f42
- ca02a3030dd507a0e29527f84448aed6
Remediation
- Block all threat indicators at your respective controls
- Always be suspicious about emails sent by unknown senders
- Never click on link/attachments sent by unknown senders
