Severity

Medium

Analysis Summary

A recently discovered email campaign distributing the Lokibot malware via an .XLS attachment. A potential victim receives an email with a subject of “BBVA-Confirming transferencia de pago translated as BBVA-Confirming payment transfer”. The sender was observed as “BBVA Banco Continental pago1[@]expomaquinaria[.]es”. Within the body of the email, the adversary attempts to entice a user to open the attachment “Detalles de la transferencia de pago.xls ” to review the transfer. The infection process begins once the .XLS attachment is opened, ultimately leading to the Lokibot malware being installed on the victim’s system. It reportedly abuses the NGROK service to establish a secure tunnel, and download the malware from the cloud. This technique makes detecting the malware extremely difficult.

Indicators of Compromise

IP(s) / Hostname(s)

• 3[.]19[.]114[.]185
• 185[.]55[.]225[.]242

URLs

• http[:]//vbtz[.]cf/BOSCO/five/fre[.]php
• http[:]//khialimiab[.]ir/wp-includes/lolo/fre[.]php
• http[:]//treatascholars[.]com/wp-includes/danc/fre[.]php
• http[:]//8d2aef60[.]ngrok[.]io/boom/Banco%20Sabadell%20Prueba%20De%20Pago[.]exe
• http[:]//8d2aef60[.]ngrok[.]io/Both/lotta[.]exe
• http[:]//8d2aef60[.]ngrok[.]io/Both/taco[.]exe
• http[:]//8d2aef60[.]ngrok[.]io/mine/gutty[.]exe
• http[:]//8d2aef60[.]ngrok[.]io/Both/lotta[.]exe
• http[:]//khialimiab[.]ir/wp-includes/lolo/fre[.]php
• 8d2aef60[.]ngrok[.]io
• khialimiab[.]ir

Email Address

pago1@expomaquinaria.es

Email Subject

BBVA-Confirming transferencia de pago

Malware Hash (MD5/SHA1/SH256)

• 28f4be749eb30837ae4528af7350e9528d728e52a63f178ed9cff9f367383a6d
• 38e5b46c9fc0676d210eb6f5bac809ebc90ac8d421213dbc1dd67d61358edb73
• ef9e761e57bb2cec574b3d4e8804eeb878f55f42
• ca02a3030dd507a0e29527f84448aed6

Remediation

• Block all threat indicators at your respective controls
• Always be suspicious about emails sent by unknown senders
• Never click on link/attachments sent by unknown senders