Rewterz Threat Alert – LokiBot Delivered Through Phishing – IOCs

Severity

Medium

Analysis Summary

LokiBot is trojan-type malware designed to infiltrate systems and collect a wide range of information. Lokibot targets Android and Windows operating systems. It is distributed via spam emails, various private messages (SMS, Skype, etc.), and malicious websites. It is designed to target users. LokiBot gathers saved logins/passwords (mostly in web browsers) and continually tracks users’ activity (for instance, recording keystrokes). Recorded information is immediately saved on a remote server controlled by LokiBot’s developers.

Example of Lokibot phishing email.

Impact

• Credential theft
• Information theft
• Exposure of sensitive data

Indicators of Compromise

URL

• http[:]//modcloudserver[.]eu/frankjoe/five/fre[.]php
• http[:]//sylvaclouds[.]eu/frankjoe/frankjoe[.]exe
• http[:]//198[.]23[.]200[.]239/~boxing/[.]tcsogb/gi’v[.]php/2ksc8CXUyqkJq
• http[:]//stdy3frndgreencreamcostmeticsbabystored[.]duckdns[.]org/gfrnddoc/win32[.]exe
• http[:]//minglejilingolingo[.]sytes[.]net/JIGGS/Panel/five/fre[.]php
• http[:]//themetalofficemeals[.]com[.]pl/hyii/GHCGGH[.]exe
• http[:]//jinglejinglen[.]sytes[.]net/JIGGS/Panel/five/fre[.]php
• https[:]//metalacerogroup[.]xyz/putty/GHCGGH[.]exe
• http[:]//ajatphilipinesinc[.]com/lurd/fre[.]php
• http[:]//corpcougar[.]com/nedu/Panel/five/fre[.]php

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.
• Search for IOC’s in your environment.