{"id":1141,"date":"2018-06-09T02:41:09","date_gmt":"2018-06-09T01:41:09","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=1141"},"modified":"2018-06-09T02:41:09","modified_gmt":"2018-06-09T01:41:09","slug":"2018-06-08-lokibot-malspam","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=1141","title":{"rendered":"2018-06-08 LokiBot Malspam"},"content":{"rendered":"

For something different today, found some DHL inspired LokiBot malspam in the email filters. LokiBot is considered an information stealer as it looks through the system for any credentials that it can grab. As Brad mentioned in an older SANS ISC blog<\/a> entry, the emails that LokiBot uses vary and does not seem to follow any kind of pattern. The pattern is noticeable when you look at the infection (this will be discussed later). In the meantime, if you are wanting to read a great detailed article\/breakdown on LokiBot, check out this paper from Rob Pantazopoulos<\/a> via the SANS Reading Room. <\/p>\n

Artifacts from this investigation can be found below in my Github repo located here<\/a>.<\/p>\n

\"\"<\/a><\/p>\n

IOCs:
\n=====
\n78.128.6[.]231 \/ kc3nj.loan (POST \/3kc\/xxx\/xxx\/fre.php)
\n3nj.loan (Found in strings of a running process)<\/p>\n

Artifacts:
\n==========
\nFile name: DHL Shipment Delivery Service.ace
\nFile size: 257KB
\nFile path: NA
\nMD5 hash: 36592df9bb484f3c4f7a807acc3afe9a
\nVirustotal: http:\/\/www.virustotal.com\/#\/file\/9bb8c2be2905ef380dc5ba1e7e743f8a1f7da71cd0ed92fa03d544a2e2ba15c7\/detection<\/a>
\nDetection ratio: 19 \/ 60
\nFirst Detected: 2018-06-08 02:31<\/p>\n

File name: DHL Shipment Delivery Service.scr
\nFile size: 550KB
\nFile path: NA
\nMD5 hash: de076b4bd0335f369b87ca08cb404e22
\nVirustotal: NA
\nAny.Run: http:\/\/app.any.run\/tasks\/415afce9-eb5a-4cd9-830c-16859dab941b<\/a> (Failed to execute)<\/p>\n

File name: 3B859C.exe
\nFile size: 550KB
\nFile path: C:\\Users\\%username%\\AppData\\Roaming\\ABE9E3
\nMD5 hash: de076b4bd0335f369b87ca08cb404e22
\nVirustotal: NA
\nAny.Run: http:\/\/app.any.run\/tasks\/098c3a17-d165-4f9a-9419-61b1485c4f92<\/a><\/p>\n

File name: 3B859C.hdb
\nFile size: 4B
\nFile path: C:\\Users\\%username%\\AppData\\Roaming\\ABE9E3
\nMD5 hash: a4bcc1b1fd35c41717612476ecfb131e
\nVirustotal: NA<\/p>\n

Analysis:
\n=========
\nThis is a pretty straight forward LokiBot infection. I saw this because of some patterns that are exhibited by the malware:<\/p>\n

\t– The User-Agent is always “User-Agent: Mozilla\/4.08 (Charon; Inferno)”
\n\t– The URL ends in “fre.php”
\n\t– Within the traffic there is a string (seen below) labeled “ckav.ru”
\n\t– The POSTs send data, but always present a “404 Not Found” error message<\/p>\n

Once the file is extracted from the ACE archive and executed it spins up to later use process hollowing to create a child processes that becomes orphaned (everything is named the same). The remaining two processes are what proceeds to scan the system looking for credentials and to ship that back to the compromised server via some POSTS that are performed.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

The following is a snippet that I pulled from PID 2380 via strings.<\/p>\n

\r\n%s\\%s\\User Data\\Default\\Login Data\r\n%s\\%s\\User Data\\Default\\Web Data\r\n%s%s\\Login Data\r\n%s%s\\Default\\Login Data\r\nComodo\\Dragon\r\nMapleStudio\\ChromePlus\r\nGoogle\\Chrome\r\nNichrome\r\nRockMelt\r\nSpark\r\nChromium\r\nTitan Browser\r\nTorch\r\nYandex\\YandexBrowser\r\nEpic Privacy Browser\r\nCocCoc\\Browser\r\nVivaldi\r\nComodo\\Chromodo\r\nSuperbird\r\nCoowon\\Coowon\r\nMustang Browser\r\n360Browser\\Browser\r\nCatalinaGroup\\Citrio\r\nGoogle\\Chrome SxS\r\nOrbitum\r\nIridium\r\n\\Opera\\Opera Next\\data\r\n\\Opera Software\\Opera Stable\r\n\\Fenrir Inc\\Sleipnir\\setting\\modules\\ChromiumViewer\r\n\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer\r\nvaultcli.dll\r\nVaultEnumerateItems\r\nVaultEnumerateVaults\r\nVaultFree\r\nVaultGetItem\r\nVaultOpenVault\r\nVaultCloseVault\r\nSoftware\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2\r\n%s%02X\r\nfile:\/\/\/\r\nSoftware\\Microsoft\\Internet Explorer\\TypedURLs\r\nSELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins\r\nhostname\r\nencryptedUsername\r\nencryptedPassword\r\n%s\\logins.json\r\n%s\\prefs.js\r\n%s\\signons.sqlite\r\nsignons.txt\r\nsignons2.txt\r\nsignons3.txt\r\n%s\\Mozilla\\Firefox\\profiles.ini\r\n%s\\Mozilla\\Firefox\\Profiles\\%s\r\n%s\\Mozilla\\SeaMonkey\\profiles.ini\r\n%s\\Mozilla\\SeaMonkey\\Profiles\\%s\r\n%s\\Flock\\Browser\\profiles.ini\r\n%s\\Flock\\Browser\\Profiles\\%s\r\n%s\\Thunderbird\\profiles.ini\r\n%s\\Thunderbird\\Profiles\\%s\r\n%s\\K-Meleon\\profiles.ini\r\n%s\\K-Meleon\\%s\r\n%s\\Comodo\\IceDragon\\profiles.ini\r\n%s\\Comodo\\IceDragon\\Profiles\\%s\r\n%s\\NETGATE Technologies\\BlackHawk\\profiles.ini\r\n%s\\NETGATE Technologies\\BlackHawk\\Profiles\\%s\r\n%s\\Postbox\\profiles.ini\r\n%s\\Postbox\\Profiles\\%s\r\n%s\\8pecxstudios\\Cyberfox\\profiles.ini\r\n%s\\8pecxstudios\\Cyberfox\\Profiles\\%s\r\n%s\\Moonchild Productions\\Pale Moon\\profiles.ini\r\n%s\\Moonchild Productions\\Pale Moon\\Profiles\\%s\r\n%s\\FossaMail\\profiles.ini\r\n%s\\FossaMail\\Profiles\\%s\r\n%s\\Lunascape\\Lunascape6\\plugins\\{9BDD5314-20A6-4d98-AB30-8325A95771EE}\\data\r\nProfile%i\r\nPath\r\nProfiles\/\r\nPATH\r\n%s\\nss3.dll\r\nNSS_Init\r\nNSS_Shutdown\r\nPK11_GetInternalKeySlot\r\nPK11_FreeSlot\r\nPK11_Authenticate\r\nPK11SDR_Decrypt\r\nPK11_CheckUserPassword\r\nSECITEM_FreeItem\r\nsqlite3.dll\r\nmozsqlite3.dll\r\nnss3.dll\r\nsqlite3_finalize\r\nsqlite3_step\r\nsqlite3_close\r\nsqlite3_column_text\r\nsqlite3_open16\r\nsqlite3_prepare_v2\r\nsqlite3_prepare\r\nCurrentVersion\r\nSOFTWARE\\Mozilla\\Mozilla Firefox\r\n%s\\%s\\Main\r\nInstall Directory\r\nPathToExe\r\nSOFTWARE\\Mozilla\\Mozilla Thunderbird\r\nSOFTWARE\\Mozilla\\FossaMail\r\nSOFTWARE\\Postbox\\Postbox\r\nSOFTWARE\\Mozilla\\Flock\r\nSOFTWARE\\Flock\\Flock\r\n(x86)\r\n%ProgramW6432%\r\n%s\\NETGATE\\Black Hawk\r\nSOFTWARE\\Mozilla\\Pale Moon\r\n%s\\Lunascape\\Lunascape6\\plugins\\{9BDD5314-20A6-4d98-AB30-8325A95771EE}\r\nSOFTWARE\\K-Meleon\r\nSetupPath\r\nSOFTWARE\\ComodoGroup\\IceDragon\\Setup\r\nRootDir\r\nSOFTWARE\\8pecxstudios\\Cyberfox86\r\nSOFTWARE\\8pecxstudios\\Cyberfox\r\nSOFTWARE\\mozilla.org\\SeaMonkey\r\n%s\\Mozilla\\Profiles\r\nSOFTWARE\\Mozilla\\SeaMonkey\r\nSOFTWARE\\Mozilla\\Waterfox\r\nffffff\r\nfirefox.exe\r\nkernel32.dll\r\nCloseHandle\r\nCreateFileW\r\nWriteFile\r\nExitProcess\r\nCrypt32.dll\r\nCryptStringToBinaryA\r\nShlwapi.dll\r\nStrStrA\r\nGetProcAddress\r\nLoadLibraryW\r\n%s\\Opera\r\nwand.dat\r\nX!2$6*9(SKiasb+!v<.qF58_qwe~QsRTYvdeTYb\r\nform_password_control\r\nform_username_control\r\nSoftware\\QtWeb.NET\\QtWeb Internet Browser\\AutoComplete\r\n%s\\QupZilla\\profiles\\default\\browsedata.db\r\narray\r\ndict\r\ndata\r\nstring\r\nServer\r\nInstallDir\r\nSOFTWARE\\Apple Computer, Inc.\\Safari\r\n%s\\Apple Computer\\Preferences\\keychain.plist\r\n%s\\Apple Application Support\\plutil.exe\r\n.xml\r\n-convert xml1 -s -o %s "%s"\r\n%s\\Data\\AccCfg\\Accounts.tdat\r\n%s\\Storage\r\nAccount.rec0\r\n%s\\Foxmail\\mail\r\n*.stg\r\n%SYSTEMDRIVE%\r\nFoxmail*\r\nEmailAddress\r\nTechnology\r\nPopServer\r\nPopPort\r\nPopAccount\r\nPopPassword\r\nSmtpServer\r\nSmtpPort\r\nSmtpAccount\r\nSmtpPassword\r\nSoftware\\IncrediMail\\Identities\r\nUserName\r\nPasswd\r\nPOP3Server\r\nPOP3Port\r\nEmail\r\nSMTP Email Address\r\nSMTP Server\r\nSMTP User Name\r\nSMTP User\r\nPOP3 Server\r\nPOP3 User Name\r\nPOP3 User\r\nNNTP Email Address\r\nNNTP User Name\r\nNNTP Server\r\nIMAP Server\r\nIMAP User Name\r\nIMAP User\r\nHTTP User\r\nHTTP Server URL\r\nHTTPMail User Name\r\nHTTPMail Server\r\nPOP3 Port\r\nSMTP Port\r\nIMAP Port\r\nPOP3 Password2\r\nIMAP Password2\r\nNNTP Password2\r\nHTTPMail Password2\r\nSMTP Password2\r\nPOP3 Password\r\nIMAP Password\r\nNNTP Password\r\nHTTP Password\r\nSMTP Password\r\nSoftware\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\r\nSoftware\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\r\nSoftware\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\r\n%s\\32BitFtp.TMP\r\n%s\\32BitFtp.ini\r\n%s\\Estsoft\\ALFTP\\ESTdb2.dat\r\n%s\\site.xml\r\n%s\\BitKinex\\bitkinex.ds\r\n*.tlp\r\n*.bscp\r\nLastUsedProfile\r\nSoftware\\Bitvise\\BvSshClient\r\n%s\\BlazeFtp\\site.dat\r\nSoftware\\FlashPeak\\BlazeFtp\\Settings\r\nLastPassword\r\nLastUser\r\nLastAddress\r\nLastPort\r\nServer\r\nPassword\r\n_Password\r\nSoftware\\NCH Software\\ClassicFTP\\FTPAccounts\r\nsettings\r\nname\r\nvalue\r\n%s\\Cyberduck\r\nuser.config\r\n%s\\iterate_GmbH\r\n%s\\EasyFTP\\data\r\nserver\r\nusername\r\nprotocol\r\n%s\\ExpanDrive\r\n*favorites.js\r\ndrives.js\r\n%s%c\r\nUser\r\nHostName\r\nSoftware\\Far\\Plugins\\FTP\\Hosts\r\nSoftware\\Far2\\Plugins\\FTP\\Hosts\r\n%s\\Far Manager\\Profile\\PluginsData\\42E4AEB1-A230-44F4-B33C-F195BB654931.db\r\n%s\\FileZilla\\Filezilla.xml\r\n%s\\FileZilla\\filezilla.xml\r\n%s\\FileZilla\\recentservers.xml\r\n%s\\FileZilla\\sitemanager.xml\r\n%s\\FlashFXP\r\n*Sites.dat\r\n*quick.dat\r\nFtpServer\r\nFtpUserName\r\nFtpPassword\r\n_FtpPassword\r\nSoftware\\NCH Software\\Fling\\Accounts\r\n%s\\FreshWebmaster\\FreshFTP\\FtpSites.SMF\r\n%s\\FTPBox\\profiles.conf\r\n%s\\FTPGetter\\Profile\\servers.xml\r\n%s\\FTPGetter\\servers.xml\r\n%s\\FTPInfo\\ServerList.xml\r\n%s\\FTPInfo\\ServerList.cfg\r\n%s\\FTP Navigator\\Ftplist.txt\r\n%s\\FTP Now\\sites.xml\r\n%s\\FTPShell\\ftpshell.fsi\r\n%s\\.config\\fullsync\\profiles.xml\r\n%s\\DeluxeFTP\\sites.xml\r\n%s\\GoFTP\\settings\\Connections.txt\r\nJaSFtp\r\nAbleFTP\r\nAutomize\r\n%s\\%s%i\\encPwd.jsd\r\n%s\\%s%i\\data\\settings\\sshProfiles-j.jsd\r\n%s\\%s%i\\data\\settings\\ftpProfiles-j.jsd\r\nPass\r\nHost\r\nPort\r\nSoftware\\LinasFTP\\Site Manager\r\n%s\\oZone3D\\MyFTP\\myftp.ini\r\n%s\\NetDrive\\NDSites.ini\r\n%s\\NetDrive2\\drives.dat\r\n%s\\Fastream NETFile\\My FTP Links\r\n%s\\NexusFile\\userdata\\ftpsite.ini\r\n%s\\NexusFile\\ftpsite.ini\r\n%s\\INSoftware\\NovaFTP\\NovaFTP.db\r\n%s\\Notepad++\\plugins\\config\\NppFTP\\NppFTP.xml\r\n%s\\Odin Secure FTP Expert\\QFDefault.QFQ\r\n%s\\Odin Secure FTP Expert\\SiteInfo.QFP\r\nPublicKeyFile\r\nTerminalType\r\nPortNumber\r\nSoftware\\9bis.com\\KiTTY\\Sessions\r\nSoftware\\SimonTatham\\PuTTY\\Sessions\r\n_dec\r\n%s_dec\r\nlsasrv.dll\r\nLsaICryptUnprotectData\r\nlsass.exe\r\n%s\\Microsoft\\Credentials\r\nConfig Path\r\nSoftware\\VanDyke\\SecureFX\r\n%s\\Sessions\r\n*.ini\r\nPort\r\nUserName\r\nPassword\r\n%s\\SftpNetDrive\r\n*.cfg\r\n%s\\Sherrod Computers\\sherrod FTP\\favorites\r\n#document.favoriteManager*\r\n%s\\SmartFTP\r\n{*.xml\r\n%s\\Staff-FTP\\sites.ini\r\n%s\\Steed\\bookmarks.txt\r\n%s\\SuperPutty\r\nSessions*\r\nsftp:\/\/\r\nftp:\/\/\r\nftps:\/\/\r\nhttp:\/\/\r\nhttp:\/\/\r\n{.:CRED:.}\r\n{CREN}\r\n{CRDB}\r\nProfiles\r\n%s\\Syncovery\r\nSyncovery.ini\r\n%s\\wcx_ftp.ini\r\n%s\\GHISLER\\wcx_ftp.ini\r\nFtpIniName\r\nSoftware\\Ghisler\\Total Commander\r\n%s\\UltraFXP\\sites.xml\r\n%s\\WinFtp Client\\Favorites.dat\r\nFSProtocol\r\nSoftware\\Martin Prikryl\r\n%s\\WS_FTP\\WS_FTP.INI\r\n%s\\WS_FTP.INI\r\n%s\\Ipswitch\r\nws_ftp.ini\r\n%s\\NetSarang\\Xftp\\Sessions\r\n*xfp\r\nMAC=%02X%02X%02XINSTALL=%08X%08Xk\r\n1?0`\r\n%s\\%s\\%s.exe<\/pre>\n","protected":false},"excerpt":{"rendered":"
For something different today, found some DHL inspired LokiBot malspam in the email filters. LokiBot is considered an information stealer as it looks through the system for any credentials that it can grab. As Brad mentioned in an older SANS ISC blog entry, the emails that LokiBot uses vary and does not seem to follow any kind of pattern. The pattern is noticeable when you look at the infection (this will be discussed later). In the meantime, if you are wanting to read a great detailed article\/breakdown on LokiBot, check out this paper from Rob Pantazopoulos via the SANS Reading…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[26],"class_list":["post-1141","post","type-post","status-publish","format-standard","hentry","category-packet-analysis","tag-lokibot"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1141","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1141"}],"version-history":[{"count":2,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1141\/revisions"}],"predecessor-version":[{"id":1149,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1141\/revisions\/1149"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}