Spearphishing Campaign Exploits COVID-19 To Spread Lokibot Infostealer

coronavirus computer spear phishing

The attack discovered uses World Health Organization trademark to lure users with info related to coronavirus.

Researchers have discovered threat actors once again capitalizing on the COVID-19 pandemic and current attention on the World Health Organization (WHO) with a new spearphishing email designed to spread the LokiBot trojan sent using the WHO trademark as a lure.

Researchers at FortiGuard Labs on March 27 first observed the malicious COVID-19-themed scam, which claims to be from the WHO and attempts to address misinformation related to the pandemic to convince users it’s authentic. Instead, it sends an attachment that unleashes the infostealer LokiBot if downloaded and executed, according to a blog post published Thursday by threat analyst Val Saengphaibul.

“The body of the email contains multiple points about infection control and other suggestions and recommendations, which is obviously a lure to further compel the recipient to continue reading,” he wrote in the post. “And in a twisted fashion, the messaging pretends to address misinformation related to COVID-19/Coronavirus.”

While the message, written in English, has legitimate characteristics, the threat actors behind it likely do not speak English as a first language due to “some obvious grammatical, punctuation and spelling issues,” Saengphaibul pointed out.

The message also makes an obvious blunder by saying it is from the WHO Center for Disease Control, linking the Switzerland-based WHO to the U.S. Center for Disease Control (CDC)—two entirely separate organizations. Moreover, in the body of the message, the author uses the British spelling of Center, “Centre,” when referring to the CDC instead of the American spelling.

If a victim makes it this far, the email contains an attachment  “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj” compressed file, which can be opened with 7-Zip. ARJ is a compression format for “creating highly efficient compressed archives” and is likely an evasion tactic on the part of the threat actors, Saengphaibul wrote.

“The attackers behind this latest attack likely hope that the ARJ format might allay the concerns of an unsuspecting victim about opening an unknown attachment, given that the populace has been trained to not open suspicious file extensions such as .exe,” he wrote.

If those receiving the message click on the attachment and decompress the file, it transforms to one that has a “DOC.pdf.exe” extension rather than the “Doc.zip.arj,” which could still fool users with “a lapse of judgment” or who don’t notice the new extension into clicking on it, Saengphaibul said.

If they do, the file infects the victim’s system with Lokibot, an infostealer that lifts a variety of credentials from the user’s system — including FTP credentials, stored email passwords, passwords stored in the browser and others, he said. It then passes the exfiltrated information to the following URL: hxxp://bslines[.]xyz/copy/five/fre.php.

LokiBot is a prolific trojan that’s infamous for being simple and effective in its ability to covertly siphon information from compromised endpoints. It’s currently being distributed in various forms that can hitch a ride inside other file formats—as is the case in the current campaign. Various versions of LokiBot also in the past were sold on underground markets for as little as $300.

Since it was first detected, the new spearphishing campaign has gone global, with Turkey, Portugal, Germany, Austria and the United States showing the highest incidents, according to the post. The campaign also has been found making the rounds in Belgium, Puerto Rico, Italy, Canada,and Spain, but with less pervasiveness, according to Saengphaibul.

The attack is one of a number of varied security threats that have emerged in the wake of the COVID-19 that aim to take advantage of people’s fear surrounding the coronavirus and thirst for information from trusted sources.

The WHO in particular has been used to try to fool victims as well as itself been the target of attackers. Earlier this week, researchers at Cofense revealed new phishing attacks that use spoofing tactics to effectively evade top email protections and use references to the WHO to fool potential victims. WHO officials also have observed a surge in cyber-attacks since the pandemic began, they said.
Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.