LTS Secure Warning: LokiBot Malware Being Spread In New COVID-19 Themed Spear Phishing Campaign

Security researchers have recently discovered a new COVID-19 themed spear-phishing campaign that delivers the LokiBot malware, using the World Health Organization (WHO) trademark as bait. So far the campaign has targeted victims mainly in Austria, Germany, Portugal, Turkey and the U.S.


Technical Details

The email, written in English, contains numerous grammatical, punctuation and spelling mistakes. It carries a compressed file as an attachment, “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj”, which can be decompressed with 7-Zip.

ARJ is an old archive format that produces compact archives, and its use here is most likely an evasion tactic: a less common container is less likely to be unpacked and scanned by mail filters, while 7-Zip still opens it without complaint. Once the archive is extracted, the victim sees a file named “DOC.pdf.exe”. Because Windows hides known file extensions by default, the name is displayed as “DOC.pdf”, but the file is a Windows executable; running it infects the machine with LokiBot.
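As an added example (not part of the original advisory), the following Python script triages mail attachments for the traits described above: a nested archive extension such as .zip.arj, an uncommon container such as ARJ, a document-then-executable double extension such as .pdf.exe, and content whose magic bytes contradict its extension. The ARJ header id (0x60 0xEA) and the PE stub (MZ) are the formats' real signatures; the extension lists, the function names and the sample byte strings are assumptions constructed for the example, not real samples from the campaign.

```python
"""Attachment triage for the lures described in the advisory.

Flags double extensions (document.ext.exe), nested archive extensions
(name.zip.arj), uncommon archive containers, and content/extension
mismatches detected via magic bytes. Sample inputs below are constructed.
"""

ARJ_MAGIC = b"\x60\xea"   # every ARJ header block starts with these two bytes
PE_MAGIC = b"MZ"          # DOS stub at the start of every Windows PE executable
PDF_MAGIC = b"%PDF"

# Extension lists are assumptions for the example; tune them to your environment.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "png"}
ARCHIVE_EXTS = {"zip", "arj", "rar", "7z", "ace", "cab", "iso", "gz", "tar"}
# Containers that ordinary users almost never mail; suspicious on their own.
UNCOMMON_ARCHIVE_EXTS = {"arj", "ace", "cab", "iso"}


def extension_chain(name):
    """Lower-cased extensions of a filename in order: 'DOC.pdf.exe' -> ['pdf', 'exe']."""
    parts = name.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def displayed_name(name):
    """What Explorer shows with 'Hide extensions for known file types' on (the default)."""
    exts = extension_chain(name)
    if not exts:
        return name
    return name[: -(len(exts[-1]) + 1)]


def filename_findings(name):
    """Findings that need only the attachment name."""
    findings = []
    exts = extension_chain(name)
    if not exts:
        return findings
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension: '{name}' is shown as '{displayed_name(name)}' "
                            "when known extensions are hidden")
        else:
            findings.append(f"executable attachment: .{last}")
    if len(exts) >= 2 and last in ARCHIVE_EXTS and exts[-2] in ARCHIVE_EXTS:
        findings.append(f"nested archive extension: .{exts[-2]}.{last}")
    if last in UNCOMMON_ARCHIVE_EXTS:
        findings.append(f"uncommon archive container: .{last}")
    return findings


def content_findings(name, data):
    """Findings from the first bytes of the attachment versus what the name claims."""
    findings = []
    exts = extension_chain(name)
    last = exts[-1] if exts else ""
    if data[:2] == ARJ_MAGIC and last != "arj":
        findings.append("content is an ARJ archive but the extension does not say so")
    if data[:2] == PE_MAGIC and last not in EXECUTABLE_EXTS:
        findings.append(f"content is a Windows executable but the extension is .{last or '(none)'}")
    if last == "pdf" and not data.startswith(PDF_MAGIC):
        findings.append("claims to be a PDF but does not start with %PDF")
    return findings


def triage_attachment(name, data):
    """All findings for one attachment; an empty list means nothing stood out."""
    return filename_findings(name) + content_findings(name, data)


# Constructed samples: the two names come from the campaign, the bytes are synthetic stand-ins.
SAMPLES = [
    ("COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj", ARJ_MAGIC + bytes(40)),
    ("DOC.pdf.exe", PE_MAGIC + b"\x90\x00" + bytes(60)),
    ("invoice.pdf", PE_MAGIC + bytes(60)),          # executable renamed to look like a PDF
    ("quarterly_report.pdf", b"%PDF-1.7\n" + bytes(20)),
]

if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES:
        found = triage_attachment(sample_name, sample_data)
        print(f"{'SUSPICIOUS' if found else 'ok':10} {sample_name}")
        for item in found:
            print(f"           - {item}")
```

Run against the constructed samples, the .zip.arj attachment is flagged for its nested and uncommon container, DOC.pdf.exe for its double extension, and the renamed executable for the mismatch between its MZ header and its .pdf name; the genuine PDF produces no findings. The name-based checks are cheap enough for a mail gateway rule, while the magic-byte checks catch the case where the attacker simply renames the payload.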


Impact

  • Logs user’s keystrokes.
  • Collects user & system information.
  • Steals sensitive/confidential information such as login credentials for banking sites, cookies, etc.


Recommended Actions

  • Avoid opening emails and attachments from unknown senders.
  • Educate your users on how to identify malspam.
  • Configure the mail gateway to quarantine uncommon archive formats such as .arj and attachments with double extensions (e.g. .pdf.exe), and turn off “Hide extensions for known file types” on endpoints so a name like DOC.pdf.exe is shown in full.
  • Keep your anti-virus software updated with the latest releases.
  • Periodically run a full system scan on your endpoints.
  • Isolate compromised computers as soon as possible to prevent the threat from spreading further inside your infrastructure.