# Loki Bot: On a hunt for corporate passwords

[securelist.com/loki-bot-stealing-corporate-passwords/87595/](https://securelist.com/loki-bot-stealing-corporate-passwords/87595/)

[Spam and phishing mail](https://securelist.com/category/spam-and-phishing-mailings/) · 29 Aug 2018

Authors: [Tatyana Shcherbakova](https://securelist.com/author/tatyanashcherbakova/)

Starting from early July, we have seen malicious spam activity targeting corporate mailboxes. The messages discovered so far carry an attachment with an .iso extension that Kaspersky Lab solutions detect as Loki Bot. The malware's key objective is to steal passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets. Loki Bot sends all of its loot to the malware operators.

ISO images are copies of optical discs that can be mounted in a virtual CD/DVD drive and used in the same way as the originals. Whereas users once needed dedicated software to open this type of image, today's operating systems support the format out of the box: to access the contents of the file, all you need to do is double-click it. Malicious spam uses this type of file as a container for delivering malware, albeit rarely.

As mentioned above, the attackers sent copies of Loki Bot to company email addresses that could be obtained from public sources or from the companies' own websites. The messages were notably diverse:

1. Fake notifications from well-known companies

Imitating messages from well-known corporations is one of the most popular tricks in the attackers' arsenal. Interestingly, fake emails used to be directed mostly at ordinary users and customers, whereas now companies are increasingly the target.

2. Fake notifications containing financial documents

The scammers passed off malicious files as financial documents: invoices, transfers, payments, etc. This is a fairly popular malicious spamming technique: the message body is usually no more than a few lines, and the subject states what exactly is purported to be attached.

3. Fake orders or offers

Phishers may pose as customers placing an order, or as a vendor offering goods or services.

Every year we observe an increase in spam attacks on the corporate sector. The perpetrators use phishing and malicious spam, including forged business emails, in pursuit of confidential corporate information: intellectual property, authentication data, databases, bank accounts, etc. That is why corporate security measures must today include both technical protection and employee training, because a single employee's actions can cause irreparable damage to the business.

Tags: [Phishing](https://securelist.com/tag/phishing/) [Spam Letters](https://securelist.com/tag/spam-letters/) [Spammer techniques](https://securelist.com/tag/spammer-techniques/)
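The post's point about .iso attachments is that the operating system treats the file as a disc and mounts it on double-click, so whatever is inside lands on the user's desktop ready to run. An analyst or a mail gateway does not need to mount the image to see what it carries: the ISO 9660 format is simple enough to parse directly. The following is an added example, written for this edit and not code from the Securelist post or from Kaspersky. It reads the primary volume descriptor at sector 16, follows the root directory record, walks the directory tree, and flags file names whose extension Windows would execute on double-click. The sample image is constructed inline (a text file, a subfolder, and an "invoice" .exe stub; no real malware), and the list of risky extensions is an assumed triage list, not one from the post.

```python
"""Offline triage of an ISO 9660 image of the kind delivered as an .iso attachment.
Added example: the sample image below is constructed, not a captured sample."""
import struct
from dataclasses import dataclass

SECTOR = 2048
PVD_OFFSET = 16 * SECTOR          # volume descriptors start at sector 16
ISO_MAGIC = b"CD001"
DIR_FLAG = 0x02                   # bit 1 of the directory-record file flags
# Extensions Windows runs directly from a mounted image (assumed triage list).
RISKY_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
             "vbe", "wsf", "hta", "lnk", "dll", "ps1", "msi"}


@dataclass
class Entry:
    path: str
    size: int
    is_dir: bool


def is_iso9660(data: bytes) -> bool:
    """True if sector 16 holds a primary volume descriptor (type 1, 'CD001')."""
    return (len(data) >= PVD_OFFSET + SECTOR and data[PVD_OFFSET] == 1
            and data[PVD_OFFSET + 1:PVD_OFFSET + 6] == ISO_MAGIC)


def _read_record(buf: bytes, off: int):
    """Decode one directory record, using the little-endian half of each both-endian field."""
    rec_len = buf[off]
    extent = struct.unpack_from("<I", buf, off + 2)[0]    # first logical block of the data
    length = struct.unpack_from("<I", buf, off + 10)[0]   # data length in bytes
    flags = buf[off + 25]
    id_len = buf[off + 32]
    return rec_len, extent, length, flags, bytes(buf[off + 33:off + 33 + id_len])


def _walk(data: bytes, extent: int, length: int, prefix: str, out: list, depth: int = 0):
    if depth > 32:
        raise ValueError("directory nesting too deep (looping image?)")
    start, end = extent * SECTOR, extent * SECTOR + length
    if end > len(data):
        raise ValueError("directory extent runs past end of image")
    off = start
    while off < end:
        if data[off] == 0:                       # records never span a sector: skip the padding
            off = (off // SECTOR + 1) * SECTOR
            continue
        rec_len, ext, ln, flags, ident = _read_record(data, off)
        off += rec_len
        if ident in (b"\x00", b"\x01"):          # "." and ".." entries
            continue
        name = ident.decode("ascii", "replace").split(";")[0]   # drop the ";1" version suffix
        if flags & DIR_FLAG:
            out.append(Entry(prefix + name + "/", ln, True))
            _walk(data, ext, ln, prefix + name + "/", out, depth + 1)
        else:
            out.append(Entry(prefix + name, ln, False))


def list_iso(data: bytes) -> list:
    """List every file and directory reachable from the root directory record (PVD offset 156)."""
    if not is_iso9660(data):
        raise ValueError("not an ISO 9660 image")
    _, ext, ln, _, _ = _read_record(data, PVD_OFFSET + 156)
    out: list = []
    _walk(data, ext, ln, "", out)
    return out


def risky_files(entries: list) -> list:
    """Paths of files whose extension Windows would execute on double-click."""
    return [e.path for e in entries if not e.is_dir and "." in e.path
            and e.path.rsplit(".", 1)[1].lower() in RISKY_EXT]


def _record(ident: bytes, extent: int, length: int, flags: int = 0) -> bytes:
    """Build one ISO 9660 directory record (both-endian fields, even total length)."""
    body = (bytes([0]) + struct.pack("<I", extent) + struct.pack(">I", extent)
            + struct.pack("<I", length) + struct.pack(">I", length) + bytes(7)
            + bytes([flags, 0, 0]) + struct.pack("<H", 1) + struct.pack(">H", 1)
            + bytes([len(ident)]) + ident)
    if len(ident) % 2 == 0:
        body += b"\x00"                          # pad so the record length is even
    return bytes([len(body) + 1]) + body


def build_sample_iso() -> bytes:
    """Constructed image: an invoice-themed .exe stub beside a text file and a subfolder."""
    root_lba, exe_lba, txt_lba, docs_lba, notes_lba = 18, 19, 20, 21, 22
    exe = b"MZ" + bytes(62)                      # PE-looking stub, not a real binary
    txt = b"Please find the invoice attached.\n"
    notes = b"nothing to see here\n"
    img = bytearray(23 * SECTOR)
    pvd, term = bytearray(SECTOR), bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, ISO_MAGIC, 1
    pvd[156:190] = _record(b"\x00", root_lba, SECTOR, DIR_FLAG)
    term[0], term[1:6], term[6] = 255, ISO_MAGIC, 1     # volume descriptor set terminator
    img[16 * SECTOR:17 * SECTOR], img[17 * SECTOR:18 * SECTOR] = pvd, term
    root = (_record(b"\x00", root_lba, SECTOR, DIR_FLAG) + _record(b"\x01", root_lba, SECTOR, DIR_FLAG)
            + _record(b"INVOICE.EXE;1", exe_lba, len(exe)) + _record(b"README.TXT;1", txt_lba, len(txt))
            + _record(b"DOCS", docs_lba, SECTOR, DIR_FLAG))
    docs = (_record(b"\x00", docs_lba, SECTOR, DIR_FLAG) + _record(b"\x01", root_lba, SECTOR, DIR_FLAG)
            + _record(b"NOTES.TXT;1", notes_lba, len(notes)))
    for lba, blob in ((root_lba, root), (exe_lba, exe), (txt_lba, txt), (docs_lba, docs), (notes_lba, notes)):
        img[lba * SECTOR:lba * SECTOR + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    entries = list_iso(build_sample_iso())
    for e in entries:
        print(f"{'d' if e.is_dir else '-'} {e.size:>6} {e.path}")
    print("risky:", risky_files(entries))
```

Run against a real attachment with `list_iso(open(path, "rb").read())`. Two caveats: the parser reads only the primary descriptor, so a Joliet or Rock Ridge image will show the short 8.3 names rather than the long ones the victim sees, and an extension check is a triage signal, not a verdict; the flagged files still need to go to a sandbox or to the scanning engine.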