# New Campaign Sees LokiBot Delivered Via Multiple Methods **[trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html](https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html)** ## Introduction August 25, 2021 We recently detected an aggressive malware distribution campaign delivering LokiBot via multiple techniques, including the exploitation of older vulnerabilities. This blog entry describes and provides an example of one the methods used in the campaign, as well as a short analysis of the payload. We found that one of the command-and-control (C&C) servers had enabled directory browsing, allowing us to retrieve updated samples. Figure 1. C&C server with directory browsing enabled Although none of these techniques are particularly new, we want to build awareness about this campaign and encourage users to patch their systems as soon as possible if they are potentially affected. Analysis of the Adobe PDF malware delivery mechanism Some of the delivery methods we found included: PDF: Using Open Action Object DOCX: Using the Frameset mechanism RTF: Exploitation of [CVE-2017-11882](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild) Internet Explorer: Exploitation of CVE-2016-0189 Excel: Using embedded OLE Object and Word documents (With further exploitation of old vulnerabilities) Let’s take a look at one of the delivery methods, an Adobe PDF document attached to an email masquerading as an order invoice email to fool customers. The PDF file, shown in Figure 2, is named “Revised invoice 2.pdf.” ----- Figure 2. Screenshot of the PDF document sent to the targeted victim When the document is opened, the user is presented the option to allow or block a connection to a specific host at “192[.]23[.]212[.]137”. Figure 3. Option presented to the user upon opening the document The URL is placed as an action in the PDF “OpenAction” directory, so a web visit is performed when the user opens the document. ----- Figure 4. PDF document dictionary If the user allows access to the site, an HTTP request is sent to the URL http://198[.]23[.]212[.]137/document/pdf_r34567888[.]html. The server responds with a malicious HTML document, shown in Figure 4. Figure 5. Code snippets from the malicious HTML page returned from server [The malicious web page exploits a vulnerability identified as CVE-2016-0189 to run the embedded PowerShell script.](https://www.trendmicro.com/vinfo/sg/threat-encyclopedia/vulnerability/9765/microsoft-internet-explorer-scripting-engine-memory-corruption-vulnerability-cve-2016-0189) ## The credential-stealing payload After deobfuscation, we can see the malware attempts to download the payload from http://198[.]23[.]212[.]137/regedit/reg/vbc[.]exe. [The payload vbc.exe is a variant of the LokiBot trojan we first detected in 2019. The main purpose of the malware is to steal user credentials](https://www.trendmicro.com/en_ph/research/19/h/lokibot-gains-new-persistence-mechanism-uses-steganography-to-hide-its-tracks.html) f th b b FTP d SMTP li t It t h b il d tl d l d d t Vi T t l ----- of the malware request ## The importance of timely patching and observing best practices for security Figure 6. Compilation timestamp Figure 7. Default folders Figure 8. C&C server POST This campaign shows that LokiBot and its variants are still being widely used and still use old and reliable techniques such as social engineering and vulnerability exploitation as delivery methods. ----- Use s ca p otect t e se es o ca pa g s t at o e t ese tec ques by obse g bas c secu ty p act ces, suc as e a g o clicking links and opening attachments in suspicious or unsolicited emails. Organizations and individuals should also update their systems as soon as possible since some of the delivery methods discussed in this blog post use vulnerability exploits. The following security solutions can also protect users from email-based attacks: **[Trend Micro™ Cloud App Security – Enhances the security of Microsoft Office 365 and other cloud services via computer](https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/cloud-app-security.html)** **vision and real-time scanning. It also protects organizations from email-based threats.** **[Trend Micro™ Deep Discovery™ Email Inspector – Defends users through a combination of real-time scanning and advanced](https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/email-inspector.html)** **analysis techniques for known and unknown attacks.** Indicators of Compromise Description Hashes/URLs/IP Addresses Detection Name Revised invoice 2 .pdf c59ac77c8c2f2450c942840031ad72d3bac69b7ebe780049b4e9741c51e001ab Trojan.PDF.POWLOAD.AM 2021-0809_220350.pdf.pdf shipment assessment.pdf 5a586164674423eb4d58f664c1625c6dfabcd7418048f18d4b0ab0b9df3733eb Trojan.PDF.POWLOAD.AM fb7fe37e263406349b29afb8ee980ca70004ee32ea5e5254b9614a3f8696daca Trojan.PDF.POWLOAD.AM LOA.PDF.pdf 98983e00b47bcbe9ebbaf5f28ea6cdbf619dd88c91f481b18fec7ffdb68ab741 Trojan.PDF.POWLOAD.AM Bunker invoice 023.pdf 71998bb4882f71a9e09b1eb86bac1e0a0ac75bc4c20ee11373b90173cedc7d0b Trojan.PDF.POWLOAD.AM PO JHS-PO-210811425.rar-1.pdf e5d84990d7abd7b65655ac262d3cad346cdaf47f5861bff8b33b8bc755832288 Trojan.PDF.POWLOAD.AM N/A 2210000d2f877c9fd87efe97605e90549c5d9008a90f9b062a570fc12437e318 Trojan.W97M.LOKI.AOR Contract 1459-PO2115.docx e7a518b83d9f57a4cb8726afc6bb27a15f6e68655552e13b24481df83b9320fb Trojan.W97M.LOKI.AOR PI I229-I231.xlsx fc5bf62f57c77efa9f9264878f1753a35c27fb44bce7d9a00f8f094315355661 Trojan.X97M.CVE20180802.AL S28BW421072010440.PDF.xlsx c6aede79cc1608da1e3ed5c8853b1718351429573679d6b847c90c44e48137d4 Trojan.X97M.CVE20180802.AL 64DBB078907CDEB6E 639f6453e961aa33302d34962ccdd29fbc9235b2a0df8b1ac0acc0bb040af7e0 Trojan.W97M.LOKI.AOT 76CE5B8A21BB98A.mlw PO20-003609.xlsx b1b0045f890afd14b4168b4fc0017ac39c281fe5eee66d3c9523040e63220eb4 Trojan.X97M.CVE201711882.XQU rwer.wbk 3798eb011f5d8ee7f41e3666dac7fac279cf670ad4af4060aaef33a7def3c6f7 Trojan.W97M.CVE201711882.XAA pdf_r34567888.html 45f1b4b0a627f1a2072818d00456dc4fc6607edf9a1a1c484f04f800d25b93d2 Trojan.HTML.POWLOAD.EQ pdf_rg234999233.html da56c38fad7c2ee8e829aea9bd3c4b523ea0b65e935805d68df12c7a28e5d5dd Trojan.HTML.POWLOAD.EQ vbc.exe d8bb1bb8587840321e74cf2ab2f3596344cbb5ffeb77060bd9aade848fed03fd TrojanSpy.Win32.LOKI.PUHBAZCL vbc.exe 9f66135d831d5ba4972ba5db9e0fd4515dfaecc92013a741679d6cddbe29ab25 TrojanSpy.Win32.LOKI.PUHBAZCL vbc.exe 324d549fb7b9999aa0e6fb8a6824f7a05fe5f1f21d76fb2d360cb34c56eb1995 TrojanSpy.Win32.LOKI.PUHBAZCL ----- vbc.exe ca155beb7d28cde5147eba7907c453d433b7675ba1830e87d5a4e409b5b912e1 TrojanSpy.Win32.LOKI.PUHBAZCL URL http://198[.]23[.]212[.]137/document/pdf_document_s233322[.]html Phishing URL http://198[.]23[.]212[.]137/document/pdf_document_sw211222[.]html Disease Vector URL https://ulvis[.]net/Q4gl Disease Vector URL https://ulvis[.]net/Q4km Disease Vector URL http://198[.]23[.]212[.]137/document/pdf_rg234999233[.]html Disease Vector URL http://198[.]23[.]212[.]137/document/pdf_r34567888[.]html Disease Vector C&C IP Address 198[.]23[.]212[.]137 C&C Server C&C IP Address 104[.]21[.]62[.]89 C&C Server C&C IP Address 104[.]21[.]71[.]169 C&C Server C&C IP Address 185[.]227[.]139[.]5 C&C Server C&C IP Address 46[.]173[.]214[.]209 C&C Server C&C IP Address 192[.]227[.]228[.]106 C&C Server Malware We recently detected an aggressive malware distribution campaign delivering LokiBot via multiple techniques, including the exploitation of older vulnerabilities. By: William Gamazo Sanchez, Bin Lin August 25, 2021 Read time: ( words) Content added to Folio -----