# Loki Info Stealer Propagates through LZH Files **[trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files)** _Insights and analysis by Miguel Ang_ [We previously encountered a spam sample that propagates the info stealerLoki through Windows Cabinet (CAB) files. Recently, we acquired](https://www.trendmicro.com/vinfo/us/security/definition/Info-stealer) another sample that delivers the same malware, but this time through LZH compressed archive files. Trend Micro detects the attachment and the dropper as TrojanSpy.Win32.LOKI.TIOIBYTU. LZH files, more commonly used in Japan for compressing files, have also been used to deliver other malware such as Negasteal and Ave Maria. The malicious LZH file attachment comes from an email posing as a payment confirmation advice from a bank. The attachment is named “payment confirmation.lzh”. Figure 1. Sample email delivering Loki through LZH attachment The LZH archive attachment contained the Loki dropper named bFbnF2vovw15SVM.exe. It also has a folder named “crypted_files,” which contains an empty folder named “myself_crypted” inside. This was either the result of an error in archiving the sample or was meant to be used to contain additional components or payloads. ----- Figure 2. Attachment contents Figure 3. Contents of the “crypted files” folder [The Loki dropper uses .NET compiled binaries to add multiple layers of obfuscation. It eventually uses process hollowing to load and execute](https://blog.trendmicro.com/trendlabs-security-intelligence/almost-hollow-and-innocent-monero-miner-remains-undetected-via-process-hollowing/) [the main Loki payload. This method is reminiscent of the campaign that propagates Loki through CAB file attachments. The main Loki](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-delivered-as-cab-file-attachment) payload that it drops also has the same hash as the variant concealed through CAB files, indicating that both samples are under the same ongoing campaign. ----- Figure 4. Obfuscated compiled binaries ## Detachment from malicious files Cybercriminals can use a variety of file attachments to spread malware, ranging from more common file types like Word Document or PDF, to less familiar ones like CAB or LZH files. Regardless of the file type used to conceal it, the fact remains that malware can compromise [systems, disrupt device performance, or steal data. The following best practices can help prevent malware infections:](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/infosec-guide-email-threats) Do not download attachments or click links on emails from unknown sources. This may lead to the installation of malware. Users may check where the embedded links lead to by hovering the pointer over the link. Read emails carefully to gauge the credibility of its contents. Some giveaway signs of spam are bad grammar, misspelled words, and unfamiliar or spoofed email addresses. Avoid sharing contact details and other sensitive information on public web forums or social media. [It is also advisable to check the device for common malware infection symptoms. These include slower performance, faster battery drain,](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/know-the-symptoms-protect-your-devices-while-working-from-home) crashes, or failure to load. For a more proactive defense against threats that use emails as entry points, the following solutions are recommended: [Trend Micro™ Deep Discovery™ Email Inspector – Stops email-based threats including spam, ransomware, and targeted attacks](https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/email-inspector.html) through advanced analysis and custom sandboxing. [Trend Micro™ Email Security – Employs sandbox for unknown files and URL, email sender analysis and authentication, and checking](https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/email-security.html) of email header and content for signs of compromise. [Trend Micro™ Cloud App Security – Protects file sharing from malware and controls sensitive data usage.](https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/cloud-app-security.html) ## Indicators of Compromise **URL** hxxp://retrak.co[.]ke/psy/five/fre.php **File Name** **SHA-256** **Trend Micro** **Pattern Detection** bFbnF2vovw15SVM.exe payment confirmation.lzh HIDE e6adc1df97033110cdf1bd9e9763559fe17811e2234013e4d57fa23b6ddbb207 TrojanSpy.Win32.LOKI.TIOIBYTU fb37c52635a47cacba754f811ec64937aa6da3c0ced0162c201748b38952e164 TrojanSpy.Win32.LOKI.TIOIBYTU **Like it? Add this infographic to your site:** 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V). Image will appear the same size as you see above. ----- [Posted in Cybercrime & Digital Threats](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats) -----