Microsoft Spots Malicious Messages Spreading LokiBot Infostealer
Fraudsters are honing their phishing emails tied to the COVID-19 crisis, using fake messages about business continuity plans and new payment procedures to spread the LokiBot information stealer, Microsoft researchers report.
In a series of tweets, the Microsoft Security Intelligence team posted examples of these messages. One email contained the subject line: “Business continuity plan announcement starting May 2020.” Another subject line announced: “E-Payment Bank Transactions,” with the body of the phishing email describing how payments by check will no longer be accepted during the COVID-19 pandemic.
Recent campaigns that deliver Lokibot, one of the first malware families to use COVID-19 lures, are showing a slight shift in tone reflecting current conversations, with subject lines like “BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020” pic.twitter.com/vahi8VAsry
— Microsoft Security Intelligence (@MsftSecIntel) May 13, 2020
The phishing emails contain malicious attachments that, if opened, enable macros that install the LokiBot information stealer, according to Microsoft.
The LokiBot malware has the ability to capture a wide range of information, such as passwords stored in a browser, email passwords and FTP credentials, according to a report by FortiGuard Labs, the research arm of Fortinet.
Since the World Health Organization declared COVID-19 a global pandemic in March, fraudsters, cybercriminals and even some nation-state threat actors have used the healthcare emergency to further their own goals, whether it’s stealing credentials or spreading malware. LokiBot has proven to be one of the more popular malware variants used in phishing campaigns (see: Nation-State Hackers Using COVID-19 Fears to Spread Malware).
Several Nigerian-based gangs also have used LokiBot in their business email compromise schemes.
Latest Phishing Emails
Microsoft Security Intelligence first discovered the new phishing tactics in messages dated May 6 and May 7.
The phishing campaigns use ARJ files – an archive format for creating very efficient compressed files. Each file contains a malicious Microsoft Excel file. If it’s opened, the LokiBot payload is injected into a Windows dynamic link library.
Recent phishing email spreading LokiBot (Source: Microsoft)
LokiBot can be difficult to detect because some anti-virus scanners will skip checking ARJ files, especially if a password is used to encrypt files, Tanmay Ganacharya, the director of security research at Microsoft Threat Protection, told BleepingComputer.
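As an added illustration of the point about scanners skipping ARJ attachments (example code, not Microsoft's or the article's), the following Python identifies ARJ archives by content rather than file extension and reads the header flag that marks password-protected ("garbled") entries, so a mail gateway can route such attachments to quarantine or detonation instead of trusting a skipped scan. The header layout assumed follows the published ARJ technical notes; the sample attachment bodies are constructed.

```python
import struct

ARJ_MAGIC = b"\x60\xea"          # every ARJ header starts with these two bytes
GARBLED_FLAG = 0x01              # arj_flags bit set when entries are password-protected
MAIN_HEADER = 2                  # file_type value of the archive (main) header


def parse_arj_header(data: bytes):
    """Parse the ARJ main header at the start of `data` (layout assumed per the
    ARJ technical notes). Returns None when `data` is not an ARJ archive."""
    if len(data) < 4 or data[:2] != ARJ_MAGIC:
        return None
    basic_size = struct.unpack_from("<H", data, 2)[0]
    if basic_size == 0 or len(data) < 4 + basic_size:
        return None
    hdr = data[4:4 + basic_size]
    first_hdr_size = hdr[0]           # size of the fixed part, up to the file name
    if first_hdr_size > len(hdr) or hdr[6] != MAIN_HEADER:
        return None
    flags = hdr[4]
    name_end = hdr.find(b"\x00", first_hdr_size)
    raw_name = hdr[first_hdr_size:name_end] if name_end != -1 else b""
    return {
        "archive_name": raw_name.decode("latin-1", "replace"),
        "encrypted": bool(flags & GARBLED_FLAG),
        "archiver_version": hdr[1],
    }


def triage_attachment(data: bytes) -> str:
    """Classify an attachment body by its content, not by its extension."""
    info = parse_arj_header(data)
    if info is None:
        return "not-arj"
    return "arj-encrypted" if info["encrypted"] else "arj"


def build_arj_main_header(name: bytes, flags: int) -> bytes:
    """Construct a minimal ARJ main header (constructed test data, not a real archive)."""
    fixed = bytes([34, 11, 1, 0, flags, 0, MAIN_HEADER, 0]) + b"\x00" * 26
    body = fixed + name + b"\x00" + b"\x00"        # file name, then empty comment
    return ARJ_MAGIC + struct.pack("<H", len(body)) + body + b"\x00" * 6


if __name__ == "__main__":
    samples = {  # constructed attachment bodies; names mimic the lures described above
        "continuity_plan.arj": build_arj_main_header(b"plan.arj", GARBLED_FLAG),
        "payment.zip": build_arj_main_header(b"payment.arj", 0),  # ARJ misnamed as .zip
        "notes.zip": b"PK\x03\x04" + b"\x00" * 26,
    }
    for fname, body in samples.items():
        print(f"{fname}: {triage_attachment(body)}")
```

Flagging "arj-encrypted" attachments for quarantine is the simplest control here, because a password-protected archive cannot be scanned at the gateway at all.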
Increase in COVID-19 Scams
On Tuesday, security firm Check Point Software reported that its researchers have recorded 192,000 COVID-19-related attacks each week for the past three weeks. These attacks include the deployment of malicious domains and phishing emails.
Check Point also found that nearly 20,000 new domains using either COVID-19 or coronavirus in their names have been registered in the last three weeks. Of these, about 17% are considered suspicious or malicious.
Meanwhile, credit rating agency TransUnion found that the telecommunications, ecommerce and financial services industries have been most affected by COVID-19-related fraud – including credit card fraud and identity theft.
And VMware Carbon Black reported Thursday that it’s recorded a 238% increase in cyber incidents targeting banks and other financial institutions between February and April that appear related to the start of the COVID-19 pandemic. Cryptocurrency miners and Emotet malware are commonly used, the company notes (see: Emotet Malware Alert Sounded by US Cybersecurity Agency).