
posted by janrinok on Wednesday September 11 2019, @09:53PM   Printer-friendly
from the do-not-open-suspicious-emails dept.

Arthur T Knackerbracket has found the following story:

A large U.S. manufacturing company is the latest organization to be targeted with the LokiBot trojan – although this most recent campaign harbored some bizarre red flags.

The well-known LokiBot malware has popped up in several malicious spam campaigns over the past year, covertly siphoning information from victims’ compromised endpoints. Researchers this week are warning of the most recent sighting of the malware, which was recently spotted in spam messages targeting a large U.S. manufacturing company.

Researchers first discovered the campaign on Aug. 21 after an unnamed U.S. semiconductor distributor received a spam email sent to its sales department from a potentially compromised "trusted" sender. The email, purporting to deliver an attached request for quotation, was actually carrying the prolific LokiBot trojan. "The attack is pretty straightforward," said Fortinet researchers in a Tuesday analysis of the attack. "The LokiBot sample has a file size of 286 KB and was recently compiled on Aug 21, which is coincidentally the same date as when the malicious spam was sent…. The spam email then encourages the user to open the attachment as the sender's colleague is currently out of office, and at the same time offers the potential victim some assurance that he/she can provide further clarification of the contents within the document if needed."

Despite the spam email (titled “Urgent Request for Quotation #RFQE67Y54”) coming from a trusted sender, there were several tell-tale signs that might give away the email as malicious.

While the email is "simple in appearance," it contained language that appears to have been written by a non-native English speaker and contained spelling errors. For instance, the email states, "Please see 'attache'", when referring to an "RFQ" (or "request for quotation"). Another giveaway is that a closer look at the attached file's information shows it to be curiously named "Dora Explorer Games," a reference to the children's TV heroine from the show "Dora The Explorer" and a strange name for a file that purports to relate to manufacturing.

[...] Once opened, the file actually harbors LokiBot malware, which is known for stealing a variety of credentials, including FTP credentials, stored email passwords, passwords stored in the browser, as well as a whole host of other credentials.

[...] The IP address used in this attack is registered to a web hosting provider in Phoenix, Ariz. (LeaseWeb USA), and had already been used twice before in malicious spam attacks in June.
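The red flags the story lists (a binary compiled the same day the mail was sent, an attachment whose description has nothing to do with the subject line, a sender IP already seen in earlier spam runs) are all things a mail-gateway triage script can check mechanically. The following is an added example, not code from the story, Fortinet or any vendor product: the message fields, the minimal PE header and the "previously seen in spam" IP list are all constructed for the example, and the compile timestamp is read from the COFF header of the attachment rather than taken from a report.

```python
"""Added triage example scoring the red flags described in the story.

Everything here is constructed for illustration: the message dict stands in
for parsed MIME headers, the PE bytes are a minimal header (not a runnable
executable), and the IP list is a placeholder for a real reputation feed.
"""
import struct
from datetime import datetime, timezone

# Constructed: sender IPs this gateway has already tagged as spam sources.
# (The story notes the real campaign's IP had been used twice before in June.)
PREVIOUSLY_SEEN_SPAM_IPS = {"198.51.100.23"}  # RFC 5737 documentation range


def pe_compile_time(data: bytes):
    """Return the COFF TimeDateStamp of a PE file as a UTC datetime, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def build_minimal_pe(compile_time: datetime) -> bytes:
    """Construct just enough of a PE image for pe_compile_time() to parse it."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)                # 0x40-byte DOS stub
    struct.pack_into("<I", header, 0x3C, 0x40)               # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, int(compile_time.timestamp()))
    return bytes(header) + coff + b"\0" * 12                  # 0x14C = i386 machine type


def triage(msg: dict) -> list:
    """Return the list of red flags raised by one (constructed) message record."""
    flags = []
    compiled = pe_compile_time(msg["attachment_bytes"])
    if compiled is not None:
        flags.append("attachment is a PE executable, not a document")
        if abs((msg["received"] - compiled).total_seconds()) < 24 * 3600:
            flags.append("attachment compiled within 24h of the mail being sent")
    # Does the attachment's version-info description share any word with the subject?
    subject_words = {w.strip("#:").lower() for w in msg["subject"].split()}
    desc_words = {w.lower() for w in msg["attachment_description"].split()}
    if desc_words and not (subject_words & desc_words):
        flags.append(f"attachment description {msg['attachment_description']!r} unrelated to subject")
    if msg["sender_ip"] in PREVIOUSLY_SEEN_SPAM_IPS:
        flags.append(f"sender IP {msg['sender_ip']} previously seen in spam")
    return flags


SENT = datetime(2019, 8, 21, 9, 15, tzinfo=timezone.utc)     # constructed timestamp

# Constructed record modelled on the story's description of the malicious mail.
SAMPLE_MESSAGE = {
    "subject": "Urgent Request for Quotation #RFQE67Y54",
    "sender_ip": "198.51.100.23",
    "received": SENT,
    "attachment_description": "Dora Explorer Games",
    "attachment_bytes": build_minimal_pe(SENT.replace(hour=3)),  # compiled same day
}

# Constructed benign control: a genuine RFQ with a PDF-looking attachment.
BENIGN_MESSAGE = {
    "subject": "RFQ 1234 bracket assembly",
    "sender_ip": "203.0.113.7",
    "received": SENT,
    "attachment_description": "RFQ 1234 bracket assembly",
    "attachment_bytes": b"%PDF-1.7 (placeholder body)",
}

if __name__ == "__main__":
    for name, record in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, triage(record))
```

The compile-date check is a triage signal, not proof: the COFF timestamp is a plain 32-bit field the builder can set to anything, and legitimate in-house tools are also compiled the day they are mailed. The same applies to the other checks; the point is to route a message carrying several of them to an analyst rather than to block on any one alone. The language-quality tells from the story (non-native phrasing, "attache") are deliberately not encoded, since, as the comment below observes, they generate as many hits on genuine mail as on phish.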


  • (Score: 3, Funny) by Anonymous Coward on Wednesday September 11 2019, @11:18PM (#892956)

    While the email is “simple in appearance,” it contained language that appears to be written by a non-native English speaker and contained spelling errors. For instance, the email states, “Please see ‘attache'”, when referring to an “RFQ” (or a “request for quotation”).

    So here we were yesterday comparing the first email of the day from the boss against the most recent phishing message. Each two sentences long, and barely intelligible - the phish presumed to be from an off-shore non-native English speaker, while the boss is descended from a long line of locals, had a full term of education and therefore has no fucking excuse. One of them had personal pronouns side by side and interchanged in the sentence, the other had verbs missing, tense wrong and an inability to define the opposite of "yes". Without the from field you wouldn't be able to classify them differently. Personally, if the phisher makes an offer, I'm taking it - at least he has demonstrable initiative.
