
posted by janrinok on Wednesday September 11 2019, @09:53PM
from the do-not-open-suspicious-emails dept.

Arthur T Knackerbracket has found the following story:

A large U.S. manufacturing company is the latest organization to be targeted with the LokiBot trojan – although this most recent campaign harbored some bizarre red flags.

The well-known LokiBot malware has popped up in several malicious spam campaigns over the past year, covertly siphoning information from victims’ compromised endpoints. Researchers this week are warning of the most recent sighting of the malware, which was recently spotted in spam messages targeting a large U.S. manufacturing company.

Researchers first discovered the campaign on Aug. 21 after an unnamed U.S. semiconductor distributor received a spam email sent to the sales department from a potentially compromised "trusted" sender. The email, purporting to be distributing an attached request for quotation, was actually harboring the prolific LokiBot trojan. "The attack is pretty straightforward," said Fortinet researchers in a Tuesday analysis of the attack. "The LokiBot sample has a file size of 286 KB and was recently compiled on Aug 21, which is coincidentally the same date as when the malicious spam was sent... The spam email then encourages the user to open the attachment as the sender's colleague is currently out of office, and at the same time offers the potential victim some assurance that he/she can provide further clarification of the contents within the document if needed."

Despite the spam email (titled “Urgent Request for Quotation #RFQE67Y54”) coming from a trusted sender, there were several tell-tale signs that might give away the email as malicious.

While the email is "simple in appearance," it contained language that appears to have been written by a non-native English speaker, including spelling errors. For instance, the email states, "Please see 'attache'", when referring to an "RFQ" (a "request for quotation"). Another giveaway is that a closer look at the attached file's information shows it to be curiously named "Dora Explorer Games," a reference to the children's TV heroine from the show "Dora The Explorer" – a strange name for a file that purports to be related to manufacturing.

[...] Once opened, the file actually harbors LokiBot malware, which is known for stealing a variety of credentials, including FTP credentials, stored email passwords, passwords stored in the browser, as well as a whole host of other credentials.

[...] The IP address of this attack is registered to a web-hosting provider in Phoenix, Ariz. (LeaseWeb USA), which had been used twice before in malicious spam attacks that occurred in June.
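As an added illustration of two of the tells Fortinet describes (an executable attachment compiled the same day the spam went out, and an attachment named nothing like the request for quotation the subject promises), here is a small Python triage routine. It is not from the article, Threatpost or Fortinet; the email, the PE stub and the "Dora Explorer Games.exe" filename are constructed sample data modelled on the lure, not the real sample.

```python
import struct
from datetime import datetime, timedelta, timezone
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

def pe_compile_time(data):
    """COFF TimeDateStamp of a PE image as an aware UTC datetime, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    return datetime.fromtimestamp(struct.unpack_from("<I", data, e_lfanew + 8)[0], tz=timezone.utc)

def triage(raw_email, max_age=timedelta(days=2)):
    """Flag a PE attachment compiled shortly before the Date header, and an RFQ-themed subject whose attachment name says nothing about an RFQ."""
    msg = message_from_bytes(raw_email)
    sent = parsedate_to_datetime(msg["Date"])
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        built = pe_compile_time(part.get_payload(decode=True))
        if built is not None:
            findings.append("pe-attachment")
            if timedelta(0) <= sent - built <= max_age:
                findings.append("freshly-compiled")
        if "quotation" in (msg["Subject"] or "").lower() and not any(k in name.lower() for k in ("rfq", "quot")):
            findings.append("name-unrelated-to-subject")
    return findings

def fake_pe(timestamp):
    dos = bytearray(0x40)  # constructed minimal MZ/PE stub: just enough header for pe_compile_time()
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    return bytes(dos) + b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, timestamp) + b"\0" * 12

def sample_email(compile_age_hours):
    """Constructed lure: attachment 'compiled' compile_age_hours before a send time of 21 Aug 2019 09:00 UTC."""
    sent = datetime(2019, 8, 21, 9, 0, tzinfo=timezone.utc)
    msg = EmailMessage()
    msg["Subject"] = "Urgent Request for Quotation #RFQE67Y54"
    msg["Date"] = format_datetime(sent)
    msg.set_content("Please see attache. My colleague is out of office, I can clarify the contents.")
    msg.add_attachment(fake_pe(int((sent - timedelta(hours=compile_age_hours)).timestamp())),
                       maintype="application", subtype="octet-stream", filename="Dora Explorer Games.exe")
    return msg.as_bytes()
```

Running `triage(sample_email(6))` reports all three findings, while an attachment compiled a year earlier loses only the "freshly-compiled" flag; the name check deliberately ignores the extension, since the lure's name, not its type, is the tell the article describes.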


  • (Score: 1) by anubi (2828) on Thursday September 12 2019, @12:14AM (#892985)

    If this had been opened in an Android phone, would the dirty work still be done?

    You know...different OS. Maybe not as vulnerable as a business system.

    I have for quite some time been opening questionable email in my phone.

    I have more common sense than to go into a business wearing a mask, which may conceal evil, but businesses still think it's OK to send me stuff which may also be used to conceal evil.

    Now, the onus is on me to handle their business communication like a filthy object, opening their mail with standalone systems, or handling unknown specimens handed to me with tongs and gloves.

    I wish we could have kept the plain old ASCII text mode for low level business use. At least I could trust it. I have Congress to thank for this mess...with all their copyright crap. Leaving a lot of us dreaming up schemes to do things in the dark...like embedding executables in a document.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]