loki - Banking & Finance - Red Sky Alliance
2024-03-28T12:27:35Z
https://redskyalliance.org/Finance/feed/tag/loki
SWIFT-Themed Malware Trending: Lokibot Domination
https://redskyalliance.org/Finance/swift-themed-malware-trending-lokibot-domination
2019-04-02T20:02:09.000Z
2019-04-02T20:02:09.000Z
Yury Polozov
https://redskyalliance.org/members/YuryPolozov
<div><p><strong>Summary</strong></p><p>Attackers are using “SWIFT monetary transfer” themed files to lure users into opening them. Wapack Labs studied the SWIFT-themed malicious files submitted to VirusTotal over a 30-day period in February and March 2019. Nearly half were classified as Lokibot, and 12 percent were detected as exploiting CVE-2017-11882, the "Microsoft Office Memory Corruption Vulnerability" in the Office Equation Editor. Most of the samples were submitted from Ukraine, the Czech Republic or the US. In several cases the samples were attached to emails whose social engineering referenced HSBC bank transfers.</p><p><strong>Details</strong></p><p>Figure 1. MS Office file “mt103_swift_payment_copy” prompts the user to enable malicious macros <a id="_ftnref1" rel="nofollow" name="_ftnref1"></a>[1]</p><p><strong>A SWIFT-themed sample</strong></p><p>Wapack Labs analyzed malicious samples uploaded to VirusTotal (VT) between 21 February 2019 and 22 March 2019 whose file name contained either the string “SWIFT Transfer” or “SWIFT payment.”<a id="_ftnref2" rel="nofollow" name="_ftnref2"></a>[2] A total of 33 submitted files were found, 13 for “SWIFT Transfer” and 20 for “SWIFT payment.” In several cases the samples were traced back to malicious emails spoofed to appear to come from HSBC bank (Figure 2).</p><p>Figure 2. Malicious .ace Lokibot attachments in a March 2019 email spoofing HSBC bank</p><p>The most common file names were “Swift Payment Copy” and “Swift Transfer Copy103_PDF.ace”. The string “SWIFT Transfer (103)” appears in 24 percent of the studied file names (see Appendix A); the “103” refers to the SWIFT MT103 customer credit transfer message, a detail that makes the lure credible to finance staff.</p><p><strong>Detection Trends</strong></p><p>Among the specimens, 48% had detections for Lokibot (Loki) malware. The real share of Lokibot campaigns may be larger: some files had only low-confidence generic detections, and some samples may be an earlier stage of a Lokibot campaign, such as an exploit document or downloader that fetches the Lokibot payload (Table 1).</p><p>Table 1. Malware detection among SWIFT-themed samples</p><table><tbody><tr><td width="270"><p>Malware Detection</p></td><td width="138"><p>Frequency</p></td></tr><tr><td width="270"><p>Lokibot</p></td><td width="138"><p>48%</p></td></tr><tr><td width="270"><p>Exploit.CVE-2017-11882</p></td><td width="138"><p>12%</p></td></tr><tr><td width="270"><p>Fuerboos</p></td><td width="138"><p>6%</p></td></tr><tr><td width="270"><p>Pony</p></td><td width="138"><p>6%</p></td></tr><tr><td width="270"><p>BAT/Donoff/Razy</p></td><td width="138"><p>3%</p></td></tr><tr><td width="270"><p>Exploit.CVE-2018-0802</p></td><td width="138"><p>3%</p></td></tr><tr><td width="270"><p>Fareit</p></td><td width="138"><p>3%</p></td></tr><tr><td width="270"><p>Heye</p></td><td width="138"><p>3%</p></td></tr><tr><td width="270"><p>Nanobot</p></td><td width="138"><p>3%</p></td></tr><tr><td width="270"><p>Neshta</p></td><td width="138"><p>3%</p></td></tr><tr><td width="270"><p>PWS:Win32/Primarypass</p></td><td width="138"><p>3%</p></td></tr><tr><td width="270"><p>RTF/Downloader</p></td><td width="138"><p>3%</p></td></tr><tr><td width="270"><p>Trojan[Downloader]/MSOffice.Agent</p></td><td width="138"><p>3%</p></td></tr></tbody></table><p>Exploit.CVE-2017-11882 (“Microsoft Office Memory Corruption Vulnerability”) was the second most common detection at 12 percent. Other detections were each in the low single digits and included known families such as Pony, Fareit, Neshta and Heye (Table 1). Detection names are those reported by the antivirus engines on VT and vary by vendor, so the same family can appear under more than one label.</p><p>Table 2. File types among SWIFT-themed samples</p><table><tbody><tr><td width="208"><p>File type</p></td><td width="176"><p>Frequency</p></td></tr><tr><td width="208"><p>Win32 EXE</p></td><td width="176"><p>36%</p></td></tr><tr><td width="208"><p>Rich Text Format</p></td><td width="176"><p>18%</p></td></tr><tr><td width="208"><p>ACE</p></td><td width="176"><p>15%</p></td></tr><tr><td width="208"><p>ISO image</p></td><td width="176"><p>6%</p></td></tr><tr><td width="208"><p>Outlook</p></td><td width="176"><p>6%</p></td></tr><tr><td width="208"><p>RAR</p></td><td width="176"><p>6%</p></td></tr><tr><td width="208"><p>ZIP</p></td><td width="176"><p>6%</p></td></tr><tr><td width="208"><p>MS Excel Spreadsheet</p></td><td width="176"><p>3%</p></td></tr><tr><td width="208"><p>Office Open XML Spreadsheet</p></td><td width="176"><p>3%</p></td></tr></tbody></table><p>Win32 EXE (36%), Rich Text Format (18%) and ACE (15%) were the top three file types (Table 2). File type is identified from content rather than from the name: the six .doc attachments listed in Appendix A are the six Rich Text Format samples. Lokibot accounted for the majority of the .exe, .ace and other compressed files. ACE and ARJ archives need a third-party extractor and ISO images are not a normal business attachment, so these containers are worth blocking at the mail gateway on their own.</p><p>Several malicious domains and IPs were identified as C2 servers for these samples, and some also hosted next-stage downloads. Wapack Labs has already sinkholed two of the domains found in Lokibot samples, alphastand.win and kbfvzoboss.bid (see the Indicators table below). Traffic to a sinkholed domain still identifies an infected host, so sinkholed indicators belong in detection lists even though they no longer serve the attacker.</p><p>Among the RTF documents (delivered with a .doc extension) and the .xlsx attachment, CVE-2017-11882 was the most common exploit. Table 3 shows the observed CVEs; a single document can carry several exploits, so the percentages overlap and sum to more than 100 percent.</p><p>Table 3. Exploits in SWIFT-themed RTF and .xlsx samples</p><table><tbody><tr><td width="208"><p>Vulnerability</p></td><td width="176"><p>Frequency</p></td></tr><tr><td width="208"><p>CVE-2017-11882</p></td><td width="176"><p>83 %</p></td></tr><tr><td width="208"><p>CVE-2012-0158</p></td><td width="176"><p>50 %</p></td></tr><tr><td width="208"><p>CVE-2017-0199</p></td><td width="176"><p>33 %</p></td></tr><tr><td width="208"><p>CVE-2010-3333</p></td><td width="176"><p>17 %</p></td></tr><tr><td width="208"><p>CVE-2017-1182</p></td><td width="176"><p>17 %</p></td></tr><tr><td width="208"><p>CVE-2017-8570</p></td><td width="176"><p>17 %</p></td></tr><tr><td width="208"><p>CVE-2018-0798</p></td><td width="176"><p>17 %</p></td></tr><tr><td width="208"><p>CVE-2018-0802</p></td><td width="176"><p>17 %</p></td></tr></tbody></table><p>The three most common vulnerabilities were CVE-2017-11882 "Microsoft Office Memory Corruption Vulnerability" (83 percent), CVE-2012-0158 “MSCOMCTL.OCX RCE Vulnerability” (50 percent) and CVE-2017-0199 "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API" (33 percent). In one case the newer CVE-2018-0798 and CVE-2018-0802 were observed (Table 3). All of these were patched before 2019, and CVE-2018-0802 is the follow-on Equation Editor bug that bypassed the original CVE-2017-11882 fix, so an Office install is only protected once the January 2018 update, which removed the Equation Editor entirely, is applied.</p><p><strong>Submission Geolocation</strong></p><p>Fifteen (15) percent of the samples were submitted from the US. European countries accounted for the most submissions, with Ukraine (21%), the Czech Republic (18%) and France (12%) in the top five (Table 4). The VT submission country records where a file was uploaded, which is often a security vendor, mail gateway or researcher rather than the targeted organization, so these figures show where the campaign was noticed rather than confirming a targeting pattern.</p><p>Table 4. Countries of submission of SWIFT-themed malware</p><table><tbody><tr><td width="208"><p>Country</p></td><td width="176"><p>Frequency</p></td></tr><tr><td width="208"><p>UA</p></td><td width="176"><p>21%</p></td></tr><tr><td width="208"><p>CZ</p></td><td width="176"><p>18%</p></td></tr><tr><td width="208"><p>US</p></td><td width="176"><p>15%</p></td></tr><tr><td width="208"><p>ZZ (unknown)</p></td><td width="176"><p>15%</p></td></tr><tr><td width="208"><p>FR</p></td><td width="176"><p>12%</p></td></tr><tr><td width="208"><p>DE, GB, KR, NG, RU</p></td><td width="176"><p>6% each</p></td></tr><tr><td width="208"><p>CH, ES, HR, HU, IN, IT, JP, SG</p></td><td width="176"><p>3% each</p></td></tr></tbody></table><p><strong>Conclusion</strong></p><p>The SWIFT inter-bank payment system remains one of the more popular social engineering themes in malicious email. Fortunately, user education goes a long way toward mitigating these attacks, because every sample in the set required the user to open an attachment, and the macro documents additionally required enabling content, before the malware could install. Patching Office and blocking or quarantining executable and archive attachments (.exe, .scr, .ace, .arj, .iso) at the mail gateway would have removed most of this set before a user ever saw it. 
Lokibot is likewise a popular infostealer malware and accounts for a large amount of Wapack Labs sinkhole traffic.</p><p> </p><p><strong>Indicators</strong></p><table style="height: 1726px;" width="624"><tbody><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>Indicator</p></td><td style="height: 29px;" width="52"><p>Type</p></td><td style="height: 29px;" width="60"><p>Kill_Chain_Phase</p></td><td style="height: 29px;" width="66"><p>First_Seen</p></td><td style="height: 29px;" width="66"><p>Last_Seen</p></td><td style="height: 29px;" width="90"><p>Comments</p></td><td style="height: 29px;" width="62"><p>Attribution</p></td></tr><tr style="height: 45px;"><td style="height: 45px;" width="229"><p>http://kamagra4uk[.]com/gon/okim/oookkkk.exe</p></td><td style="height: 45px;" width="52"><p>URL</p></td><td style="height: 45px;" width="60"><p>Delivery</p></td><td style="height: 45px;" width="66"><p>03/19/2019</p></td><td style="height: 45px;" width="66"><p>03/19/2019</p></td><td style="height: 45px;" width="90"><p>SWIFT Transfer (103) FT19063QCWFG.doc</p></td><td style="height: 45px;" width="62"><p> </p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>kamagra4uk.com</p></td><td style="height: 29px;" width="52"><p>Domain</p></td><td style="height: 29px;" width="60"><p>C2</p></td><td style="height: 29px;" width="66"><p>02/14/2019</p></td><td style="height: 29px;" width="66"><p>03/24/2019</p></td><td style="height: 29px;" width="90"><p>Known malicious source</p></td><td style="height: 29px;" width="62"><p> </p></td></tr><tr style="height: 45px;"><td style="height: 45px;" width="229"><p>hxxp://23.249.163[.]126/link/E0.exe</p></td><td style="height: 45px;" width="52"><p>URL</p></td><td style="height: 45px;" width="60"><p>Delivery</p></td><td style="height: 45px;" width="66"><p>03/15/2019</p></td><td style="height: 45px;" width="66"><p>03/15/2019</p></td><td style="height: 45px;" width="90"><p>Downloader for SWIFT-themed 
malware</p></td><td style="height: 45px;" width="62"><p> </p></td></tr><tr style="height: 45px;"><td style="height: 45px;" width="229"><p>23.249.163.126</p></td><td style="height: 45px;" width="52"><p>IP</p></td><td style="height: 45px;" width="60"><p>C2</p></td><td style="height: 45px;" width="66"><p>09/10/2015</p></td><td style="height: 45px;" width="66"><p>03/21/2019</p></td><td style="height: 45px;" width="90"><p>Downloader for SWIFT-themed malware</p></td><td style="height: 45px;" width="62"><p> </p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>http://simeonolo[.]tk/raphael/fre.php</p></td><td style="height: 29px;" width="52"><p>URL</p></td><td style="height: 29px;" width="60"><p>C2</p></td><td style="height: 29px;" width="66"><p>03/03/2019</p></td><td style="height: 29px;" width="66"><p>03/03/2019</p></td><td style="height: 29px;" width="90"><p> </p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 45px;"><td style="height: 45px;" width="229"><p>simeonolo.tk</p></td><td style="height: 45px;" width="52"><p>Domain</p></td><td style="height: 45px;" width="60"><p>C2</p></td><td style="height: 45px;" width="66"><p>02/25/2019</p></td><td style="height: 45px;" width="66"><p>03/24/2019</p></td><td style="height: 45px;" width="90"><p>SWIFT TRANSFER (103) 001FTLC183520369.exe</p></td><td style="height: 45px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 45px;"><td style="height: 45px;" width="229"><p>198.23.191.102</p></td><td style="height: 45px;" width="52"><p>IP</p></td><td style="height: 45px;" width="60"><p>Delivery</p></td><td style="height: 45px;" width="66"><p>02/21/2019</p></td><td style="height: 45px;" width="66"><p>03/27/2019</p></td><td style="height: 45px;" width="90"><p>Source for CoinStealer and other malware</p></td><td style="height: 45px;" width="62"><p> </p></td></tr><tr style="height: 45px;"><td style="height: 45px;" 
width="229"><p>hxxp://198.23.191[.]102/xml/luc.exe</p></td><td style="height: 45px;" width="52"><p>URL</p></td><td style="height: 45px;" width="60"><p>Delivery</p></td><td style="height: 45px;" width="66"><p>02/21/2019</p></td><td style="height: 45px;" width="66"><p>02/21/2019</p></td><td style="height: 45px;" width="90"><p>SWIFT Transfer (103) REF 076907062017.doc</p></td><td style="height: 45px;" width="62"><p> </p></td></tr><tr style="height: 45px;"><td style="height: 45px;" width="229"><p>http://ophtyeifns[.]cf/raphael/fre.php</p></td><td style="height: 45px;" width="52"><p>URL</p></td><td style="height: 45px;" width="60"><p>C2</p></td><td style="height: 45px;" width="66"><p>03/21/2019</p></td><td style="height: 45px;" width="66"><p>03/21/2019</p></td><td style="height: 45px;" width="90"><p>copy of swift payment 18032019.exe</p></td><td style="height: 45px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>http://oppws[.]cn/broker/five/fre.php</p></td><td style="height: 29px;" width="52"><p>URL</p></td><td style="height: 29px;" width="60"><p>C2</p></td><td style="height: 29px;" width="66"><p>03/22/2019</p></td><td style="height: 29px;" width="66"><p>03/22/2019</p></td><td style="height: 29px;" width="90"><p> </p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>oppws.cn</p></td><td style="height: 29px;" width="52"><p>Domain</p></td><td style="height: 29px;" width="60"><p>C2</p></td><td style="height: 29px;" width="66"><p>02/21/2019</p></td><td style="height: 29px;" width="66"><p>03/27/2019</p></td><td style="height: 29px;" width="90"><p> </p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 45px;"><td style="height: 45px;" width="229"><p>http://kbfvzoboss[.]bid/alien/fre.php</p></td><td style="height: 45px;" width="52"><p>URL</p></td><td style="height: 45px;" width="60"><p>C2</p></td><td 
style="height: 45px;" width="66"><p>07/06/2017</p></td><td style="height: 45px;" width="66"><p>03/23/2019</p></td><td style="height: 45px;" width="90"><p>Lokibot C2 sinkholed by Wapack Labs</p></td><td style="height: 45px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 45px;"><td style="height: 45px;" width="229"><p>kbfvzoboss.bid</p></td><td style="height: 45px;" width="52"><p>Domain</p></td><td style="height: 45px;" width="60"><p>C2</p></td><td style="height: 45px;" width="66"><p>03/21/2017</p></td><td style="height: 45px;" width="66"><p>03/27/2019</p></td><td style="height: 45px;" width="90"><p>Lokibot C2 sinkholed by Wapack Labs</p></td><td style="height: 45px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>http://shirkeswitch[.]net/cbn/okc/shri%20kc.exe</p></td><td style="height: 29px;" width="52"><p>URL</p></td><td style="height: 29px;" width="60"><p>Delivery</p></td><td style="height: 29px;" width="66"><p>03/06/2019</p></td><td style="height: 29px;" width="66"><p>03/06/2019</p></td><td style="height: 29px;" width="90"><p>mt103_swift_payment_copy.xlsx</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>shirkeswitch.net</p></td><td style="height: 29px;" width="52"><p>Domain</p></td><td style="height: 29px;" width="60"><p>Delivery</p></td><td style="height: 29px;" width="66"><p>02/28/2019</p></td><td style="height: 29px;" width="66"><p>03/25/2019</p></td><td style="height: 29px;" width="90"><p> </p></td><td style="height: 29px;" width="62"><p>Trojan.Tasker</p></td></tr><tr style="height: 45px;"><td style="height: 45px;" width="229"><p>http://alphastand[.]win/alien/fre.php</p></td><td style="height: 45px;" width="52"><p>URL</p></td><td style="height: 45px;" width="60"><p>C2</p></td><td style="height: 45px;" width="66"><p>11/21/2017</p></td><td style="height: 45px;" width="66"><p>03/14/2019</p></td><td style="height: 
45px;" width="90"><p>Lokibot C2 sinkholed by Wapack Labs</p></td><td style="height: 45px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>http://alphastand[.]top/alien/fre.php</p></td><td style="height: 29px;" width="52"><p>URL</p></td><td style="height: 29px;" width="60"><p>C2</p></td><td style="height: 29px;" width="66"><p>03/14/2019</p></td><td style="height: 29px;" width="66"><p>03/21/2019</p></td><td style="height: 29px;" width="90"><p>Swift Payment 2018-pdf.exe</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>alphastand.top</p></td><td style="height: 29px;" width="52"><p>Domain</p></td><td style="height: 29px;" width="60"><p>C2</p></td><td style="height: 29px;" width="66"><p>10/23/2018</p></td><td style="height: 29px;" width="66"><p>03/23/2019</p></td><td style="height: 29px;" width="90"><p> </p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>http://alphastand[.]trade/alien/fre.php</p></td><td style="height: 29px;" width="52"><p>URL</p></td><td style="height: 29px;" width="60"><p>C2</p></td><td style="height: 29px;" width="66"><p>03/21/2019</p></td><td style="height: 29px;" width="66"><p>03/21/2019</p></td><td style="height: 29px;" width="90"><p>Swift Payment 2018-pdf.exe</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>alphastand.trade</p></td><td style="height: 29px;" width="52"><p>Domain</p></td><td style="height: 29px;" width="60"><p>C2</p></td><td style="height: 29px;" width="66"><p>02/28/2019</p></td><td style="height: 29px;" width="66"><p>03/27/2019</p></td><td style="height: 29px;" width="90"><p> </p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" 
width="229"><p>765a1c515f085fa49ec7cced37fc8a42</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/19/2019</p></td><td style="height: 29px;" width="66"><p>03/19/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>4364db8b13c277e5a02a0e6f6ad21650</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/08/2019</p></td><td style="height: 29px;" width="66"><p>03/08/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Exploit.CVE-2017-11882</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>aad733295bee1604883c31dfaf8d65d5</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/08/2019</p></td><td style="height: 29px;" width="66"><p>03/08/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>bd1a572407c04e1ede2daee667bde7ed</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/07/2019</p></td><td style="height: 29px;" width="66"><p>03/07/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>6969c449428da00cbcc0590f7faa5a6f</p></td><td style="height: 29px;" 
width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/05/2019</p></td><td style="height: 29px;" width="66"><p>03/05/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Exploit.CVE-2017-11882</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>5f0fef9219bea459e8a208ae0dd50a47</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>02/27/2019</p></td><td style="height: 29px;" width="66"><p>02/27/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Heye</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>bdc79f5e382c2f1a66aa7e0b54ff8977</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>02/26/2019</p></td><td style="height: 29px;" width="66"><p>02/26/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>b33af2043786b54831d73d7dbf9826fd</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>02/25/2019</p></td><td style="height: 29px;" width="66"><p>02/25/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>PWS:Win32/Primarypass</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>1b9296800f7ba024266fc9a986a2957e</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td 
style="height: 29px;" width="66"><p>02/25/2019</p></td><td style="height: 29px;" width="66"><p>02/25/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Trojan[Downloader]/MSOffice.Agent</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>00be6d57beddee4d6c5caad825085f9c</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>02/25/2019</p></td><td style="height: 29px;" width="66"><p>02/25/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>8fdaf7751d5570699dad8548945f381c</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>02/25/2019</p></td><td style="height: 29px;" width="66"><p>02/25/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>cd6661b14d959f09bd1513acf96f314a</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>02/23/2019</p></td><td style="height: 29px;" width="66"><p>02/23/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Fareit</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>be667d77aa73e1081c7ed23b083115ec</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>02/21/2019</p></td><td style="height: 29px;" 
width="66"><p>02/21/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>RTF/Downloader</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>f49a534fbbb1f197b6b78eed7732fc25</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/22/2019</p></td><td style="height: 29px;" width="66"><p>03/22/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>1cbecea4f738ab2b7b3727e0a73421be</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/21/2019</p></td><td style="height: 29px;" width="66"><p>03/21/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Pony</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>3ad76747bfc9a1bde902fde2bc67aff6</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/21/2019</p></td><td style="height: 29px;" width="66"><p>03/21/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Pony</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>312179934596ef63942d0e0fd004317d</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/21/2019</p></td><td style="height: 29px;" width="66"><p>03/21/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 
29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>075ffadd5f3b5ebc09e8754fc5655c1e</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/21/2019</p></td><td style="height: 29px;" width="66"><p>03/21/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>4ab00512245631b8b72ae8c6c0ede7a5</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/20/2019</p></td><td style="height: 29px;" width="66"><p>03/20/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Nanobot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>096a65eacac3180a4bd35a9dbf8a119f</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/19/2019</p></td><td style="height: 29px;" width="66"><p>03/19/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>BAT/Donoff/Razy</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>8dfe2253473211d94478063ec5ae4318</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/19/2019</p></td><td style="height: 29px;" width="66"><p>03/19/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Fuerboos</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" 
width="229"><p>d33b98453d4cdb9d558b937ac7098bec</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/18/2019</p></td><td style="height: 29px;" width="66"><p>03/18/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Exploit.CVE-2017-11882</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>fb1e0e3d3a4301c0286fcd0c6b23d566</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/12/2019</p></td><td style="height: 29px;" width="66"><p>03/12/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>35325353f2120196612f59743ebc6a42</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/11/2019</p></td><td style="height: 29px;" width="66"><p>03/11/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>590caf9ac91d00be9cb4935ace2e228d</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/11/2019</p></td><td style="height: 29px;" width="66"><p>03/11/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>df10d53360c6476bd5bf768584814161</p></td><td style="height: 29px;" 
width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/11/2019</p></td><td style="height: 29px;" width="66"><p>03/11/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>4da7e2ae11547e9e0ce4e8b56b75b831</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/11/2019</p></td><td style="height: 29px;" width="66"><p>03/11/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>ac1e78785003244871a7fe0d08cf45f4</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/08/2019</p></td><td style="height: 29px;" width="66"><p>03/08/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>797f73a9caf1794f767f13e2dccc7178</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/07/2019</p></td><td style="height: 29px;" width="66"><p>03/07/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Exploit.CVE-2018-0802</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>720e68135c6186d147cf92e7e445de8f</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 
29px;" width="66"><p>03/06/2019</p></td><td style="height: 29px;" width="66"><p>03/06/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Neshta</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>52bd6f94f7f4eba350d2530b487800cd</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>03/06/2019</p></td><td style="height: 29px;" width="66"><p>03/06/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Exploit.CVE-2017-11882</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>fd76164f55c9862a2f63d2161a5ecb92</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>02/25/2019</p></td><td style="height: 29px;" width="66"><p>02/25/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Fuerboos</p></td></tr><tr style="height: 29px;"><td style="height: 29px;" width="229"><p>44d8f0672222de5abd740b12341a86aa</p></td><td style="height: 29px;" width="52"><p>MD5</p></td><td style="height: 29px;" width="60"><p>Exploitation</p></td><td style="height: 29px;" width="66"><p>02/21/2019</p></td><td style="height: 29px;" width="66"><p>02/21/2019</p></td><td style="height: 29px;" width="90"><p>SWIFT-themed malware</p></td><td style="height: 29px;" width="62"><p>Lokibot</p></td></tr></tbody></table><p>Prepared by: Yury Polozov<br/> Reviewed by: B. Schenkelberg<br/> Approved by: C. Hall/J. McKee</p><p>For questions or comments regarding this report, please contact the lab directly at 603-606-1246, or by email at <a href="mailto:feedback@wapacklabs.com?subject=Feedback:%20Electorate%20trolling" rel="nofollow">feedback@wapacklabs.com</a>.</p><p><strong>Appendix A. SWIFT-themed malware file names</strong></p><table><tbody><tr><td width="528"><p>copy of swift payment 18032019.exe</p><p>copy of swift payment 18032019.iso</p><p>FW_ Swift Payment Copy - Incorrect Bank Details provided.msg</p><p>mt103_swift_payment_copy.xlsx</p><p>PAYMENT SWIFT.exe</p><p>Swift Payment 2018-pdf.exe</p><p>SWIFT PAYMENT CONFIRMATION ELECTRONIC DOC0000output35C6C0.rar</p><p>Swift Payment Copy-pdf.exe</p><p>Swift Payment Copy.ace</p><p>Swift Payment Copy.doc</p><p>SWIFT PAYMENT COPY.exe</p><p>Swift Payment Copy.exe</p><p>SWIFT PAYMENT COPY.pdf.7z</p><p>Swift Payment Slip.exe</p><p>Swift Payment ZIP.arj</p><p>Swift Payment-7382992.scr</p><p>SWIFT PAYMENT.doc</p><p>SWIFT TRANSFER (/SWIFT TRANSFER (103) 001FTLC183520369.exe</p><p>SWIFT TRANSFER (103) 001FTLC183520369.iso</p><p>SWIFT TRANSFER (103) 001FTLC183520369.msg</p><p>SWIFT Transfer (103) 001FTLC183520369.xls</p><p>SWIFT Transfer (103) FT19063QCWFG.doc</p><p>SWIFT Transfer (103) FT19063QCWFG.doc</p><p>SWIFT Transfer (103) REF 076907062017.doc</p><p>SWIFT TRANSFER (103)\r 001FTLC183520369.iso</p><p>Swift Transfer Copy10.pdf.ace</p><p>Swift Transfer Copy103_PDF.ace</p><p>Swift Transfer Copy103_PDF.ace</p><p>Swift Transfer Copy103_PDF.ace</p><p>Swift Transfer Payment Slip.exe</p><p>Swift transfer.exe-2019-02-27.20-04-01.txt</p><p>swift_payment_copy.doc</p><p>Swift_Payment.exe</p><p>Swift_Payment.zip</p></td></tr></tbody></table><p><a id="_ftn1" rel="nofollow" name="_ftn1"></a>[1] hybrid-analysis.com/sample/cdcd4b6963f006947de99bf95e224de8ac7ae7d3a36a3f8575fc70fc7c93ff07</p><p><a id="_ftn2" rel="nofollow" name="_ftn2"></a>[2] The Society for Worldwide Interbank Financial Telecommunication 
(SWIFT) provides a network that enables financial institutions worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment.</p></div>
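<p>The file names in Appendix A share one pattern: a "SWIFT transfer" or "SWIFT payment" theme wrapped around an executable, an archive, a disk image or an Office document, frequently with a decoy document type bolted on ("Copy-pdf.exe", "COPY.pdf.7z", "Copy103_PDF.ace"). The script below is an added example written for this page, not code from Wapack Labs or from the report: it turns that naming pattern into an attachment triage check of the kind a mail gateway or SOC enrichment job could run. The function names (classify, triage, summarize), the extension classes, the decoy-suffix heuristic and the severity tiers are the example's own assumptions; the sample input is a subset of the Appendix A names, copied from the page.</p>

```python
"""Attachment-name triage for SWIFT-themed lures.

Added example; not code from the Wapack Labs report. Extension classes and
severity tiers are this example's own assumptions, not a taxonomy from the
report. Input is the file name only, so this is a first-pass filter, not a
verdict on the file's contents.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import NamedTuple

LURE_WORDS = ("transfer", "payment")  # the report's two search strings
# Decoy document type glued to the stem with '-' or '_' ("Copy-pdf.exe", "Copy103_PDF.ace").
FAKE_SUFFIX_RE = re.compile(r"[-_ ](pdf|doc|xls|txt)$")

EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
ARCHIVE = {"zip", "rar", "7z", "ace", "arj", "gz", "cab"}
DISK_IMAGE = {"iso", "img", "vhd"}
OFFICE = {"doc", "docx", "xls", "xlsx", "rtf", "ppt", "pptx"}
EMAIL = {"msg", "eml"}
DECOY = {"pdf", "doc", "xls", "txt", "jpg", "png"}  # what a lure pretends to be


class Verdict(NamedTuple):
    filename: str
    swift_lure: bool
    category: str          # executable / archive / disk_image / office / email / other
    double_extension: bool
    severity: str          # high / medium / low


def split_name(name: str) -> tuple[str, list[str]]:
    """(stem, extensions) of the last path component, lower-cased.
    'COPY.pdf.7z' -> ('copy', ['pdf', '7z']); 'Copy-pdf.exe' -> ('copy-pdf', ['exe'])."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return parts[0], [p for p in parts[1:] if p]


def is_swift_lure(name: str) -> bool:
    """Theme check: 'swift' plus 'transfer' or 'payment' anywhere in the name, any order."""
    n = name.lower()
    return "swift" in n and any(w in n for w in LURE_WORDS)


def category_of(ext: str) -> str:
    for cat, exts in (("executable", EXECUTABLE), ("archive", ARCHIVE),
                      ("disk_image", DISK_IMAGE), ("office", OFFICE), ("email", EMAIL)):
        if ext in exts:
            return cat
    return "other"


def classify(name: str) -> Verdict:
    stem, exts = split_name(name)
    category = category_of(exts[-1] if exts else "")
    # Double extension: a decoy type sits before the real suffix, dotted or glued on.
    double = any(e in DECOY for e in exts[:-1]) or bool(FAKE_SUFFIX_RE.search(stem))
    if category in ("executable", "disk_image"):
        severity = "high"        # runs directly, or mounts to expose an executable
    elif category == "archive":
        severity = "high" if double else "medium"
    elif category in ("office", "email"):
        severity = "medium"      # macro or CVE-2017-11882-style exploit carrier, or a nested lure
    else:
        severity = "low"
    return Verdict(name, is_swift_lure(name), category, double, severity)


def triage(names: list[str]) -> list[Verdict]:
    """Classify every name and return the verdicts ordered high -> low (stable within a tier)."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted((classify(n) for n in names), key=lambda v: rank[v.severity])


def summarize(verdicts: list[Verdict]) -> Counter:
    return Counter(v.category for v in verdicts)


# Constructed sample: a subset of the file names listed in Appendix A of the report.
APPENDIX_A_SAMPLE = [
    "copy of swift payment 18032019.exe",
    "copy of swift payment 18032019.iso",
    "FW_ Swift Payment Copy - Incorrect Bank Details provided.msg",
    "mt103_swift_payment_copy.xlsx",
    "PAYMENT SWIFT.exe",
    "Swift Payment 2018-pdf.exe",
    "SWIFT PAYMENT CONFIRMATION ELECTRONIC DOC0000output35C6C0.rar",
    "Swift Payment Copy.ace",
    "Swift Payment Copy.doc",
    "SWIFT PAYMENT COPY.pdf.7z",
    "Swift Payment-7382992.scr",
    "SWIFT TRANSFER (103) 001FTLC183520369.iso",
    "SWIFT Transfer (103) 001FTLC183520369.xls",
    "Swift Transfer Copy103_PDF.ace",
    "Swift transfer.exe-2019-02-27.20-04-01.txt",
    "Swift_Payment.zip",
]

if __name__ == "__main__":
    verdicts = triage(APPENDIX_A_SAMPLE)
    for v in verdicts:
        flag = "double-ext" if v.double_extension else ""
        print(f"{v.severity:6} {v.category:10} {flag:10} {v.filename}")
    print(dict(summarize(verdicts)))
```

<p>Run on the sample, the executables, both ISO images and every archive carrying a decoy suffix land in the high tier, the plain archives and the Office and .msg carriers in the medium tier, and the sandbox log (.txt) at the bottom. A name-only check like this is for prioritising what to detonate or block; confirmation still comes from the hash table above or from sandbox output, since nothing in the name proves which family (Lokibot, Neshta, Fuerboos) or which Office exploit is inside.</p>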