X-Industry

loki (3)

Summary

Wapack Labs observed malicious email trending on CTAC, which detected an uptick in Darwish Trading Company (DTC) spoofing. Hackers pretend to be from this Qatari company because it has a wide range of business activities, including servicing the oil and gas sector. During 29 March 2019 – 3 April 2019, these samples were seen delivering Lokibot and PonyLoader malware.

Details…

Summary

Loki is a very popular bot/stealer malware which has been for sale in the underground since 2015. In 2017, two hackers from the Russian hacking forum fuckav.ru cracked Loki and released a cracked builder. Once the cracked builder was released, new unofficial versions of Loki were found for sale in novice English-speaking forums for less than the original version.

This report provides details on the following Loki…

Summary

Hackers are using “SWIFT monetary transfer” themed files to lure users into opening them. These files have been identified as malicious. Wapack Labs studied a sample group of SWIFT-themed malicious files during a 30-day period in February-March 2019. Nearly half are classified as Lokibot, and 12 percent were detected exploiting CVE-2017-11882, "Microsoft Office Memory Corruption Vulnerability." Most of the samples were submitted from either Ukraine, the Czech…