Lokibot in Portugal (Red Sky Alliance, Transportation: https://redskyalliance.org/transportation/lokibot-in-portugal), 2019-01-31, by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p>The European Maritime Safety Agency (EMSA) in Lisbon, Portugal, may be infected with the Lokibot trojan malware and may be connecting directly to an owned C2 domain in Ho Chi Minh City, Vietnam. Caution should be exercised in any cyber interactions with the EMSA IP 91.231.216.116.</p>
<p><strong>Details:</strong></p>
<p>During routine collection and analysis for maritime sector threats and vulnerabilities, Wapack Labs Cyber Threat Analysis Center (CTAC) produced 5 hits on 27 January 2019.  Analysis indicated that the European Maritime Safety Agency (EMSA) is likely infected with the Lokibot malware, which is calling back to the C2 located in Ho Chi Minh City, Vietnam.  The EMSA is a European Union (EU) agency charged with reducing the risk of maritime accidents, marine pollution from ships and the loss of human lives at sea by helping to enforce the pertinent EU legislation. It is headquartered in Lisbon, Portugal (PT).<a href="#_ftn1" name="_ftnref1" id="_ftnref1">[1]</a></p>
<p>European Maritime Safety Agency</p>
<p>Agency executive: Markku Mylly, Director</p>
<p>Jurisdiction: European Union</p>
<p>Founded: August 25, 2002</p>
<p>Address: Praça Europa 4, Cais do Sodré, 1249-206 LISBON, Portugal</p>
<p>Tel: +351 21 1209 281</p>
<p>Domain: hxxp://www.emsa.europa[.]eu/</p>
<p>Figure 1. EMSA Lisbon Portugal</p>
<p>Figure 2. image: BleepingComputer</p>
<p>The LokiBot Android Trojan was first seen in February 2016 and is considered one of the first instances in which malware could infect devices and settle inside the core Android operating system processes. LokiBot used this as an anti-detection technique to stay undetected longer and carry out operations with root privileges. The Trojan has the capability to steal various content from the device, disable notifications, intercept communications, and exfiltrate data.</p>
<p>In December 2016, researchers discovered a new variant of LokiBot that targets Android operating systems’ core libraries.  The infection process changed to yield better results in anti-detection and avoid blacklisting by security companies.  LokiBot infects users when they install malicious apps from third-party app stores. The apps contain an exploit to elevate the malware’s privileges.  The February 2016 version targets the native Android “system_server” and the December variant modifies a native system library and loads one of the Trojan’s components.<a href="#_ftn2" name="_ftnref2" id="_ftnref2">[2]</a></p>
<p>The owned C2 is hxxp://thammyvienanthea[.]com/vhl/Panel/five/fre.php, a Vietnamese beauty and skincare site. Its WHOIS registration record:</p>
<p>Domain Name: THAMMYVIENANTHEA[.]COM</p>
<p>Creation Date: 2018-04-04T09:01:24Z</p>
<p>Registrar Registration Expiration Date: 2019-04-04T09:01:24Z</p>
<p>Name: Le Thanh Thuy</p>
<p>Street: 47 Duong so 1 Kdc Cityland, Phuong 7</p>
<p>City: Ho Chi Minh</p>
<p>Postal Code: 700000</p>
<p>Country: VN</p>
<p>Phone: +84.0946147373</p>
<p>Email: thachpham@azdigi[.]com</p>
<p><strong>Recommendations:</strong></p>
<p>Caution should be exercised when communicating with the EMSA to avoid possible infection. The main purpose of LokiBot is to display unwanted ads; if infected, you can remove LokiBot by reinstalling the entire operating system.</p>
<p><strong>Indicators:</strong></p>
<table>
<tbody>
<tr><th>Indicator</th><th>Type</th><th>Kill_Chain_Phase</th><th>First_Seen</th><th>Last_Seen</th><th>Comments</th><th>Attribution</th></tr>
<tr><td>91.231.216.116</td><td>IP</td><td>Installation</td><td>1/27/2019 15:34:26.000</td><td>1/27/2019 15:34:26.000</td><td>Lokibot infection, Maritime Sector, Lisbon PT</td><td>unknown</td></tr>
<tr><td>hxxp://thammyvienanthea[.]com/</td><td>domain</td><td>C2</td><td>1/27/2019 15:34:26.000</td><td>1/27/2019 20:10:19.000</td><td>Vietnam</td><td></td></tr>
<tr><td>Lokibot</td><td>malware</td><td>Attribution</td><td>1/27/2019</td><td>1/27/2019</td><td>Trojan malware</td><td>unknown</td></tr>
</tbody>
</table>
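<p>To act on the indicators above, a defender has to undo the report's defanged notation (hxxp://, [.]) and match the values against logs without false hits from longer strings such as 191.231.216.116. The following Python is an added example, not Red Sky Alliance or Wapack Labs code; the log lines are constructed, and deriving a bare-host matcher from the C2 URL (so DNS logs that never show the path still match) is an assumption of this example.</p>

```python
import re

# Indicators copied from the report, in the defanged form it uses.
REPORT_INDICATORS = {
    "91.231.216.116": "ip",
    "hxxp://thammyvienanthea[.]com/vhl/Panel/five/fre.php": "c2_url",
}

# Constructed log lines (not from the report): proxy, DNS and firewall events.
SAMPLE_LOGS = [
    "2019-01-27T15:34:26Z proxy src=10.0.5.23 POST http://thammyvienanthea.com/vhl/Panel/five/fre.php 200",
    "2019-01-27T15:35:01Z dns src=10.0.5.23 query=thammyvienanthea.com type=A",
    "2019-01-27T15:36:10Z fw src=10.0.5.23 dst=191.231.216.116 dport=443 allow",
    "2019-01-27T15:37:44Z fw src=10.0.5.25 dst=91.231.216.116 dport=25 allow",
    "2019-01-27T15:38:02Z fw src=10.0.5.24 dst=93.184.216.34 dport=443 allow",
]

def refang(value):
    """Undo the report's defanging (hxxp://, [.]) so values match real log text."""
    value = value.replace("[.]", ".")
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.I)
    return value.lower()

def build_matchers(indicators):
    """Compile one regex per indicator; a C2 URL also yields a bare-host matcher
    (assumed here) so DNS/TLS logs without the URL path still produce a hit."""
    matchers = []
    for raw, kind in indicators.items():
        clean = refang(raw)
        needles = [(kind, clean)]
        if kind == "c2_url":
            host = re.sub(r"^https?://", "", clean).split("/", 1)[0]
            needles.append(("c2_host", host))
        for needle_kind, needle in needles:
            # Lookarounds stop 91.231.216.116 from matching inside 191.231.216.116.
            pattern = re.compile(r"(?<![\w.])" + re.escape(needle) + r"(?![\w.])")
            matchers.append((needle_kind, raw, pattern))
    return matchers

def scan_logs(lines, matchers):
    """Return (line_index, kind, indicator); a full-URL hit suppresses the host hit."""
    hits = []
    for idx, line in enumerate(lines):
        found = [(k, raw) for k, raw, pat in matchers if pat.search(line.lower())]
        if any(k == "c2_url" for k, _ in found):
            found = [f for f in found if f[0] != "c2_host"]
        hits.extend((idx, k, raw) for k, raw in found)
    return hits
```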
<p>For questions, comments or assistance regarding this report, please contact Wapack Labs at 844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p><a href="#_ftnref1" name="_ftn1" id="_ftn1">[1]</a> hxxp://www.emsa.europa.eu/</p>
<p><a href="#_ftnref2" name="_ftn2" id="_ftn2">[2]</a> hxxps://www.cyber.nj[.]gov/threat-profiles/android-malware-variants/lokibot</p>
</div>