Transportation

The European Maritime Safety Agency (EMSA) in Lisbon, Portugal, may be infected with the Lokibot trojan malware and may be connecting directly to an owned C2 domain in Ho Chi Minh City, Vietnam. Caution should be exercised in any cyber interactions with the EMSA IP: 91.231.216.116.

Details:

During routine collection and analysis for maritime sector threats and vulnerabilities, Wapack Labs Cyber Threat Analysis Center (CTAC) produced 5 hits on 27 January 2019.  Analysis indicated that the European Maritime Safety Agency (EMSA) is likely infected with the Lokibot malware, which is calling back to the C2 located in Ho Chi Minh City, Vietnam.  The EMSA is a European Union (EU) agency charged with reducing the risk of maritime accidents, marine pollution from ships and the loss of human lives at sea by helping to enforce the pertinent EU legislation. It is headquartered in Lisbon, Portugal (PT).[1]


European Maritime Safety Agency

Agency executive: Markku Mylly, Director

Jurisdiction: European Union

Founded: August 25, 2002

Address: Praça Europa 4, Cais do Sodré, 1249-206 LISBON, Portugal

Tel: +351 21 1209 281

Domain: hxxp://www.emsa.europa[.]eu/

Figure 1. EMSA Lisbon Portugal

 Figure 2. image: BleepingComputer

The LokiBot Android Trojan was first seen in February 2016 and is considered one of the first instances in which malware could infect devices and settle inside the core Android operating system processes. LokiBot used this as an anti-detection technique to go undetected longer and carry out operations with root privileges. The Trojan has the capability to steal various content from the device, disable notifications, intercept communications, and exfiltrate data.

In December 2016, researchers discovered a new variant of LokiBot that targets Android operating systems’ core libraries.  The infection process changed to yield better results in anti-detection and avoid blacklisting by security companies.  LokiBot infects users when they install malicious apps from third-party app stores. The apps contain an exploit to elevate the malware’s privileges.  The February 2016 version targets the native Android “system_server” and the December variant modifies a native system library and loads one of the Trojan’s components.[2]

The owned C2 is hxxp://thammyvienanthea[.]com/vhl/Panel/five/fre.php, on the domain of a Vietnamese Asian beauty and skincare site. Registration details:

Domain Name: THAMMYVIENANTHEA[.]COM

Creation Date: 2018-04-04T09:01:24Z

Registrar Registration Expiration Date: 2019-04-04T09:01:24Z

Name: Le Thanh Thuy

Street: 47 Duong so 1Kdc Cityland, Phuong 7

City: Ho Chi Minh

Postal Code: 700000

Country: VN

Phone: +84.0946147373

Email: thachpham@azdigi[.]com

Recommendations:

Caution should be exercised when communicating with the EMSA to avoid possible infection. The main purpose of LokiBot is to display unwanted ads; if infected, you can remove LokiBot by reinstalling the entire operating system.

Indicators:

| Indicator | Type | Kill_Chain_Phase | First_Seen | Last_Seen | Comments | Attribution |
| --- | --- | --- | --- | --- | --- | --- |
| 91.231.216.116 | IP | Installation | 1/27/19: 15:34:26.000 | 1/27/2019: 15:34:26.000 | Lokibot infect Maritime Sector, Lisbon PT | unknown |
| hxxp://thammyvienanthea[.]com/ | domain | C2 | 1/27/19: 15:34:26.000 | 1/27/2019: 20:10:19.000 | Vietnam | |
| Lokibot | malware | Attribution | 1/27/19 | 1/27/2019 | Trojan malware | unknown |
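A defensive hunt for the C2 indicator listed above, as an added example that is not part of the original Wapack Labs report: it refangs the published URL at run time and checks web proxy log lines for requests to that host or exact path. The log format (time, client, method, URL, status) and the 10.0.0.x client addresses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicator copied from this report, kept defanged until run time.
PAGE_INDICATORS = ["hxxp://thammyvienanthea[.]com/vhl/Panel/five/fre.php"]

def refang(value):
    """Undo the hxxp / [.] defanging used in the report."""
    value = value.strip().replace("[.]", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)

def build_watchlist(indicators):
    """Return {hostname: set of exact paths published for that host}."""
    watch = {}
    for raw in indicators:
        parts = urlsplit(refang(raw))
        paths = watch.setdefault(parts.hostname.lower(), set())
        if parts.path not in ("", "/"):
            paths.add(parts.path)
    return watch

def scan(log_lines, watch):
    """Return (client_ip, match_kind, url) for requests to watched hosts."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        for domain, paths in watch.items():
            # Exact host or a true subdomain only; lookalikes must not match.
            if host == domain or host.endswith("." + domain):
                kind = "c2_url" if parts.path in paths else "c2_domain"
                hits.append((client, kind, url))
    return hits

C2 = refang(PAGE_INDICATORS[0])
HOST = urlsplit(C2).hostname
# Constructed proxy log (assumed format: time client method url status).
SAMPLE_LOG = [
    f"2019-01-27T15:34:26Z 10.0.0.21 POST {C2} 200",
    f"2019-01-27T15:40:02Z 10.0.0.35 GET http://{HOST}/ 200",
    f"2019-01-27T15:41:10Z 10.0.0.40 GET http://not{HOST}/vhl/Panel/five/fre.php 200",
    f"2019-01-27T15:42:55Z 10.0.0.41 GET http://{HOST}.example.org/ 200",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, build_watchlist(PAGE_INDICATORS)):
        print(hit)
```

A `c2_url` hit (exact panel path) is stronger evidence of an infected client than a `c2_domain` hit, which may be a visit to the legitimate site content on the same host.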

 

For questions, comments or assistance regarding this report, please contact Wapack Labs at 844-492-7225, or feedback@wapacklabs.com

[1] hxxp://www.emsa.europa.eu/

[2] hxxps://www.cyber.nj[.]gov/threat-profiles/android-malware-variants/lokibot