The European Maritime Safety Agency (EMSA) in Lisbon, Portugal, may be infected with the Lokibot trojan malware and connecting directly to an owned C2 domain in Ho Chi Minh City, Vietnam. Caution should be exercised in any cyber interactions with the EMSA IP: 91.231.216.116.
Details:
During routine collection and analysis for maritime sector threats and vulnerabilities, Wapack Labs Cyber Threat Analysis Center (CTAC) produced 5 hits on 27 January 2019. Analysis indicated that the European Maritime Safety Agency (EMSA) is likely infected with the Lokibot malware, which is calling back to the C2 located in Ho Chi Minh City, Vietnam. The EMSA is a European Union (EU) agency charged with reducing the risk of maritime accidents, marine pollution from ships and the loss of human lives at sea by helping to enforce the pertinent EU legislation. It is headquartered in Lisbon, Portugal (PT).[1]
European Maritime Safety Agency
Agency executive: Markku Mylly, Director
Jurisdiction: European Union
Founded: August 25, 2002
Address: Praça Europa 4, Cais do Sodré, 1249-206 LISBON, Portugal
Tel: +351 21 1209 281
Domain: hxxp://www.emsa.europa[.]eu/
Figure 1. EMSA Lisbon Portugal
Figure 2. image: BleepingComputer
The LokiBot Android Trojan was first seen in February 2016 and is considered one of the first instances where malware could infect devices and settle inside the core Android operating system processes. LokiBot used this as an anti-detection technique to go undetected longer and carry out operations with root privileges. The Trojan has the capability to steal various content from the device, disable notifications, intercept communications, and exfiltrate data.
In December 2016, researchers discovered a new variant of LokiBot that targets Android operating systems’ core libraries. The infection process changed to yield better results in anti-detection and avoid blacklisting by security companies. LokiBot infects users when they install malicious apps from third-party app stores. The apps contain an exploit to elevate the malware’s privileges. The February 2016 version targets the native Android “system_server” and the December variant modifies a native system library and loads one of the Trojan’s components.[2]
Owned C2 is: hxxp://thammyvienanthea[.]com/vhl/Panel/five/fre.php. The domain belongs to a Vietnamese beauty and skincare site; its WHOIS record follows:
Domain Name: THAMMYVIENANTHEA[.]COM
Creation Date: 2018-04-04T09:01:24Z
Registrar Registration Expiration Date: 2019-04-04T09:01:24Z
Name: Le Thanh Thuy
Street: 47 Duong so 1Kdc Cityland, Phuong 7
City: Ho Chi Minh
Postal Code: 700000
Country: VN
Phone: +84.0946147373
Email: thachpham@azdigi[.]com
Recommendations:
Caution should be exercised when communicating with the EMSA to avoid possible infection. The main purpose of LokiBot is to display unwanted ads; if infected, you can remove LokiBot by reinstalling the entire operating system.
Indicators:
Indicator | Type | Kill_Chain_Phase | First_Seen | Last_Seen | Comments | Attribution
--- | --- | --- | --- | --- | --- | ---
91.231.216.116 | IP | Installation | 1/27/19 15:34:26.000 | 1/27/2019 15:34:26.000 | Lokibot infect Maritime Sector, Lisbon PT | unknown
hxxp://thammyvienanthea.com/ | domain | C2 | 1/27/19 15:34:26.000 | 1/27/2019 20:10:19.000 | Vietnam | 
Lokibot | malware | Attribution | 1/27/19 | 1/27/2019 | Trojan malware | unknown
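The indicators above are published defanged (hxxp, [.]), so they cannot be pasted straight into a log search. The following Python script is an added example, not part of the Wapack Labs report: it refangs the report's two network indicators, reduces the C2 URL to its hostname, and sweeps proxy, DNS and firewall log lines for either value. The log lines and their field names (src, dst_host, query, and so on) are constructed for the example and do not come from EMSA or any real sensor.

```python
import re

# Indicators exactly as published in the report, still defanged.
REPORT_INDICATORS = {
    "91.231.216.116": "EMSA host reported as Lokibot-infected (Installation)",
    "hxxp://thammyvienanthea[.]com/vhl/Panel/five/fre.php": "Lokibot C2 panel (C2)",
}


def refang(value: str) -> str:
    """Undo the usual defanging: hxxp -> http, [.] -> ., [:] -> :."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("[:]", ":")


def match_key(indicator: str) -> str:
    """Value a log line would actually carry: the hostname for a URL, else the raw value."""
    v = refang(indicator)
    m = re.match(r"^https?://([^/:?#]+)", v, flags=re.IGNORECASE)
    return (m.group(1) if m else v).lower()


# Tokens are runs of letters, digits, dots and dashes, so "url=http://host/path"
# yields "host" as its own token and a DNS query "host." is handled by rstrip.
_TOKEN = re.compile(r"[A-Za-z0-9.\-]+")


def scan_logs(lines, indicators=REPORT_INDICATORS):
    """Return (line_number, matched_value, label) for every line carrying an indicator.

    A line is reported once per indicator even if the value appears several times.
    """
    keys = {match_key(ind): label for ind, label in indicators.items()}
    hits = []
    for n, line in enumerate(lines, 1):
        seen = set()
        for tok in _TOKEN.findall(line.lower()):
            tok = tok.rstrip(".")
            if tok in keys and tok not in seen:
                seen.add(tok)
                hits.append((n, tok, keys[tok]))
    return hits


# Constructed sample log lines (not real telemetry). Line 4 is written from the
# point of view of a third party whose firewall sees traffic from the EMSA IP.
SAMPLE_LOGS = [
    "2019-01-27T15:34:26Z proxy src=10.20.4.15 dst_host=thammyvienanthea.com method=POST "
    "url=http://thammyvienanthea.com/vhl/Panel/five/fre.php status=200",
    "2019-01-27T15:40:02Z dns client=10.20.4.15 query=thammyvienanthea.com. type=A",
    "2019-01-27T15:41:10Z proxy src=10.20.4.16 dst_host=www.emsa.europa.eu method=GET "
    "url=http://www.emsa.europa.eu/ status=200",
    "2019-01-27T20:10:19Z fw action=allow src=91.231.216.116 dst=203.0.113.10 dport=80",
]


if __name__ == "__main__":
    for line_no, value, label in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {value} -> {label}")
```

Matching on the hostname rather than the full URL path is deliberate: the C2 path (/vhl/Panel/five/fre.php) can change between samples, while the domain is the stable part of the indicator and is what DNS logs record. Feeding real proxy or DNS exports into scan_logs one line at a time is enough to triage them against this report.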
For questions, comments or assistance regarding this report, please contact Wapack Labs at 844-492-7225, or feedback@wapacklabs.com
[1] hxxp://www.emsa.europa.eu/
[2] hxxps://www.cyber.nj[.]gov/threat-profiles/android-malware-variants/lokibot