On 7-9 May 2019, Wapack Labs detected an increase in malicious emails with the spoofed sender field firstname.lastname@example.org. Hackers deliver malicious attachments under the pretense of an incoming SWIFT transfer (Figure 1).
Figure 1. Email text spoofing HHH Marine Services on 8 May 2019.
The attackers use the popular Lokibot malware. Wapack Labs observed these samples communicating with both known and new Lokibot C2s: