SWIFT-Themed Malware Trending: Lokibot Domination

Summary

Hackers are using “SWIFT monetary transfer” themed files to lure users into opening them.  These files have been identified as malicious.  Wapack Labs studied a sample group of SWIFT-themed malicious files during a 30-day period in February-March 2019.  Nearly half are classified as Lokibot, and 12 percent were detected exploiting CVE-2017-11882 "Microsoft Office Memory Corruption Vulnerability."  Most of the samples were submitted from Ukraine, the Czech Republic or the US.  In several cases, the malware samples were attached to emails that also used social engineering referencing HSBC bank transfers.

Details

Figure 1. MS Office file “mt103_swift_payment_copy” prompts users to enable malicious macros [1]

A SWIFT-themed sample

Wapack Labs analyzed malicious samples uploaded to VirusTotal (VT) during 21 February 2019 – 22 March 2019 whose filenames contained either the string “SWIFT Transfer” or “SWIFT payment”.[2] A total of 33 submitted files were discovered, 13 for “SWIFT Transfer” and 20 for “SWIFT payment.”  In several cases, the malware samples were tracked back to malicious emails that were spoofed to appear to come from HSBC bank (Figure 2).

Figure 2. Malicious .ace Lokibot attachments in a March 2019 email spoofing HSBC bank

The most common file names were “Swift Payment Copy” and “Swift Transfer Copy103_PDF.ace”.  The string “SWIFT Transfer (103)” is present in 24 percent of the studied malicious file names (See Appendix A).
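The lure strings and file-name traits described above (the “SWIFT Transfer” / “SWIFT payment” search strings, the “(103)” and “mt103” MT103 references, and names such as “Copy103_PDF.ace” that hide an archive or executable behind a PDF hint) can be turned into a simple mail-gateway triage heuristic. The following Python is an added example written for this page, not code from Wapack Labs; the extension sets, the weights and the threshold are assumptions, and the sample names are taken from Appendix A plus two constructed benign names. It scores a name on lure text plus carrier type so that a lure word alone (a legitimate “SWIFT Transfer Policy.pdf”) does not get quarantined.

```python
import re
from typing import Iterable, List, NamedTuple

# Lure strings the report searched for on VirusTotal ("SWIFT Transfer",
# "SWIFT payment"), matched case-insensitively with optional separators.
LURE_PATTERN = re.compile(r"swift[\s_\-]*(transfer|payment)", re.IGNORECASE)
# MT103 is the SWIFT customer-transfer message type behind the "(103)" and
# "mt103" names listed in Appendix A.
MT103_PATTERN = re.compile(r"\(103\)|mt103", re.IGNORECASE)
# "...-pdf.exe", "..._PDF.ace", "...pdf.7z": a PDF hint in front of a
# different real extension, as seen in several Appendix A names.
FAKE_PDF_PATTERN = re.compile(r"[._\-\s]pdf\.[a-z0-9]{1,4}$", re.IGNORECASE)

# Extension classes drawn from the file names in Appendix A. The exact sets
# and the weights below are assumptions for this example; tune them locally.
EXECUTABLE_EXT = {".exe", ".scr", ".bat", ".com", ".js", ".vbs"}
ARCHIVE_EXT = {".ace", ".arj", ".rar", ".zip", ".7z", ".iso"}
DOCUMENT_EXT = {".doc", ".docx", ".xls", ".xlsx", ".rtf", ".msg"}


class Verdict(NamedTuple):
    filename: str
    lure: bool          # name carries a SWIFT transfer/payment string
    mt103: bool         # name references MT103 / "(103)"
    fake_pdf: bool      # PDF hint in front of a non-PDF extension
    extension: str
    score: int          # crude risk score; higher is more suspicious


def file_extension(name: str) -> str:
    """Return the lower-cased final extension, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def assess_filename(name: str) -> Verdict:
    """Score one attachment name against the SWIFT-lure traits in the report."""
    ext = file_extension(name)
    lure = LURE_PATTERN.search(name) is not None
    mt103 = MT103_PATTERN.search(name) is not None
    fake_pdf = FAKE_PDF_PATTERN.search(name) is not None

    score = 0
    if lure:
        score += 2
    if mt103:
        score += 1
    if fake_pdf:
        score += 2
    if ext in EXECUTABLE_EXT:
        score += 3
    elif ext in ARCHIVE_EXT:
        score += 2   # ACE/ISO/RAR/ZIP wrappers dominated the Lokibot samples
    elif ext in DOCUMENT_EXT:
        score += 1   # Office/RTF carriers for CVE-2017-11882-style exploits
    return Verdict(name, lure, mt103, fake_pdf, ext, score)


def triage(names: Iterable[str], threshold: int = 4) -> List[Verdict]:
    """Return the verdicts that reach the threshold, highest score first."""
    hits = [v for v in (assess_filename(n) for n in names) if v.score >= threshold]
    return sorted(hits, key=lambda v: v.score, reverse=True)


# Constructed sample: names from Appendix A of the report plus two benign
# names that should stay below the threshold.
SAMPLE_NAMES = [
    "Swift Transfer Copy103_PDF.ace",
    "SWIFT Transfer (103) FT19063QCWFG.doc",
    "mt103_swift_payment_copy.xlsx",
    "Swift Payment 2018-pdf.exe",
    "SWIFT PAYMENT COPY.pdf.7z",
    "SWIFT Transfer Policy.pdf",   # benign: lure word, harmless extension
    "Q1 invoice.xlsx",             # benign: ordinary spreadsheet
]

if __name__ == "__main__":
    for v in triage(SAMPLE_NAMES):
        print(f"{v.score:2d}  {v.filename}  ext={v.extension} fake_pdf={v.fake_pdf}")
```

Run as a script it lists the five Appendix A names, with “Swift Payment 2018-pdf.exe” on top, and leaves the two benign names out. The point of the weighting is that the report's lure strings are a necessary but not sufficient signal: the carrier (executable, ACE/ISO wrapper, or Office/RTF document) is what separates a lure from a normal banking document.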

Detection Trends

Among the specimens, 48% had detections for Lokibot (Loki) malware.  The real share of Lokibot campaigns may be even larger: some files had only low-confidence generic detections, and some samples could be an earlier stage of a Lokibot campaign (Table 1).

Table 1. Malware detection among SWIFT-themed samples

Malware Detection                  | Frequency
-----------------------------------|----------
Lokibot                            | 48 %
Exploit.CVE-2017-11882             | 12 %
Fuerboos                           | 6 %
Pony                               | 6 %
BAT/Donoff/Razy                    | 3 %
Exploit.CVE-2018-0802              | 3 %
Fareit                             | 3 %
Heye                               | 3 %
Nanobot                            | 3 %
Neshta                             | 3 %
PWS:Win32/Primarypass              | 3 %
RTF/Downloader                     | 3 %
Trojan[Downloader]/MSOffice.Agent  | 3 %

Antivirus detections for Exploit.CVE-2017-11882 (“Microsoft Office Memory Corruption Vulnerability”) ranked second.  Other detections were in the single digits, including known malware such as Pony, Neshta and Heye (Table 1).

Table 2. Malware extensions among SWIFT-themed samples

Extension                    | Frequency
-----------------------------|----------
Win32 EXE                    | 36 %
Rich Text Format             | 18 %
ACE                          | 15 %
ISO image                    | 6 %
Outlook                      | 6 %
RAR                          | 6 %
ZIP                          | 6 %
MS Excel Spreadsheet         | 3 %
Office Open XML Spreadsheet  | 3 %

Win32 EXE (36%), Rich Text Format (18%), and ACE (15%) were the top three extensions (Table 2). Lokibot samples accounted for the majority of .exe, .ace, and compressed malicious files.

Several malicious domains and IPs were detected that were used as C2s for these samples, and some were used to download next-stage malware.  Wapack Labs has already sinkholed two domains detected for Lokibot samples, alphastand.win and kbfvzoboss.bid (see the Indicators table below).
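The Indicators table at the end of this report lists the C2 and delivery infrastructure in defanged form (“hxxp”, “[.]”), so it cannot be matched against logs as printed. The following Python is an added example written for this page, not Wapack Labs code: it refangs a subset of the report's own indicators, indexes them by URL, host and MD5, and runs a constructed Squid-style proxy log through the index. Treating subdomains of a listed C2 domain as hits, and the log layout itself, are our assumptions; the indicator values, kill-chain phases and attributions are copied from the table.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Indicator:
    value: str          # refanged value
    kind: str           # URL, Domain, IP or MD5, as in the table
    phase: str          # Delivery, C2 or Exploitation (Kill_Chain_Phase)
    attribution: str    # e.g. "Lokibot", or "" where the table is blank


@dataclass(frozen=True)
class Match:
    line: str
    indicator: Indicator
    how: str            # "url", "host" or "parent-domain"


# Subset of the Indicators table in this report, copied as printed
# (defanged with "hxxp" and "[.]"); the selection is ours.
DEFANGED_INDICATORS: Sequence[Tuple[str, str, str, str]] = (
    ("http://kamagra4uk[.]com/gon/okim/oookkkk.exe", "URL", "Delivery", ""),
    ("kamagra4uk.com", "Domain", "C2", ""),
    ("hxxp://23.249.163[.]126/link/E0.exe", "URL", "Delivery", ""),
    ("23.249.163.126", "IP", "C2", ""),
    ("http://kbfvzoboss[.]bid/alien/fre.php", "URL", "C2", "Lokibot"),
    ("kbfvzoboss.bid", "Domain", "C2", "Lokibot"),
    ("alphastand.top", "Domain", "C2", "Lokibot"),
    ("765a1c515f085fa49ec7cced37fc8a42", "MD5", "Exploitation", "Lokibot"),
)


def refang(value: str) -> str:
    """Undo the defanging used in the table so values can be matched."""
    v = value.replace("[.]", ".")
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased host part of a URL, or '' if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


class IndicatorIndex:
    """Exact-URL, host and hash lookups over the refanged indicators."""

    def __init__(self, rows: Sequence[Tuple[str, str, str, str]]):
        self.by_url: Dict[str, Indicator] = {}
        self.by_host: Dict[str, Indicator] = {}
        self.by_md5: Dict[str, Indicator] = {}
        for value, kind, phase, attribution in rows:
            ind = Indicator(refang(value), kind, phase, attribution)
            key = ind.value.lower()   # case-folded for matching only
            if kind == "URL":
                self.by_url[key] = ind
            elif kind in ("Domain", "IP"):
                self.by_host[key] = ind
            elif kind == "MD5":
                self.by_md5[key] = ind

    def match_url(self, line: str, url: str) -> Optional[Match]:
        """Most specific hit first: full URL, then host, then a parent domain."""
        key = url.lower()
        if key in self.by_url:
            return Match(line, self.by_url[key], "url")
        host = host_of(url)
        if host in self.by_host:
            return Match(line, self.by_host[host], "host")
        # cdn.alphastand.top -> alphastand.top: subdomains of a listed C2
        # domain count as hits (our design choice, not the report's).
        labels = host.split(".")
        for i in range(1, len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in self.by_host:
                return Match(line, self.by_host[parent], "parent-domain")
        return None

    def lookup_md5(self, digest: str) -> Optional[Indicator]:
        return self.by_md5.get(digest.strip().lower())


def scan_proxy_log(log_text: str, index: IndicatorIndex) -> List[Match]:
    """Match the last whitespace-separated field (the URL) of each line."""
    hits: List[Match] = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        m = index.match_url(line, fields[-1])
        if m is not None:
            hits.append(m)
    return hits


# Constructed proxy log in a Squid-like layout: timestamp, client, status,
# bytes, method, URL. Only the URL field matters to the matcher.
PROXY_LOG = """\
1552953600.101 10.0.0.21 TCP_MISS/200 2048 GET http://www.example.com/index.html
1552953601.204 10.0.0.21 TCP_MISS/200 512 POST http://kbfvzoboss.bid/alien/fre.php
1552953602.310 10.0.0.34 TCP_MISS/200 98304 GET http://23.249.163.126/link/E0.exe
1552953603.415 10.0.0.34 TCP_MISS/404 300 GET http://cdn.alphastand.top/static/a.js
1552953604.520 10.0.0.50 TCP_MISS/200 1024 GET http://kamagra4uk.com/
"""

INDEX = IndicatorIndex(DEFANGED_INDICATORS)

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG, INDEX):
        ind = hit.indicator
        print(f"[{ind.phase:<12}] {hit.how:<13} {ind.value}  {ind.attribution or '-'}")
```

Run as a script it reports four of the five constructed lines: the POST to the sinkholed kbfvzoboss.bid “fre.php” path and the download from 23.249.163.126 as exact URL hits, the alphastand.top subdomain as a parent-domain hit, and the bare kamagra4uk.com request as a host hit. Keeping the kill-chain phase on each hit is what lets an analyst tell a delivery download (a host that fetched the next stage and needs a malware check) from a C2 beacon (a host that is probably already infected).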

Among the .rtf and .xlsx attachments, CVE-2017-11882 was the most common exploit. Table 3 shows the observed CVEs.

Table 3. Exploits in SWIFT-themed .rtf and .xlsx samples

Vulnerability   | Frequency
----------------|----------
CVE-2017-11882  | 83 %
CVE-2012-0158   | 50 %
CVE-2017-0199   | 33 %
CVE-2010-3333   | 17 %
CVE-2017-1182   | 17 %
CVE-2017-8570   | 17 %
CVE-2018-0798   | 17 %
CVE-2018-0802   | 17 %

The top three observed vulnerabilities were CVE-2017-11882 ("Microsoft Office Memory Corruption Vulnerability") at 83 percent, CVE-2012-0158 (“MSCOMCTL.OCX RCE Vulnerability”) at 50 percent, and CVE-2017-0199 ("Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API") at 33 percent.  In one case, newer vulnerabilities were observed: CVE-2018-0798 and CVE-2018-0802 (Table 3).

Submission Geolocation

Fifteen percent of the samples were submitted from the US.  European countries were the most common targets, with Ukraine (21%), the Czech Republic (18%), and France (12%) in the top five (Table 4).

Table 4. Countries of submission of SWIFT-themed malware

Country                         | Frequency
--------------------------------|----------
UA                              | 21%
CZ                              | 18%
US                              | 15%
ZZ (unknown)                    | 15%
FR                              | 12%
DE, GB, KR, NG, RU              | 6% each
CH, ES, HR, HU, IN, IT, JP, SG  | 3% each

Conclusion

The SWIFT interbank payment system remains one of the more popular social engineering themes among malicious emails. Fortunately, user education can go a long way in mitigating these attacks, as all of them require user interaction for the malware installation to succeed. Lokibot is likewise a popular infostealer and accounts for a large share of Wapack Labs sinkhole traffic.

Indicators

Indicator | Type | Kill_Chain_Phase | First_Seen | Last_Seen | Comments | Attribution
----------|------|------------------|------------|-----------|----------|------------
http://kamagra4uk[.]com/gon/okim/oookkkk.exe | URL | Delivery | 03/19/2019 | 03/19/2019 | SWIFT Transfer (103) FT19063QCWFG.doc | 
kamagra4uk.com | Domain | C2 | 02/14/2019 | 03/24/2019 | Known malicious source | 
hxxp://23.249.163[.]126/link/E0.exe | URL | Delivery | 03/15/2019 | 03/15/2019 | Downloader for SWIFT-themed malware | 
23.249.163.126 | IP | C2 | 09/10/2015 | 03/21/2019 | Downloader for SWIFT-themed malware | 
http://simeonolo[.]tk/raphael/fre.php | URL | C2 | 03/03/2019 | 03/03/2019 |  | Lokibot
simeonolo.tk | Domain | C2 | 02/25/2019 | 03/24/2019 | SWIFT TRANSFER (103) 001FTLC183520369.exe | Lokibot
198.23.191.102 | IP | Delivery | 02/21/2019 | 03/27/2019 | Source for CoinStealer and other malware | 
hxxp://198.23.191[.]102/xml/luc.exe | URL | Delivery | 02/21/2019 | 02/21/2019 | SWIFT Transfer (103) REF 076907062017.doc | 
http://ophtyeifns[.]cf/raphael/fre.php | URL | C2 | 03/21/2019 | 03/21/2019 | copy of swift payment 18032019.exe | Lokibot
http://oppws[.]cn/broker/five/fre.php | URL | C2 | 03/22/2019 | 03/22/2019 |  | Lokibot
oppws.cn | Domain | C2 | 02/21/2019 | 03/27/2019 |  | Lokibot
http://kbfvzoboss[.]bid/alien/fre.php | URL | C2 | 07/06/2017 | 03/23/2019 | Lokibot C2 sinkholed by Wapack Labs | Lokibot
kbfvzoboss.bid | Domain | C2 | 03/21/2017 | 03/27/2019 | Lokibot C2 sinkholed by Wapack Labs | Lokibot
http://shirkeswitch[.]net/cbn/okc/shri%20kc.exe | URL | Delivery | 03/06/2019 | 03/06/2019 | mt103_swift_payment_copy.xlsx | Lokibot
shirkeswitch.net | Domain | Delivery | 02/28/2019 | 03/25/2019 |  | Trojan.Tasker
http://alphastand[.]win/alien/fre.php | URL | C2 | 11/21/2017 | 03/14/2019 | Lokibot C2 sinkholed by Wapack Labs | Lokibot
http://alphastand[.]top/alien/fre.php | URL | C2 | 03/14/2019 | 03/21/2019 | Swift Payment 2018-pdf.exe | Lokibot
alphastand.top | Domain | C2 | 10/23/2018 | 03/23/2019 |  | Lokibot
http://alphastand[.]trade/alien/fre.php | URL | C2 | 03/21/2019 | 03/21/2019 | Swift Payment 2018-pdf.exe | Lokibot
alphastand.trade | Domain | C2 | 02/28/2019 | 03/27/2019 |  | Lokibot
765a1c515f085fa49ec7cced37fc8a42 | MD5 | Exploitation | 03/19/2019 | 03/19/2019 | SWIFT-themed malware | Lokibot
4364db8b13c277e5a02a0e6f6ad21650 | MD5 | Exploitation | 03/08/2019 | 03/08/2019 | SWIFT-themed malware | Exploit.CVE-2017-11882
aad733295bee1604883c31dfaf8d65d5 | MD5 | Exploitation | 03/08/2019 | 03/08/2019 | SWIFT-themed malware | Lokibot
bd1a572407c04e1ede2daee667bde7ed | MD5 | Exploitation | 03/07/2019 | 03/07/2019 | SWIFT-themed malware | Lokibot
6969c449428da00cbcc0590f7faa5a6f | MD5 | Exploitation | 03/05/2019 | 03/05/2019 | SWIFT-themed malware | Exploit.CVE-2017-11882
5f0fef9219bea459e8a208ae0dd50a47 | MD5 | Exploitation | 02/27/2019 | 02/27/2019 | SWIFT-themed malware | Heye
bdc79f5e382c2f1a66aa7e0b54ff8977 | MD5 | Exploitation | 02/26/2019 | 02/26/2019 | SWIFT-themed malware | Lokibot
b33af2043786b54831d73d7dbf9826fd | MD5 | Exploitation | 02/25/2019 | 02/25/2019 | SWIFT-themed malware | PWS:Win32/Primarypass
1b9296800f7ba024266fc9a986a2957e | MD5 | Exploitation | 02/25/2019 | 02/25/2019 | SWIFT-themed malware | Trojan[Downloader]/MSOffice.Agent
00be6d57beddee4d6c5caad825085f9c | MD5 | Exploitation | 02/25/2019 | 02/25/2019 | SWIFT-themed malware | Lokibot
8fdaf7751d5570699dad8548945f381c | MD5 | Exploitation | 02/25/2019 | 02/25/2019 | SWIFT-themed malware | Lokibot
cd6661b14d959f09bd1513acf96f314a | MD5 | Exploitation | 02/23/2019 | 02/23/2019 | SWIFT-themed malware | Fareit
be667d77aa73e1081c7ed23b083115ec | MD5 | Exploitation | 02/21/2019 | 02/21/2019 | SWIFT-themed malware | RTF/Downloader
f49a534fbbb1f197b6b78eed7732fc25 | MD5 | Exploitation | 03/22/2019 | 03/22/2019 | SWIFT-themed malware | Lokibot
1cbecea4f738ab2b7b3727e0a73421be | MD5 | Exploitation | 03/21/2019 | 03/21/2019 | SWIFT-themed malware | Pony
3ad76747bfc9a1bde902fde2bc67aff6 | MD5 | Exploitation | 03/21/2019 | 03/21/2019 | SWIFT-themed malware | Pony
312179934596ef63942d0e0fd004317d | MD5 | Exploitation | 03/21/2019 | 03/21/2019 | SWIFT-themed malware | Lokibot
075ffadd5f3b5ebc09e8754fc5655c1e | MD5 | Exploitation | 03/21/2019 | 03/21/2019 | SWIFT-themed malware | Lokibot
4ab00512245631b8b72ae8c6c0ede7a5 | MD5 | Exploitation | 03/20/2019 | 03/20/2019 | SWIFT-themed malware | Nanobot
096a65eacac3180a4bd35a9dbf8a119f | MD5 | Exploitation | 03/19/2019 | 03/19/2019 | SWIFT-themed malware | BAT/Donoff/Razy
8dfe2253473211d94478063ec5ae4318 | MD5 | Exploitation | 03/19/2019 | 03/19/2019 | SWIFT-themed malware | Fuerboos
d33b98453d4cdb9d558b937ac7098bec | MD5 | Exploitation | 03/18/2019 | 03/18/2019 | SWIFT-themed malware | Exploit.CVE-2017-11882
fb1e0e3d3a4301c0286fcd0c6b23d566 | MD5 | Exploitation | 03/12/2019 | 03/12/2019 | SWIFT-themed malware | Lokibot
35325353f2120196612f59743ebc6a42 | MD5 | Exploitation | 03/11/2019 | 03/11/2019 | SWIFT-themed malware | Lokibot
590caf9ac91d00be9cb4935ace2e228d | MD5 | Exploitation | 03/11/2019 | 03/11/2019 | SWIFT-themed malware | Lokibot
df10d53360c6476bd5bf768584814161 | MD5 | Exploitation | 03/11/2019 | 03/11/2019 | SWIFT-themed malware | Lokibot
4da7e2ae11547e9e0ce4e8b56b75b831 | MD5 | Exploitation | 03/11/2019 | 03/11/2019 | SWIFT-themed malware | Lokibot
ac1e78785003244871a7fe0d08cf45f4 | MD5 | Exploitation | 03/08/2019 | 03/08/2019 | SWIFT-themed malware | Lokibot
797f73a9caf1794f767f13e2dccc7178 | MD5 | Exploitation | 03/07/2019 | 03/07/2019 | SWIFT-themed malware | Exploit.CVE-2018-0802
720e68135c6186d147cf92e7e445de8f | MD5 | Exploitation | 03/06/2019 | 03/06/2019 | SWIFT-themed malware | Neshta
52bd6f94f7f4eba350d2530b487800cd | MD5 | Exploitation | 03/06/2019 | 03/06/2019 | SWIFT-themed malware | Exploit.CVE-2017-11882
fd76164f55c9862a2f63d2161a5ecb92 | MD5 | Exploitation | 02/25/2019 | 02/25/2019 | SWIFT-themed malware | Fuerboos
44d8f0672222de5abd740b12341a86aa | MD5 | Exploitation | 02/21/2019 | 02/21/2019 | SWIFT-themed malware | Lokibot

Prepared by: Yury Polozov
Reviewed by: B. Schenkelberg
Approved by: C. Hall/J. McKee

For questions or comments regarding this report, please contact the lab directly at 603-606-1246 or feedback@wapacklabs.com.

Appendix A. SWIFT-themed malware file names

copy of swift payment 18032019.exe

copy of swift payment 18032019.iso

FW_ Swift Payment Copy - Incorrect Bank Details provided.msg

mt103_swift_payment_copy.xlsx

PAYMENT SWIFT.exe

Swift Payment 2018-pdf.exe

SWIFT PAYMENT CONFIRMATION ELECTRONIC DOC0000output35C6C0.rar

Swift Payment Copy-pdf.exe

Swift Payment Copy.ace

Swift Payment Copy.doc

SWIFT PAYMENT COPY.exe

Swift Payment Copy.exe

SWIFT PAYMENT COPY.pdf.7z

Swift Payment Slip.exe

Swift Payment ZIP.arj

Swift Payment-7382992.scr

SWIFT PAYMENT.doc

SWIFT TRANSFER (/SWIFT TRANSFER (103) 001FTLC183520369.exe

SWIFT TRANSFER (103) 001FTLC183520369.iso

SWIFT TRANSFER (103) 001FTLC183520369.msg

SWIFT Transfer (103) 001FTLC183520369.xls

SWIFT Transfer (103) FT19063QCWFG.doc

SWIFT Transfer (103) FT19063QCWFG.doc

SWIFT Transfer (103) REF 076907062017.doc

SWIFT TRANSFER (103)\r 001FTLC183520369.iso

Swift Transfer Copy10.pdf.ace

Swift Transfer Copy103_PDF.ace

Swift Transfer Copy103_PDF.ace

Swift Transfer Copy103_PDF.ace

Swift Transfer Payment Slip.exe

Swift transfer.exe-2019-02-27.20-04-01.txt

swift_payment_copy.doc

Swift_Payment.exe

Swift_Payment.zip


[1] hybrid-analysis.com/sample/cdcd4b6963f006947de99bf95e224de8ac7ae7d3a36a3f8575fc70fc7c93ff07

[2] The Society for Worldwide Interbank Financial Telecommunication (SWIFT) provides a network that enables financial institutions worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment.
