A new phishing campaign has been observed using COVID-19/Coronavirus-themed emails that appear to come from the World Health Organization (WHO) to deliver the notorious Lokibot malware.
The emails include a compressed attachment; the compression used is ARJ, a format designed for creating highly efficient compressed archives.
The attachment carries the extension “Doc.zip.arj“; when it is decompressed in 7-Zip it yields the payload file “DOC.pdf.exe“, a double extension meant to trick users into believing the file is not an executable.
The campaign was observed by Fortinet; once the executable (“COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.pdf.exe”) is opened, the victim's machine is infected with the Lokibot malware.
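As an added example (not code from the article or from Fortinet), the following attachment-triage routine flags the two tricks described above: an ARJ archive wrapper (recognised by name or by the 0x60 0xEA header bytes every ARJ file starts with) and a payload name with a deceptive double extension such as “DOC.pdf.exe”. The sample e-mail, its sender address and the extension lists are this example's own constructed assumptions.

```python
"""Added example, not from the article or Fortinet: flag e-mail attachments
that use an ARJ wrapper or a deceptive double extension like 'DOC.pdf.exe'.
All sample data below is constructed for this example."""
import email
from email import policy
from email.message import EmailMessage

ARJ_MAGIC = b"\x60\xea"   # every ARJ archive starts with header id 0x60 0xEA
MZ_MAGIC = b"MZ"          # Windows PE executables start with "MZ"

# Assumed extension lists for this example; extend to taste.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
ARCHIVE_EXTS = {"arj", "zip", "rar", "7z", "ace", "iso"}


def split_extensions(name):
    """Return every extension in a filename, lower-cased: 'DOC.pdf.exe' -> ['pdf', 'exe']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def deceptive_double_extension(name):
    """True when the real (last) extension is executable but an earlier one
    pretends the file is a document, as in 'DOC.pdf.exe'."""
    exts = split_extensions(name)
    return (len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS
            and any(e in DOCUMENT_EXTS for e in exts[:-1]))


def nested_archive_naming(name):
    """True for names like 'Doc.zip.arj' that stack two archive extensions."""
    exts = split_extensions(name)
    return len(exts) >= 2 and exts[-1] in ARCHIVE_EXTS and exts[-2] in ARCHIVE_EXTS


def assess_attachment(name, content):
    """Return the list of findings for one attachment (empty list = nothing suspicious)."""
    findings = []
    exts = split_extensions(name)
    if content.startswith(ARJ_MAGIC) or (exts and exts[-1] == "arj"):
        findings.append("arj-archive")
    if nested_archive_naming(name):
        findings.append("nested-archive-naming")
    if deceptive_double_extension(name):
        findings.append("deceptive-double-extension")
    # Content is a PE executable but the name does not admit it: the classic disguise.
    if content.startswith(MZ_MAGIC) and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        findings.append("executable-disguised-as-document")
    return findings


def scan_raw_email(raw):
    """Parse an RFC 5322 message and assess each attachment by name and magic bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        report[name] = assess_attachment(name, part.get_payload(decode=True) or b"")
    return report


def build_sample_email():
    """Constructed lure resembling the campaign: a WHO-themed body with an ARJ
    attachment. The bytes are a fake ARJ header only, not a real archive."""
    msg = EmailMessage()
    msg["From"] = "who-alerts@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "COVID-19 guidance from the World Health Organization"
    msg.set_content("Please review the attached document.")
    msg.add_attachment(ARJ_MAGIC + b"\x1e\x00" + b"\x00" * 16,
                       maintype="application", subtype="octet-stream",
                       filename="Doc.zip.arj")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_raw_email(build_sample_email()).items():
        print(name, "->", findings or "clean")
    print(assess_attachment("COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.pdf.exe", b"MZ\x90\x00"))
```

The name-based checks fire on the outer archive before anything is extracted, so a mail gateway can quarantine the message without having to unpack ARJ; the magic-byte checks catch the same payload once a sandbox or user has decompressed it and the name has changed.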
Lokibot malware was first observed in 2015 and is designed to steal information from the infected machine.
It collects information and credentials from a number of applications, such as Mozilla Firefox, Google Chrome, Thunderbird, and FTP and SFTP clients.
The malware has also been sold on underground hacking forums; it was initially marketed as an information stealer and keylogger, and has since continued to expand its capabilities.
Recently it was distributed using a powerful code injection technique to evade detection, employ anti-analysis techniques, and disable the security tools running on the target victims' computers.
According to FortiGuard telemetry, the campaign has been active since March 27 and targets the following countries.
“The Top 10 sites targeted by this campaign: Turkey (29%), Portugal (19%), Germany (12%), Austria (10%), and the United States (10%) top the list, with Belgium, Puerto Rico, Italy, Canada, and Spain rounding out the top 10 with less than one percent each.”
In a recent attack campaign, the Lokibot trojan impersonated a popular game launcher to trick users into executing the malware on their machines.