Originally posted at malwarebreakdown.com
Follow me on Twitter
I received some malspam on 03/22/18 that contained two .doc file attachments. The subject of the email was “Order 2018-048 & 049, Please Confirm”. The attached exploit documents were named similarly to the subject of the email, “PO2018-048.doc” and “PO 2018-049.doc”.
Below is an image of the email:
Both “PO2018-048.doc” and “PO 2018-049.doc” are RTF exploit documents.
An example of one of the files opened is shown below:
Opening either “PO2018-048.doc” or “PO 2018-049.doc” will cause the victim’s host to download the Loki-Bot payload from office.erlivia.ltd:
Remote IP Address: 220.127.116.11 (office.erlivia.ltd)
Remote Port: 80
Process Name: EQNEDT32.EXE
Process Path: C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\EQNEDT32.EXE
The file is downloaded to %TEMP% as RealTEKHD.exe and executed:
RealTEKHD.exe created file %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\DropboxInstaller.exe:
DropboxInstaller.exe writes to a start menu file %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\DropboxInstaller.Z9yRYh4jbeHJgNMR.lnk:
DropboxInstaller.exe created child process DropboxInstaller.exe, and the child process sends POST requests to the C2 server. The same child process also created B63C85.lck in %APPDATA%\E2FBBB\ and then later deletes the file. The .lck file, which is named after characters 13 through 18 of the Bot GUID, is a lock file (created when decrypting Windows
creds or Keylogging) and is one of the four files that can be found in this hidden folder. The other files are the .exe (copy of the malware used for persistence), .hdb (database of hashes of data that has been ex-filtrated), and a .kdb file (database of keylogger data waiting to be sent to the C2).
The DropboxInstaller.exe child process moves and renames file %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\DropboxInstaller.exe to %APPDATA%\E2FBBB\B63C85.exe.
Hidden folder created in %APPDATA%:
The folder is named after characters 8 through 13 of the Bot GUID. Furthermore, it contains a copy of the malware which has been named after characters 13 through 18 of the Bot GUID.
I ran the sample through another sandbox and the DropboxInstaller.exe child process created a key used for persistence at HKEY_CURRENT_USER. I don’t have a picture of the key to share with you but you can see an example of that at https://www.malware-traffic-analysis.net/2018/03/09/index.html.
More detailed information about the process tree and what changes are made to the file system and registry can be found in the Any.Run and Hybrid-Analysis reports that I’ve linked to in the hash section at the very bottom of this post.
The Bot GUID is created by grabbing the machine GUID from HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid and generating an MD5 hash from the string. However, only the first 24 characters of the MD5 hash (total of 32 characters) signify the Bot GUID.
Example of Bot GUID:
Machine GUID string (lowercase): 9c3873bd-d616-4eb8-96c2-6aee0ecdf3dd MD5 Hash: 6CD99ACE2FBBB63C852955B3C167AC07 Bot GUID: 6CD99ACE2FBBB63C852955B3
POST to C2:
The Loki-Bot sample has a binary ID (Bin ID) of “ckav.ru”. According to what I could find, this binary ID is associated with the Russian hacking forum “fuckav[.]ru”. We also see the victim’s account name, computer name, and Bot GUID.
Loki-Bot C2 panel:
Graphs on data coming in (reports, FTP, HTTP, Other) over the last 24 hours, OS statistics by reports, and OS statistics by Bots:
The Bots section shows the Bot GUID, Bin ID, IP address and country, PC information (computer name, account name, OS, screen resolution, number of reports collected), last time the bot was seen, and action (see commands):
Example of a report:
- Download & Run
- Download & Load
- Download & Drop
- Remove Hash DB
- Enable Keylogger
- Shutdown Bot (Only Bot, not PC)
- Update Bot
- Update reconnect intervall
- Uninstall Bot
One thing to note, there are multiple Loki-Bot panels hosted on this server:
cPanel at 18.104.22.168:
Payloads hosted at *.erlivia.ltd are even being named after the panel locations. For example, VT shows the following URLs hosted at 22.214.171.124:
- 2018-03-26: hxxp://office[.]erlivia[.]ltd/white.123
- 2018-03-20: hxxp://office[.]erlivia[.]ltd/black.123
- 2018-03-20: hxxp://office[.]erlivia[.]ltd/000.123
A full list can be seen HERE.
Subdomains that have a malicious history of their own:
|anotis.erlivia.ltd||126.96.36.199 and 188.8.131.52|
|maxi.erlivia.ltd||184.108.40.206, 220.127.116.11, and 18.104.22.168|
|microsoft.erlivia.ltd||22.214.171.124 and 126.96.36.199|
|office.erlivia.ltd||188.8.131.52 and 184.108.40.206|
|rov.erlivia.ltd||220.127.116.11, 18.104.22.168, and 22.214.171.124|
|windows.erlivia.ltd||126.96.36.199, 188.8.131.52, and 184.108.40.206|
A blog post from Proofpoint on 03/23/18 shows maxi.erlivia.ltd hosting a document file that delivered Imminent Monitor RAT: https://www.proofpoint.com/us/threat-insight/post/tax-themed-email-campaigns-steal-credentials-spread-banking-trojans-rats-ransomware
Below is the resolution history for erlivia.ltd:
|Resolution||Location||Network||ASN||First Seen||Last Seen|
VT history shows that some of these panels were once resolving to cliftonltd.ru:
File name: PO2018-048.doc
File name: PO 2018-049.doc
File name: RealTEKHD.exe
- 220.127.116.11 – office.erlivia.ltd – GET /white.123
- 18.104.22.168 – POST /white/fre.php – Loki-Bot C2
- User-Agent String: Mozilla/4.08 (Charon; Inferno)
- 22.214.171.124 – POST /black/fre.php
- 126.96.36.199 – POST /000/fre.php
- 188.8.131.52 – POST /annonymous/fre.php
- 184.108.40.206 – POST /pal/fre.php
The password is “infected”.