#lokibot — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #lokibot, aggregated by home.social.
#Malware campaigns in #Italy, Week 29
☠️💣🔥👻
#AgentTesla: Order
#Formbook: Offer
#GuLoader: Electronic Invoice
#Remcos: Bank
#Lokibot: Delivery
#SmokeLoader: Payments
#Irata: Malware APK
#RedLine: Offer
#Neshta: Order
#Ousaban: Process
#SnakeKeylogger: Invoice
-
#Malware campaigns in #Italy, Week 41
🔥 Persistent
#Ursnif: #AgenziaEntrate
#DarkGate: Resend link to ZIP
#AgentTesla: Payment 💣 Exceptional
#RemcosRat: Payment
#Lokibot: Bank
#ScreenConnect: PDF invoice
-
Today in our section on "unconventional #Malware delivery": #ARJ archives! 📦
ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. #AgentTesla, #Formbook or #Guloader.
You can recognize ARJ archives by their magic: 60 EA
Extraction can be handled with 7zip for example.
For more information on the file format check out Ange Albertini's excellent graphic representation: https://twitter.com/angealbertini/status/1619006171360395264
As an example we dug up a #Lokibot sample from last year where the delivery chain looked like this: ARJ --> RAR --> EXE
To fool the victims into opening the next file they used the common #doubleExtension trick, e.g. .pdf.exe
IoC for those playing along at home:
162.0.223[.]13
kbfvzoboss[.]bid
alphastand[.]trade
alphastand[.]win
alphastand[.]top
➡️ /alien/fre.php
PO_Payment for invoice[...].eml.arj
d0c8824d1e19ca1af0b88a477fa4cad6
SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe
88bdf4f8fe035276da984c370e4cda2c
88bdf4f8fe035276da984c370e4cda2c
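The two detection points in the post above, the ARJ header ID (60 EA) and the double-extension lure, can be checked on a mail gateway or in a triage script without trusting the file name at all. The following is an added example written for this page, not code from the post's author; the sample attachments are constructed, and the sets of "executable" and "decoy" extensions are an assumption that generalises the single .pdf.exe case the post mentions.

```python
import os

# ARJ header ID bytes, as given in the post ("Magic: 60 EA").
ARJ_MAGIC = b"\x60\xea"

# Assumption (not from the post): extensions a gateway treats as executable, and
# document-looking extensions that precede them in double-extension lures.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "eml"}


def is_arj(data: bytes) -> bool:
    """True if the content starts with the ARJ header ID, whatever the name says."""
    return data[:2] == ARJ_MAGIC


def double_extension(filename: str):
    """Return (decoy_ext, real_ext) for names like 'invoice.PDF.exe', else None.

    The comparison is case-insensitive, so 'PDF.exe' and 'pdf.EXE' both match.
    """
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 3:
        return None
    decoy, real = parts[-2], parts[-1]
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None


def classify(filename: str, data: bytes) -> list:
    """Findings for one attachment: content-based ARJ detection plus name checks."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_arj(data):
        findings.append("ARJ archive by magic")
        if ext != "arj":
            # Content says ARJ but the name claims something else.
            findings.append(f"extension mismatch: .{ext} but ARJ content")
    de = double_extension(filename)
    if de:
        findings.append(f"double extension: .{de[0]}.{de[1]}")
    return findings


def scan_samples() -> dict:
    """Run classify() over constructed sample attachments (not real files)."""
    samples = {
        # Name patterned on the post's first stage; bytes are a fake ARJ header.
        "PO_Payment for invoice.eml.arj": ARJ_MAGIC + b"\x00" * 30,
        # Name patterned on the post's final stage; bytes are a fake PE stub.
        "SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe": b"MZ" + b"\x00" * 30,
        # Benign-looking PDF, should produce no findings.
        "report.pdf": b"%PDF-1.4\n",
        # ARJ content hiding behind a .zip name.
        "archive.zip": ARJ_MAGIC + b"\x00" * 30,
    }
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {findings or 'clean'}")
```

Matching on the header bytes rather than the extension is the point: a renamed or mislabelled ARJ still triggers, and the `extension mismatch` finding singles out exactly the renamed case for closer review.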