{"id":16267,"date":"2019-09-09T10:40:02","date_gmt":"2019-09-09T18:40:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/09\/09\/news-10009\/"},"modified":"2019-09-09T10:40:02","modified_gmt":"2019-09-09T18:40:02","slug":"news-10009","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/09\/09\/news-10009\/","title":{"rendered":"Newly Discovered Infostealer Attack Uses LokiBot"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The FortiGuard Labs SE team identified a new malicious spam campaign on August 21<sup>st<\/sup>, which we discovered after analyzing information initially found on VirusTotal. It targeted a large US manufacturing company using the well-documented infostealer LokiBot. Interestingly, the LokiBot sample also has a compilation date of August 21<sup>st<\/sup>, the same day we discovered the malspam campaign.<\/p>\n<h2><b>Campaign Details<\/b><\/h2>\n<p>The campaign consists of a spam email sent to the recipients\u2019 sales email address, possibly from a compromised trusted sender, originating from the IP address [23.83.133.8].\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-infostealer-attack-uses-lokibot\/_jcr_content\/root\/responsivegrid\/image_1591068001.img.png\" alt=\"Figure 1. Variant of spam email sent to recipient\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. 
Variant of spam email sent to recipient<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The spam email is simple in appearance and uses simple language that appears to have been written by a non-native English speaker: \u201cPlease see \u2018attache\u2019\u201d, referring to what appears to be an \u201cRFQ\u201d or request for quotation. The email encourages the user to open the attachment because the sender\u2019s colleague is currently out of office, while assuring the potential victim that the sender can clarify the contents of the document if needed.<\/p>\n<p>However, unbeknownst to the user, the #RFQE67Y54.7z file [SHA256: 176C61B6220854995AF271F3BA82BBD7960AACC20E070A3476D8FBAC5AB0C2D8 \u2013 detected as: Malicious_Behavior.SB] is not a request for quotation; once unzipped, it yields the infamous infostealer sold on various underground forums, LokiBot [SHA256: 691c65e4fb1d19f82465df1d34ad51aaeceba14a78167262dc7b2840a6a6aa87 &#8211; detected as: W32\/Windigo.ABV].<\/p>\n<h2><b><i>Shared Space \u2013 Previous attacks and possible spam relay?<\/i><\/b><\/h2>\n<p>Digging a little further into the IP address [23.83.133.8], it appears to be registered to LeaseWeb USA, Inc., a web hosting provider in Phoenix, Arizona. 
During our investigation, we did not find any significant activity behind this IP address, and historical archives in VirusTotal and our own data show that attacks originating from it are new, having only been seen within the past two months.<\/p>\n<p>This IP address appears to have been used twice before in malicious spam attacks several months earlier, in June, targeting a large German bakery with a lure to download an electronic invoice.<\/p>\n<p>The German bakery email and its attachment were both in Chinese. The attachment was an RTF file that referenced a potentially compromised URL (deepaklab[.]com), which likely hosted the malicious payload; that URL has since been cleaned up and no longer serves any content we can analyze. This may be another LokiBot delivery mechanism, as LokiBot has been documented using RTF distribution vectors in the past, but we cannot draw a firm conclusion from the information available at the time of publication. 
Our own telemetry also shows a rather large spike in observed hits on June 17, which correlates with the timestamp of that campaign, as well as telemetry from German visitors.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-infostealer-attack-uses-lokibot\/_jcr_content\/root\/responsivegrid\/image_753132854.img.png\" alt=\"Figure 2. Variant of spam email sent to recipient (translated from Chinese)\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. Variant of spam email sent to recipient (translated from Chinese)<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-infostealer-attack-uses-lokibot\/_jcr_content\/root\/responsivegrid\/image_792257627.img.png\" alt=\"Figure 3. Variant of spam email sent to recipient (translated from Chinese)\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. Variant of spam email sent to recipient (translated from Chinese)<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>To connect the dots: the German attack is consistent with our own telemetry. The United 
States, Germany, and Japan round out the top three countries targeted by LokiBot, with the United States at 56%, Germany at 22%, and Japan at &gt;1%, respectively. We also observed a large spike starting on June 17<sup>th<\/sup> for the German bakery attack, and again on August 21<sup>st<\/sup> for the U.S. semiconductor distributor \u2013 the same time we came across this newly identified campaign, further confirming our observations.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-infostealer-attack-uses-lokibot\/_jcr_content\/root\/responsivegrid\/image_936721848.img.png\" alt=\"Figure 4. Global distribution of palikyu.ml-based LokiBot attacks\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. Global distribution of palikyu.ml-based LokiBot attacks<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Because of the differences between the emails (both in language and attack template), and because we could not identify the payload served in the June attack, we can only assume that this IP address is a newly identified spam relay that may be used either indiscriminately or in targeted attacks delivering LokiBot or some other unidentified malware. Given the low volume observed, this IP address may be under the control of a single group and used only for very targeted attacks. 
However, this is only an assumption; time will provide a better historical snapshot of the campaigns using this IP address.<\/p>\n<p>Finally, one loose connection observed through historical DNS records is that the Chinese site ccltyo.com, which appears to be a clickspam website, was hosted on this IP address [23.83.133.8] back in June 2013. Although this domain exhibits some suspicious behavior and uses dynamic DNS, similar to campaigns we have seen in the past from various threat actors, especially in China, neither OSINT nor our own telemetry provides a smoking gun that correlates this latest campaign with a specific threat actor group.<\/p>\n<h2><b>Attack Description<\/b><\/h2>\n<p>The attack is straightforward. The LokiBot sample [SHA256: 691c65e4fb1d19f82465df1d34ad51aaeceba14a78167262dc7b2840a6a6aa87] has a file size of 286 KB and was compiled on Aug 21, coincidentally the same date the malicious spam was sent. The file is curiously named Dora Explorer Games, a reference to the children\u2019s TV heroine from the show \u201cDora The Explorer\u201d; we do not know whether this file information was added as a distraction or for some other reason, as such a name makes little sense for a lure targeting a military and government-based contractor.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-infostealer-attack-uses-lokibot\/_jcr_content\/root\/responsivegrid\/image_1388348454.img.png\" alt=\"Figure 5. False file information\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. 
False file information<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Of course, the file is not a game but the infamous LokiBot infostealer, one of the most popular infostealers in recent memory due to its ease of use and effectiveness. LokiBot steals a variety of credentials \u2013 primarily FTP credentials, stored email passwords, and passwords saved in browsers, as well as a whole host of others. LokiBot is distributed in various forms: it has been seen in zipped files, alongside malicious macros in Microsoft Word and Excel documents, and via malicious RTF files that exploit CVE-2017-11882 (Office Equation Editor), similar to the attack above that targeted the German bakery (although that RTF referenced an external URL rather than using a known exploit).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-infostealer-attack-uses-lokibot\/_jcr_content\/root\/responsivegrid\/image_742580289.img.png\" alt=\"Figure 6. List of specific software that Loki targets\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. 
List of specific software that Loki targets<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As LokiBot is already well documented and covered in various blogs, including ones from <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/new-loki-variant-being-spread-via-pdf-file.html\">Fortinet<\/a>, we will only highlight the unique characteristics observed in this specific sample.<\/p>\n<p>On execution, the sample:<\/p>\n<ul>\n<li>Creates the directory %appdata%\\[6 random hex chars] and sets the attributes FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM, and FILE_ATTRIBUTE_NOT_CONTENT_INDEXED on it<\/li>\n<li>Copies itself to %appdata%\\[6 random hex chars]\\[6 different random hex chars].exe and sets the same three attributes on the copy<\/li>\n<li>Creates the mutex 2B1733F511B2DFE5171B9AA1<\/li>\n<li>Deletes the original file once these changes are made<\/li>\n<li>Ultimately connects via HTTP POST to hxxp:\/\/palikyu.ml\/alpha\/fre.php, which resolved to 104.31.95.221 on Aug 22, 2019 (Cloudflare, Inc.)<\/li>\n<\/ul>\n<h2><b>Palikyu.ml and Palikyu.tk<\/b><\/h2>\n<p>Another interesting behavior to note is that the sample contacts palikyu.ml \u2013 specifically, hxxp:\/\/palikyu.ml\/alpha\/fre.php (104.31.95.221).<\/p>\n<p>
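A vendor-neutral host check for the persistence artifacts listed in the previous section (the directory and copy under %APPDATA%\\ carrying the hidden, system and not-content-indexed attributes, the mutex, and the hashes from the Technical Details section), written in Python as an added example for this page; it is not code from the original post or from Fortinet. The attribute bit values are the documented Win32 constants, the directory listing it runs on is constructed, and the live-scan helpers assume a Windows host.<\/p>

```python
"""Hunt for the LokiBot persistence artifacts described in the report.

Added example, not Fortinet's code.  The matching logic lives in pure
functions that take a listing of (path, attribute bitmask) pairs, so it can
be exercised with constructed data on any OS; scan_appdata() and
mutex_present() wrap it with the real Windows APIs.
"""
import ctypes
import hashlib
import os
import re
import sys
from typing import Iterable, List, Tuple

# Win32 file attribute bits (documented values).  The report names all three;
# the last one appears there under the older spelling FILE_NOT_CONTENT_INDEXED.
FILE_ATTRIBUTE_HIDDEN = 0x0002
FILE_ATTRIBUTE_SYSTEM = 0x0004
FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 0x2000
LOKI_ATTRS = (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
              | FILE_ATTRIBUTE_NOT_CONTENT_INDEXED)

# Indicators copied from the report's behaviour list and Technical Details.
LOKI_MUTEX = "2B1733F511B2DFE5171B9AA1"
LOKI_SHA256 = {
    "176c61b6220854995af271f3ba82bbd7960aacc20e070a3476d8fbac5ab0c2d8",  # #RFQE67Y54.7z
    "691c65e4fb1d19f82465df1d34ad51aaeceba14a78167262dc7b2840a6a6aa87",  # dropped LokiBot .exe
}

# %APPDATA%\<6 hex>\<6 hex>.exe.  The report says the two names differ, but a
# hunt should not depend on that, so equality is deliberately not checked.
_LOKI_PATH = re.compile(
    r"^.*[\\/](?P<dname>[0-9a-f]{6})[\\/](?P<fname>[0-9a-f]{6})\.exe$", re.IGNORECASE)


def is_loki_path(path: str) -> bool:
    """True if the path has the <6 hex>\\<6 hex>.exe shape."""
    return _LOKI_PATH.match(path) is not None


def find_loki_artifacts(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """Return paths matching BOTH the naming pattern and the full H+S+I attribute set.

    Requiring both keeps false positives down: hidden+system alone is common
    (desktop.ini), and a six-character hex directory name on its own is not rare.
    """
    return [path for path, attrs in entries
            if (attrs & LOKI_ATTRS) == LOKI_ATTRS and is_loki_path(path)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_sample(path: str) -> bool:
    """Hash a suspect file and compare it with the report's SHA256 IOCs."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() in LOKI_SHA256


def scan_appdata() -> List[str]:
    """Windows only: list %APPDATA%\\*\\* one level deep and apply the matcher."""
    appdata = os.environ.get("APPDATA")
    if not sys.platform.startswith("win") or not appdata:
        return []
    entries = []
    for d in os.scandir(appdata):
        if d.is_dir(follow_symlinks=False):
            for f in os.scandir(d.path):
                st = f.stat(follow_symlinks=False)
                entries.append((f.path, getattr(st, "st_file_attributes", 0)))
    return find_loki_artifacts(entries)


def mutex_present(name: str = LOKI_MUTEX) -> bool:
    """Windows only: OpenMutexW succeeds only if some process already created it."""
    if not sys.platform.startswith("win"):
        return False
    SYNCHRONIZE = 0x00100000
    handle = ctypes.windll.kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if not handle:
        return False
    ctypes.windll.kernel32.CloseHandle(handle)
    return True


# Constructed listing (not real telemetry): one true positive and two decoys.
ARCHIVE = 0x0020
SAMPLE_ENTRIES = [
    (r"C:\Users\alice\AppData\Roaming\A1B2C3\D4E5F6.exe", LOKI_ATTRS | ARCHIVE),
    (r"C:\Users\alice\AppData\Roaming\ABCDEF\123456.exe", ARCHIVE),                  # right shape, normal attributes
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\desktop.ini", LOKI_ATTRS),  # right attributes, wrong shape
]

if __name__ == "__main__":
    for hit in find_loki_artifacts(SAMPLE_ENTRIES) + scan_appdata():
        print("LokiBot-style persistence artifact:", hit)
    if mutex_present():
        print("mutex", LOKI_MUTEX, "exists: LokiBot is probably running")
```

<p>On a live host the attrib command shows the same three flags as H, S and I next to the file; the script automates that check and adds the hash and mutex tests. Treat a path hit as a lead rather than a verdict, and confirm it by hashing the file and by checking for the mutex.<\/p>
<p>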
The .ml TLD belongs to Mali, and the domain is registered through the POINT ML registrar (in partnership with Freenom), which offers free domains and free anonymous registration. To make matters worse, attribution is difficult because the domain (and its IP address) sit behind Cloudflare, which proxies the traffic and hides the origin server\u2019s IP address. This means we do not even know where the site is actually hosted, nor can we begin the attribution process to link it to previous campaigns.\u00a0Unfortunately, the attacker has effectively hidden their origin through OPSEC practices that have allowed them to remain anonymous. We tried several known techniques to expose any mistakes that might identify the attacker behind this domain, to no avail. Only a law enforcement court order or an insider tip could provide further information.\u00a0<\/p>\n<p>We also observed an additional domain, palikyu.tk, likewise registered with Freenom. A dig query for the domain revealed that either no IP address has yet been assigned or no record exists for it, suggesting that the attacker is reserving the palikyu.tk variant for a use currently unknown to us. Freenom does not appear to reveal domain registration dates, so no additional information is available to correlate when these domains were registered. We can only surmise that the two are related, as they are the only two domains in existence containing the string \u201cpalikyu\u201d.<\/p>\n<p>
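Detection logic for the network side of this section, as an added Python example that is not part of the original post or of Fortinet\u2019s tooling: it matches the exact indicators given here (palikyu.ml, palikyu.tk, 104.31.95.221 and the POST to \/alpha\/fre.php) and, as a generalisation, flags any POST to a fre.php on one of the two Freenom free TLDs seen in this campaign even when the host itself has never been seen before. The log format and every line of the sample log are constructed; the only real indicators in it are the ones the report lists.<\/p>

```python
"""Flag LokiBot C2 traffic in web-proxy logs.

Added example, not Fortinet's code.  Indicators come from the report
(palikyu.ml / palikyu.tk, 104.31.95.221, POST to /alpha/fre.php over plain
HTTP).  The second rule generalises: a POST to any fre.php on a Freenom free
TLD (.ml and .tk are the two seen here) is treated as suspect even when the
host is new, because free anonymous registration is exactly what made this
domain hard to attribute.  The log lines and their format are constructed:
one request per line in the 'combined' style many proxies can emit, with an
absolute URL in the request field.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Exact indicators from the report.  23.83.133.8 is deliberately absent: it is
# the spam *source*, so it belongs in mail-relay rules, not web-proxy rules.
C2_HOSTS = {"palikyu.ml", "palikyu.tk", "104.31.95.221"}
C2_PATH = "/alpha/fre.php"
FREENOM_TLDS = {"ml", "tk"}

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$')


@dataclass
class Alert:
    src: str
    url: str
    reason: str


def classify(method: str, url: str) -> Optional[str]:
    """Return a reason string if the request looks like LokiBot C2, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    if host in C2_HOSTS:
        return "ioc: known LokiBot C2 host" + (" and beacon path" if path == C2_PATH else "")
    tld = host.rsplit(".", 1)[-1]
    if method == "POST" and path.endswith("/fre.php") and tld in FREENOM_TLDS:
        return "heuristic: POST to fre.php on a Freenom free TLD"
    return None


def scan_log(lines: Iterable[str]) -> List[Alert]:
    """Parse each line; malformed lines are skipped rather than aborting the hunt."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        reason = classify(m.group("method"), m.group("url"))
        if reason:
            alerts.append(Alert(m.group("src"), m.group("url"), reason))
    return alerts


# Constructed proxy log: every host other than palikyu.ml / 104.31.95.221 is made up.
SAMPLE_LOG = """\
10.1.2.3 - - [21/Aug/2019:13:20:01 -0700] "POST http://palikyu.ml/alpha/fre.php HTTP/1.1" 404 0
10.1.2.4 - - [21/Aug/2019:13:20:05 -0700] "GET http://www.example.com/index.html HTTP/1.1" 200 5120
10.1.2.5 - - [21/Aug/2019:13:21:40 -0700] "POST http://notyetseen.tk/panel/fre.php HTTP/1.1" 200 16
10.1.2.6 - - [21/Aug/2019:13:22:12 -0700] "GET http://104.31.95.221/ HTTP/1.1" 403 0
10.1.2.7 - - [21/Aug/2019:13:22:30 -0700] "POST http://www.example.com/fre.php HTTP/1.1" 200 16
this line is garbage and must be skipped
"""

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{a.src} -> {a.url}: {a.reason}")
```

<p>The heuristic rule is the one worth keeping after the palikyu domains go dark: a free-TLD host combined with a fre.php beacon path is what the anonymous-registration OPSEC described above leaves behind, whereas the exact-match rule only ever catches this one infrastructure set. The final sample line shows that a garbage log entry is ignored instead of stopping the scan.<\/p>
<p>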
A final observation: this particular sample did not use steganography, as some past variants did.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-infostealer-attack-uses-lokibot\/_jcr_content\/root\/responsivegrid\/image_1460393533.img.png\" alt=\"Figure 7: Whois information for Palikyu.ml\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7: Whois information for Palikyu.ml<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-infostealer-attack-uses-lokibot\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"Figure 8. Palikyu.tk\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. 
Palikyu.tk<\/span>         <\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-infostealer-attack-uses-lokibot\/_jcr_content\/root\/responsivegrid\/image_1794662650.img.png\" alt=\"Figure 9. Freenom results showing the existence of Palikyu.tk\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. Freenom results showing the existence of Palikyu.tk<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><b>Technical Details<\/b><\/h2>\n<p>#RFQE67Y54.7z (detected as: Malicious_Behavior.SB)<\/p>\n<ul>\n<li>Size: 239849 bytes<\/li>\n<li>MD5: 25e40e305dcf16f0da3b3656d9702fc7<\/li>\n<li>SHA256: 176C61B6220854995AF271F3BA82BBD7960AACC20E070A3476D8FBAC5AB0C2D8<\/li>\n<li>Date First Seen: 2019-08-21 13:12:11<\/li>\n<li>Malicious spam attachment<\/li>\n<\/ul>\n<p>#RFQE67Y54.exe (detected as: W32\/Windigo.ABV)<\/p>\n<ul>\n<li>Size: 292864 bytes<\/li>\n<li>MD5: c0ea9e012f42d48a75daa80cc4c72004<\/li>\n<li>SHA256: 691c65e4fb1d19f82465df1d34ad51aaeceba14a78167262dc7b2840a6a6aa87<\/li>\n<li>Date of Compilation: 2019-08-21 12:37:37<\/li>\n<li>LokiBot executable contained in the 7z file<\/li>\n<li>Contacts palikyu.ml (blacklisted by the Web Filtering client)<\/li>\n<\/ul>\n<h2><b>ATT&amp;CK TTP Summary<\/b><\/h2>\n<h3><b><i>Initial Access<\/i><\/b><\/h3>\n<p>T1193: Spearphishing Attachment<br \/> #RFQE67Y54.7z file<br \/> SHA256: 176C61B6220854995AF271F3BA82BBD7960AACC20E070A3476D8FBAC5AB0C2D8<\/p>\n<h3><b><i>Execution<\/i><\/b><\/h3>\n<p>T1204: User Execution &#8211; File is 
unzipped and executed by the user via deception (LokiBot)<\/p>\n<h3><b><i>Defense Evasion<\/i><\/b><\/h3>\n<p>T1107: File Deletion &#8211; deletes the original file after infection<br \/> T1158: Hidden Files and Directories &#8211; creates the custom directory %appdata%\\[6 random hex chars] with the following attributes<\/p>\n<ul>\n<li>FILE_ATTRIBUTE_HIDDEN<\/li>\n<li>FILE_ATTRIBUTE_SYSTEM<\/li>\n<li>FILE_ATTRIBUTE_NOT_CONTENT_INDEXED<\/li>\n<\/ul>\n<p>and copies itself to %appdata%\\[6 random hex chars]\\[6 different random hex chars].exe with the following attributes:<\/p>\n<ul>\n<li>FILE_ATTRIBUTE_HIDDEN<\/li>\n<li>FILE_ATTRIBUTE_SYSTEM<\/li>\n<li>FILE_ATTRIBUTE_NOT_CONTENT_INDEXED<\/li>\n<\/ul>\n<p>T1045: Software Packing &#8211; the threat comes packed\/encrypted<\/p>\n<h3><b><i>Credential Access<\/i><\/b><\/h3>\n<p>T1003: Credential Dumping<br \/> Windows Credential Vault<br \/> T1081: Credentials in Files<br \/> The threat tries to steal credentials stored by various software programs<br \/> T1214: Credentials in Registry<br \/> The threat tries to steal credentials stored by various software programs<\/p>\n<h3><b><i>Collection<\/i><\/b><\/h3>\n<p>T1005: Data from Local System<br \/> The threat collects credentials from various software programs on the local system<\/p>\n<h3><b><i>Exfiltration<\/i><\/b><\/h3>\n<p>T1002: Data Compressed<br \/> The threat compresses stolen data before sending it to the C2 URL<\/p>\n<h3><b><i>Command and Control<\/i><\/b><\/h3>\n<p>T1043: Commonly Used Port<br \/> The threat uses port 80 for communications (hxxp:\/\/palikyu.ml\/alpha\/fre.php)<br \/> T1071: Standard Application Layer Protocol<br \/> The threat uses standard HTTP over port 80 (hxxp:\/\/palikyu.ml\/alpha\/fre.php)<\/p>\n<h3><b><i>Known Defenses and Mitigations<\/i><\/b><\/h3>\n<p><b>Initial Access<\/b>: <a href=\"https:\/\/www.fortinet.com\/products\/email-security\/fortimail.html?utm_source=blog&amp;utm_campaign=2018-q2-fortimail-main-page\">FortiMail<\/a> or other mail security solutions can be used to block specific file types. 
FortiMail can also be configured to send attachments to our <a href=\"https:\/\/www.fortinet.com\/products\/sandbox\/fortisandbox.html?utm_source=blog&amp;utm_campaign=2018-q2-fortisandbox-main-page\">FortiSandbox solution (ATP)<\/a>, either on-premises or in the cloud, to determine whether a file displays malicious behavior. <a href=\"https:\/\/www.fortinet.com\/products\/next-generation-firewall.html?utm_source=blog&amp;utm_campaign=2018-q2-fortigate-main-page\">FortiGate firewalls<\/a> with Anti-Virus enabled and a valid subscription will detect and block this threat if configured to do so.<\/p>\n<p><b>Execution<\/b>: <i>User Awareness Training<\/i> \u2013 Since this threat has been reported as delivered via social engineering, it is crucial that end users within an organization are made aware of the various types of attacks delivered this way. This can be accomplished through regularly occurring training sessions and impromptu phishing tests run by the organization\u2019s internal security department using predetermined templates. Simple user awareness training on how to spot emails with malicious attachments or links could stop the initial access into the network.\u00a0 If user awareness training fails and the user opens the attachment or link, <a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/forticlient.html?utm_source=blog&amp;utm_campaign=2018-q2-endpoint-web-page\">FortiClient<\/a> running with up-to-date virus signatures will detect and block this file and associated files. 
The file(s) in this attack are currently detected as:<\/p>\n<p><b><i>W32\/Windigo.ABV<br \/>  Malicious_Behavior.SB<\/i><\/b><\/p>\n<p><b>Exfiltration &amp; C&amp;C<\/b>: A FortiGate at each of your ingress and egress points, with its Web Filtering service (with up-to-date definitions) and\/or Botnet Security enabled, will detect and block the outbound connections observed here if configured correctly.<\/p>\n<p>It is important to note that as attacks become more sophisticated they can sometimes circumvent your security defenses for a number of reasons. This is why it is important to also have the ability to detect anomalous activity that could be malicious.<\/p>\n<p>Lastly, our <a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/fortiguard-services-bundles.html?utm_source=blog&amp;utm_campaign=2018-q3-fortiguard-services\">Enterprise Bundle<\/a> will address this attack as well as others.\u00a0 Our Enterprise Bundle consolidates all the cyber security services you need to protect and defend against all cyberattack channels, from the endpoint to the cloud, including IoT devices, providing you with the integrated defense you need to tackle today\u2019s advanced threats and address today&#8217;s challenging risk, compliance, management, visibility, and Operational Technology (OT) concerns.<\/p>\n<p>All network IOCs in this report are blacklisted by the FortiGuard Web Filtering service.\u00a0<\/p>\n<p><i>Learn more about\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0and the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>.\u00a0<a 
href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.\u00a0<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/jsXG7ovxyoY\/new-infostealer-attack-uses-lokibot.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/new-infostealer-attack-uses-lokibot\/_jcr_content\/root\/responsivegrid\/image_1591068001.img.png\"\/><br \/>The FortiGuard Labs SE team recently identified a new malicious spam campaign utilizing the well documented infostealer LokiBot. 
Learn more.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-16267","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16267"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16267\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16267"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}