Campaigns Delivering Marap and Loki Bot Malware Using CO and IQY Spam Files

A spam email campaign is being carried out aimed at corporate email accounts to share Loki Bot malware. Loki Bot malware is an information stealer that can obtain passwords saved on browsers, obtaining email account passwords, FTP client logins, cryptocurrency wallet passwords, and passwords used for messaging applications.

In addition to obtaining saved passwords, Loki Bot malware has can complete keylogging and download/run executable files. All data captured by the malware is sent to the hacker’s C2 server.

Kaspersky Lab security experts recorded an increase in email spam activity targeting corporate email accounts, with the campaign found to be used to share Loki Bot malware. The malware was sent hidden in a malicious email attachment.

The intercepted emails included an ICO file attachment. ICO files are duplicates of optical discs, which are usually mounted in a virtual CD/DVD drive to open. While expert software can be implemented to open these files, most modern operating systems can access the contents of the files without the need for any other software.

In this instance, the ICO file includes Loki Bot malware and double clicking on the file will lead to the installation of the malware on operating systems that support the files (Vista and later).

It is relatively unusual for ICO files to be used to send malware, although not unheard of. The unfamiliarity with ICO files for malware delivery may see end users try to open the files.

The campaign included a wide variety of lures including spoof purchase orders, speculative enquiries from businesses including product lists, fake invoices, bank transfer details, payment requests, credit notifications, and payment confirmations. Well-known businesses such as Merrill Lynch, Bank of America, and DHL were just some of the emails.