
Unholy trinity of AKBuilder, LokiBot and Betabot used in new malware campaigns

In recent weeks, SophosLabs has published papers outlining threats from AKBuilder and Betabot. Now, it appears the bad guys are combining the two in new attack campaigns.

SophosLabs principal researcher Gábor Szappanos said the lab has received and analyzed a handful of AKBuilder-generated documents in the past week. The documents initially drop a file that contains two payloads: one, the popular LokiBot credential stealer; the other, something that appears to be a version of Betabot. “We thought that Betabot was pretty much dead, with no activity in the past months – up until last week,” Szappanos said.

The malware and tools in question

Before looking at the new developments, a review of the malware is in order.

The three converge

Szappanos shared his findings with Naked Security Wednesday morning. He said the malware is delivered in email messages like this:

And this:

The attachments of the messages are Rich Text Format documents generated by AKBuilder. These documents drop the additional malware components. Here’s some basic information about the documents:

| First seen | Dropper SHA1 | Filename |
|---|---|---|
| 20/02/2017 | 757dfe8e61f96d470da70235dc8c0e3dc9567339 | po866377.doc |
| 20/02/2017 | eaf2f7bbc5fddd19f8414eccfc81bc1af6500311 | UAE-INQUIRy.doc |
| 23/02/2017 | 6aecb37db36c89829cfcbcc458383bbbd218a598 | Quotation-Needed.doc |
| 22/02/2017 | 79fa30f9031b6f0a6ab7d2606d76538657921a51 | po866377.doc |
| 22/02/2017 | 905d8f63f39a32ec3cfe26c821267c22cf32b828 | Quotation required.doc |
| 22/02/2017 | c56b2ec03dcb1c58744592f73f0a6e103aa9cbed | Order_Al Amani Automotech LLC.220217.doc |
| 22/02/2017 | cfd7cb2b88b26a48d6c033d5626689fc313d0cf4 | United Energy Co.doc |

The exploited documents drop two files, which are two different Trojans:

%USERHOME%\AppData\Roaming\win32.exe : LokiBot credential stealer
%USERHOME%\AppData\Local\Temp\nbot.exe : Betabot/Neurevt Trojan

Dyzap is executed automatically on startup by %STARTUP%\win32.vbs

The C&C addresses LokiBot used to send the stolen credentials to were:

monetizechart.me
dfoxinternashipoop.top
conticontrations.com
mdelatropsopc.info
scopeclothingsltd.pro

The malware submits the stolen information to a PHP script on the C&C server; by default that script is named fre.php.
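As an added example that is not part of the original article: a small Python detector that runs over constructed proxy log lines (the log layout is assumed for the example and is not a real product format) and flags traffic to the C&C domains and the default fre.php gate named above, including subdomains of the listed domains.

```python
import re

# LokiBot C&C domains listed in the article.
LOKIBOT_C2_DOMAINS = {
    "monetizechart.me", "dfoxinternashipoop.top", "conticontrations.com",
    "mdelatropsopc.info", "scopeclothingsltd.pro",
}
DEFAULT_GATE = "fre.php"  # default name of the receiving PHP script, per the article

# Assumed proxy log layout (constructed for this example, not a real product format):
#   <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/:?#]+)(?::\d+)?(/[^?#]*)?")


def is_c2_domain(host):
    """True if host is one of the listed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LOKIBOT_C2_DOMAINS)


def classify(line):
    """Return a finding dict for one log line, or None if nothing matches."""
    m = LOG_RE.match(line.strip())
    u = URL_RE.match(m.group(4)) if m else None
    if not u:
        return None  # unparseable lines are ignored, not flagged
    ts, client, method, _url, _status = m.groups()
    host, path = u.group(1), u.group(2) or "/"
    reasons = []
    if is_c2_domain(host):
        reasons.append("known LokiBot C&C domain")
    # The stealer submits data with POST; a GET to the same path is far less telling.
    if method == "POST" and path.rsplit("/", 1)[-1].lower() == DEFAULT_GATE:
        reasons.append("POST to default LokiBot gate " + DEFAULT_GATE)
    return {"ts": ts, "client": client, "host": host, "reasons": reasons} if reasons else None


def scan(lines):
    """Run classify() over a log and keep only the lines that produced findings."""
    return [f for f in (classify(ln) for ln in lines) if f]


# Constructed sample log: private client addresses and one RFC 5737 test address.
SAMPLE_LOG = [
    "2017-02-22T10:14:03Z 10.0.0.15 POST http://monetizechart.me/fre.php 200",
    "2017-02-22T10:14:05Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2017-02-22T10:15:11Z 10.0.0.23 POST http://cdn.conticontrations.com/p/fre.php 404",
    "2017-02-22T10:16:40Z 10.0.0.42 POST http://203.0.113.7/panel/fre.php 200",
    "2017-02-22T10:17:02Z 10.0.0.42 GET http://scopeclothingsltd.pro/ 200",
]
```

The fre.php check is deliberately kept separate from the domain check, because the gate name can also catch a new C&C host that is not yet on the domain list (the fourth sample line).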

The login page of the C&C panel looks like this:

The builder of LokiBot (at least a cracked version) looks like this:

Defensive measures

Since Betabot has most recently been used to serve up ransomware, a reminder of our tips on that front should be useful:

To protect against AKBuilder activities, simply applying recent patches for Microsoft Office should be enough to disarm the attack.
