On April 5th, our Phishing Defense Center received a flurry of emails with subject line following a pattern of Lastname, firstname. Attached to each email was a password-protected .docx Word document with an embedded OLE package. In all cases the attachments were password protected to decrease the likelihood of detection by automated analysis tools. A password was provided to the victim in the body of the email which attempts to lure the victim into opening the malicious attachment and to increase the apparent legitimacy of the message.
W-2 Fraud – Tax Season and All Year Long
It’s the time of year when Taxes are on everyone’s mind – especially Phishers!
The stress of filing. The stress of gathering all the documents. The stress of reporting. The stress of the deadline. All of that on top of everything else you have to do this time of year makes tax time phishing a favorite and highly successful annual event for phishing scams. However, once the filing is completed, it doesn’t mean the campaigns will stop. W2 and CEO fraud are timeless phishing campaigns that run all year long.
Tales from the Trenches: Loki Bot Malware
On March 15, 2017, our Phishing Defense Center observed several emails with the subject line “Request for quotation” pretending to award Shell Oil Company contracts – a very targeted subject tailored to the receiver. As with most phishing emails, there is a compelling call to action for the receiver, in this case a contract award from a well-known organization. And, an added bonus unknown to the receiver, the emails also contained a malicious attachment designed to siphon data from its targets.
Included is an example of one of these emails along with basic Triage header information.
Each email analyzed contained instructions to open an attached .ace archive file that when decompressed revealed a Windows executable containing Loki Bot Malware.
Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.
The following Loki Bot executable was identified during our analysis.
| Filename | MD5 | Size |
| shellOil.ace | 5d70858b154c8b0eb205e84ca7f27a04 | 118,473 |
| Shell Oil.exe | 6a95ae2c90a4a3c5a2c1ce3eaf399966 | 245,760 |
Upon infecting a machine, this malware performs a callback to the following command and control host reporting the new infection and submitting any private data stolen during the infection process.
| Command and Control URL | IP Address | Location |
| hxxp://elmansy.net/pdf/fre.php | 118.193.173.208 | China |
The command and control domain ‘elmansy.net’ was created almost exactly a year ago on 2016-03-18 with the email address sherif-elfmannsy@hotmail.com. The IP address reveals that the domain is being hosted out of Jiangsu, China.
Take Away
As always, PhishMe cautions our customers to be wary of emails requesting information or promising reward. Specific to this sample, we recommend that customers be observant for emails containing the subject line “Request for quotation” or emails promising business with new or unknown businesses. PhishMe Simulator customers who feel this type of offer might be successful with its employees should consider launching simulations that follow this style of attack to further train their users.
Additionally, incident responders should consider blocking the domain and IP address mentioned above, as well as searching endpoint systems for the MD5’s if internal systems support it.
The Phishing Defense Center is the hub for our remotely managed PhishMe Triage services. The fully staffed center manages all internal reported emails for a number of organizations. All information shared has been cleansed of any identifiable data.