Phishing campaign packs an info-stealer, ransomware punch

A new phishing campaign is distributing a double-punch of a LokiBot information-stealing malware along with a second payload in the form of the Jigsaw Ransomware.

By using this combo, the attackers first steal saved user credentials stored in a variety of applications and then deploy the Jigsaw Ransomware to try and get a small ransom to sweeten the attack.

LokiBot: Malware

LokiBot is Trojan-type malware designed to infiltrate systems and collect information. It steals sensitive information from victims including usernames, passwords, bank details and the contents of cryptocurrency wallets via the use of a keylogger. It is distributed via spam emails, various private messages, and malicious websites.

Weaponized Excel spreadsheets

This campaign is using Excel attachments with names such as Swift.xlsx, orders.xlsx, Invoice for Payment.xlsx, Inquiry.xlsx. Unlike many phishing attachments, the actors appear to be utilizing carefully crafted spreadsheets that have been weaponized to seem believable:

 

These attachments have been weaponized using LCG Kit so that they exploit an old Microsoft Office CVE-2017-11882 remote code execution vulnerability in Equation Editor.

 

If successfully exploited, malware will be downloaded from a remote site and executed.

 

While this malware has since been removed from the site, cjjjjjjjjjjjjjjjjjjj.exe file is LokiBot.

LokiBot has the ability to steal saved login credentials from a variety of browsers, FTP, mail, and terminal programs and then sends it back to the command and control server to be collected by the attacker.

Additional ransomware payload

In addition, this LokiBot a variant has been configured to download and install a Jigsaw Ransomware variant that uses a Salvadore Dali mask from the popular Money Heist show as its background.

 

This Jigsaw Ransomware variant will encrypt a victim's files and append .zemblax extension to encrypted file's names. The Jigsaw Ransomware will delete files every hour and each time the infection starts until you pay the ransom.

Good news is that encrypted files can easily be decrypted. To decrypt the files, the first thing is terminating the firefox.exe and drpbx.exe processes in Task Manager to prevent any further files from being deleted. Then run MSConfig and disable the startup entry called firefox.exe that points to the   %UserProfile%\AppData\Roaming\Frfx\firefox.exe executable.

Recommendations:

It is recommended to follow the below best practices:

  • If infected, terminate the drpbx.exe process using Task Manager so that the Jigsaw Ransomware will be shut down and not delete your files.
  • Open email attachment with extreme care. Never open attachment with "pif", "exe", "bat", ".vbs" extension.
  • Avoid conducting online banking or financial enquiries/transactions from public or unsecured terminals.
  • Do not open other Internet browser sessions and access other websites while you are performing online financial transactions/enquiry through the Internet.
  • Make sure you are using the latest security patches and anti-malware software with an updated definition file. It can reduce the chance of being affected by fraudulent emails or websites riding on software vulnerabilities.