LokiBot Malware Making The Rounds Again, Hidden In PNG Spam Attachments

lokibot malware spreading via png fileSecurity researchers have come across a new spam campaign that is pushing the LokiBot info-stealing trojan. According to them, the emails that they managed to intercept contained a malicious .zipx attachment that is trying to hitch a ride inside a portable network graphics(PNG) file in an attempt to get past email security gateways. This is done because .zipx files are well known for their use in the distribution of malware and are usually flagged as dangerous by the security gateways scanners.

The threat actors behind this new LokiBot spam campaign have used a bit of creativity to hide the .zipx archive containing the trojan, which becomes clearer upon closer inspection of the attachment (RFQ-5600005870.png). As security researchers said: "In a PNG file, IEND is supposed to mark the end of the image, and is supposed to appear last. But in this file, there is a bunch of data after IEND." It is in that data that researchers found a zip archive, containing a file named "RFQ -5600005870.exe" The .png file itself can be opened in an image viewer, and it displays a .jpg icon, perhaps another attempt at camouflage.

As it turns out, however, it does take some effort to get infected. To do that, you have to unzip the malicious file, but 7-Zip and WinZip both give errors when you attempt to open it. If you have WinRAR installed, you would have no such problems and trying to open the .png file will immediately start up WinRAR for you to commence the extraction of the malicious file. It is worth mentioning that if you change the extension to anything other than zipx or zip, 7-Zip will also be able to extract the malicious .exe.

After the .zipx archive has been extracted to a 13.5MB file named RFQ -5600005870.exe, the user must double-click it to open it, at which point it will "decrypt the main payload into the memory and execute it using a common technique called Process Hollowing, where a new process is created in a suspended state, its memory is unmapped, and the malicious code replaces it."

While this spam campaign might be limited in scope, it's another way in which your system can become corrupted by the LokiBot trojan. The info-stealing trojan has become somewhat of a commodity for cyber-crooks, as it is simple, effective, and goes for as little as $300 in underground markets, which is quite cheap when you consider the profits it can bring. And, as we can see, people are constantly thinking of all kinds of ways to bypass security features and deliver its malicious payload to your system.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.