Disclaimer: Opinions expressed are solely my own. None of the ideas expressed in this blog post are shared, supported, or endorsed in any manner by my employer.

In this blog, we take a look at Lokibot campaign. 

The email 

MD5: a42ef269e70416810810d0fa01fe02ee
SHA256: 8f8bc761f92ff8f3c442699c8b41358e5716339482264f1ef7d09eb57f68b9f0

VT: https://www.virustotal.com/gui/file/8f8bc761f92ff8f3c442699c8b41358e5716339482264f1ef7d09eb57f68b9f0

The campaign begins with a email. 


The Email Sample


The email has a different email-id in From and Reply-to header. It contains an attachment named "Payment Copy.docx" . It appears to be sent from 45.143.7.113


Geolocation information of IP

The Attachment

MD5: 1ba139d79438fc4406ab8b8fd93f6a30
SHA256: 94fa80c133c152abe46e0f6f20c06b1f27c225f2723915596af2ad8499fa4ff0

The attachment is a docx file which can be treated as a zip file. 

After unzipping, we check the file word/_rels/webSettings.xml.rels where we see the remote url

Content of word/_rels/webSettings.xml.rels

The url: hxxps://itop[.]so/DpWhg downloads a rtf file. 

Ref: https://www.virustotal.com/gui/url/05a382cf2cf7034327f962639d4568a0e32686213cc81b5b00c29680f229aaa0/

The RTF File

MD5: e863c296b56a2186b662b7cce8e4aaa5
SHA256: db46ba6c7bccd43b5a5ecb729ef23dfa58fbcd8ee7720a15696f33ace895522f 

The file downloaded is named as invoice.doc which is a RTF file. 

Using rtfdump.py, we see the following streams: 

Output of the RTFDump tool

Dumping the first stream and looking it using hex editor, we came across the CLSID of equation editor: 

Highlighted CLSID of Equation Editor

Also, we see an OLE10 native stream in it which typically contains a shellcode. 

Shellcode

After dumping the OLE10 native stream, we use scdbg to find the shellcode: 

Output from shellcode emulation


The shellcode downloads a file from the url: hxxp://103[.]207[.]39[.]127/http/csrss[.]exe to the path: C:\Users\Public\vbc.exe and executes it. 

The url downloads a .NET file. Ref: https://www.virustotal.com/gui/url/3196722e5834a7384895967a3518ad5d1a6830d85586ba6a6508f59c949b4b47

The .NET loader

MD5: 80ca5fbabeb4b62af4beb588c3b2f9e1
SHA256: 79ece3edc65e0f2110c5f126bd0ea4e3cd8ca1ca4a3c8f747580b2fd010105ad

The .NET file contains fake information such as:

Fake information

The file has a high entropy: 7.795.  In the resource section of .Net , we see a png image named  EncoderFallb with an entropy of 7.99663 and a file named Converter with an entropy of 7.84998: 
 
EncoderFallb resource


The file initially deobfuscates and loads the Converter resource in the memory which is a dll file named ArgIteratorZAA : 


Loading Routine

First DLL loaded in memory

MD5: 79c5c39e29ebe233cd13a50987e64609
SHA256:dec15271d422cf3b82c0a94cf147312bb5a4a4f262da4b698ffe7e6bdaf18053

The class ArgIterator is invoked with 3 parameters: "456E636F64657246616C6C62" (EncoderFallb) , "4762623247675155" (Gbb2GgQU) , "MusicGenerator" .  In the below figure, we see the function accepting these 3 arguments: 


Starting point of loaded file


It first sleeps for 41263 milliseconds. Then it extracts another dll file (TweenEngineAPI.dll )  from the EncoderFallb resource of the initial .NET file, deobfuscates and loads in it the memory. 

Extraction of EncoderFallb resource

Second DLL loaded in memory

MD5: 31a462b762d57132485a38cc29c33a6c
SHA256: 52aeeb77b743fc532b8d00d2fe039f0c33e01555dc0ed7a89c1e6e4141016218

TweenEngineAPI.dll file contains a lot of classes which are not used. It contains 2 resources: 
  • hElOI3eyMgU3Ua5HeM.yiCiaCyuKn7k930nYn
  • JLCOcB0OitZkA6cLMR.7lqMfmnIZVJv8pPoJh 

List of resources and classes (cut for brevity)

This dll starts its execution from the class: u5deZApOUp1We7GkZP where it performs the following actions: 
  • It first extracts its own resources: hElOI3eyMgU3Ua5HeM.yiCiaCyuKn7k930nYn and JLCOcB0OitZkA6cLMR.7lqMfmnIZVJv8pPoJh which is deobfuscated and loaded in the memory.
  • The file loaded in the memory is a dll file named: a9551989-c0ed-4d71-8e51-a6bc3e7a51a4.dll 

Third DLL loaded in memory

MD5: 741d92a5d66a22ac24ead7beefd8752e
SHA256: 5d83b0bc6bf2ededa11662b5c43e64cdbfbf01c33733ab3c1546978276f2d782

This dll doesn't contain any code. It contains 3 resources. Out of these 3 resources, XK83TbKgcF‎ is the resource which is extracted by the TweenEngineAPI.dll, previously loaded DLL file. 

List of resources


TweenEngineAPI.dll (second in-memory loaded) file does the following after extracting the resource (XK83TbKgcF) from a9551989-c0ed-4d71-8e51-a6bc3e7a51a4.dll : 
  • The extracted resource is deobfuscated which is the lokibot stealer sample. 
  • It dynamically resolves the following APIs:
    • "ResumeThread"
    • "Wow64SetThreadContext"
    • "SetThreadContext"
    • "Wow64GetThreadContext"
    • "GetThreadContext"
    • "VirtualAllocEx"
    • "WriteProcessMemory"
    • "ReadProcessMemory"
    • "ZwUnmapViewOfSection"
    • "CreateProcessA"
  • The above APIs are typically used for process hollowing.  In this case, it spawns a new process of itself and uses process hollowing to write the extracted lokibot sample into it. 

The Lokibot Sample

MD5: 28a1ba29828935a65c660d30e64c0c5f
SHA256: 06d16c53db8da86d86cc9b91ba511fd5a04f7e40f41b1bfcaaa1929e201157b9 
ssdeep:"1536:czvQSZpGS4/31A6mQgL2eYCGDwRcMkVQd8YhY0/EqfIzmd:nSHIG6mQwGmfOQd8YhY0/EqUG"

The lokibot sample performs the following actions described in https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws 

Currently, C2 server (sempersim.su)  is down. The url contacted is: hxxp://sempersim[.]su/gh5/fre.php

Network connection


Once the lokibot is executed, the .net loader file deletes itself from the disk. 

Extra:

In this analysis, Dnspy's modules and module breakpoint was used to dump the in-memory loaded file. Refer this video for more advance reversing tricks in Dnspy: https://www.youtube.com/watch?v=yxw4h82mQ2s

You can also use the tool DotDumper unveiled at Blackhat this year. The tool is available at https://github.com/advanced-threat-research/DotDumper. You can read more here: https://www.trellix.com/en-hk/about/newsroom/stories/threat-labs/dotdumper-automatically-unpacking-dotnet-based-malware.html 

By using DotDumper tool, you can automatically dump all the 3 dll files and read the logs to check the call trace and perform further analysis. However, the final Lokibot sample is not dumped since it is not loaded in the memory but instead written into another process in this case. 


Thanks for Reading. Have a Good Day!