When it comes to macro malware, many people try to finish it off with two workarounds: disabling macros (via GPO) and user awareness. That said, what if a malicious document doesn't use macro code to perform its malicious tasks? What if a document exploits a vulnerability to carry out its malicious activities? With that in mind, let me invite you to a very new spam mail campaign that has happened, or is happening, around the globe, mostly in GCC countries, as of this writing, and which doesn't use any macro code.
This write-up will be a journey from the initial spam mail that the user received in his/her inbox, through confirming the campaign (we will cover one variant in this write-up, even though several are out there) as the infamous "LOKI BOT Spyware", to finding clues about the offenders who compromised the C&C website. Finally, we will find another spyware, "Venom Logger", within the same C&C as LOKI BOT, along with some crucial details.
Of course, while analyzing each area of this campaign, numerous variables were taken into account. The threat actors may be responsible only for compromising the C&C website, and the actual actors behind the campaign might be different. At the same time, the same threat actors may be responsible for the whole campaign.
- Spam email received with a malicious attachment, as part of the campaign
- Investigating the infection chain of the document malware received with the spam
- Finding the final malware variant and confirming it as LOKI BOT spyware
- Getting into the command and control
- Getting traces of the suspected threat actors who hacked the C&C (website) of Loki
- Finding another spyware in the same C&C and extracting crucial details about it
Please see the full report here.