Security researchers at FortiGuard Labs have discovered a new campaign that exploits the COVID-19 coronavirus outbreak, sending emails purporting to come from the World Health Organization (WHO) in order to spread the LokiBot trojan. The COVID-19 themed malware campaign was revealed on March 27, when researchers discovered emails allegedly coming from the WHO, supposedly announcing ways to counter misinformation about the COVID-19 outbreak. These emails carry an attachment entitled "COVID_19- WORLD ORGANIZATION HEALTH CDC_DOC.zip.arj", which delivers the LokiBot trojan.
FortiGuard Labs recently discovered a new COVID-19 themed email sent from 159.69.16[.]177, which uses the World Health Organization's trademark in an effort to convince recipients of its authenticity. The email is entitled "Coronary heart disease (COVID-19) Significant announcement[.]". It also includes an attachment entitled "COVID_19- WORLD ORGANIZATION HEALTH CDC_DOC.zip.arj", which appears to contain additional information but is in fact a trap that delivers malware to recipients who open it. The email body contains information about the pandemic along with suggestions and treatment tips. It is written in English, but researchers believe that the attackers behind this campaign are not native English speakers, given the spelling, grammar and punctuation they use. The message claims to come from a WHO Disease Control Center; the attackers appear to conflate the WHO's name with the US Centers for Disease Control (CDC), even though the two organizations are separate. The attached "COVID_19- WORLD ORGANIZATION HEALTH CDC_DOC.zip.arj" is a compressed file in ARJ format, a format most likely chosen to avoid detection. When the recipient opens the attachment and decompresses it, the extracted file carries a "DOC.pdf.exe" extension instead of "Doc.zip.arj", which encourages them to open it.
Once the file is opened, the LokiBot trojan infection begins. The malware then steals sensitive information such as FTP credentials, stored email passwords, passwords saved in browsers and other credentials. Associated URL (defanged): hxxp://bslines[.]xyz/copy/five/fre.php
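The two name-based tricks described above (an uncommon ARJ archive wrapping a zip, and a document-looking double extension ending in .exe) are exactly what a mail-gateway attachment check can flag before a user ever unpacks the file. The following is an added example written for this article, not code from FortiGuard or from the report; the sample attachment names are constructed and the extension lists are assumptions to tune to your own policy.

```python
# Extension classes (assumptions for this example; extend to match your gateway policy).
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "hta", "msi"}
DOCUMENT_LURE = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
ARCHIVE = {"zip", "rar", "7z", "gz", "tar", "arj", "ace", "iso", "img", "lzh", "cab"}
# Legacy or rare archive formats that many mail scanners do not unpack.
UNCOMMON_ARCHIVE = {"arj", "ace", "lzh", "iso", "img", "cab"}

# Constructed sample: the two names reported in the article plus benign controls.
SAMPLE_ATTACHMENTS = [
    "COVID_19- WORLD ORGANIZATION HEALTH CDC_DOC.zip.arj",
    "DOC.pdf.exe",
    "report.pdf",
    "invoice.zip",
    "setup.exe",
]


def extension_chain(filename):
    """Return every dot-separated suffix, lowercased, outermost first.
    'DOC.pdf.exe' -> ['exe', 'pdf']; a name without a dot -> []."""
    parts = filename.lower().split(".")
    return parts[1:][::-1] if len(parts) > 1 else []


def classify_attachment(filename):
    """Return reason codes describing why the name is suspicious; [] means no finding."""
    chain = extension_chain(filename)
    if not chain:
        return []
    final, inner = chain[0], chain[1:]
    findings = []
    # Executable whose earlier suffix imitates a document, e.g. DOC.pdf.exe
    if final in EXECUTABLE and any(e in DOCUMENT_LURE for e in inner):
        findings.append("double-extension-executable")
    # Container format that scanners often skip, e.g. .arj
    if final in UNCOMMON_ARCHIVE:
        findings.append("uncommon-archive")
    # Archive wrapped in another archive, e.g. .zip.arj
    if final in ARCHIVE and any(e in ARCHIVE for e in inner):
        findings.append("nested-archive-extension")
    return findings


def triage(attachments):
    """Map each flagged attachment name to its findings; clean names are omitted."""
    report = {}
    for name in attachments:
        findings = classify_attachment(name)
        if findings:
            report[name] = findings
    return report
```

Running `triage(SAMPLE_ATTACHMENTS)` flags only the two names from the campaign; a bare `setup.exe` is left to the gateway's normal executable policy, since this check targets the disguise rather than the file type itself.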
LokiBot has been known since 2015. It is malware that has been used in many malspam campaigns to steal credentials from browsers, email clients and administration tools, and it has also been used to target cryptocurrency holders. The original LokiBot malware was developed and sold via email by a hacker who appears online under the pseudonym "lokistov" (also known as Carter). It was initially advertised on many hacking forums for up to $300; later, other hackers began offering it for under $80 in the cybercrime underground.
Researchers at FortiGuard have found that users around the world have been infected by this COVID-19 themed malware campaign, most of them in Turkey (29%), Portugal (19%), Germany (12%), Austria (10%) and the USA (10%). Infections related to this campaign have also been identified in Belgium, Puerto Rico, Italy, Canada and Spain.