
Cybercrime, LokiBot hides in a “Chinese boxes” campaign

Technical analysis by the Malware Hunter JAMESWT

A new global cybercrime campaign spreading LokiBot uses a "Chinese boxes" system and the VelvetSweatshop technique to evade antivirus. The xlsm attachment downloads a doc file, which in turn downloads an executable that starts the malware infection.

LokiBot leverages a "Chinese boxes" system, a chain of nested stages, to spread in a new global malspam campaign. The email carries an xlsm attachment which, if opened, downloads a doc file. This, in turn, downloads an executable that starts the malware infection chain. The cybercrime actors behind the attack also use the VelvetSweatshop technique to evade antivirus: the xlsm document is encrypted with a password, but the user is never asked to enter it, because "VelvetSweatshop" is the built-in default password that Excel tries automatically when it opens an encrypted workbook. The file therefore opens normally for the victim, while its content (macros included) stays encrypted, and unreadable, for any scanner that does not try that password. The goal is to steal sensitive data from victims, usually companies. LokiBot is in fact a banking Trojan with keylogger capabilities, able to steal many types of credentials. It can also open a backdoor to download additional payloads onto infected systems.
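The VelvetSweatshop trick described above is easy to spot at triage time. An OOXML workbook (.xlsx/.xlsm) is normally a zip archive starting with "PK"; once encrypted, it becomes an OLE2/CFB container holding EncryptionInfo and EncryptedPackage streams. The following script is an added example, not code from the original analysis or from JAMESWT: it flags an attachment whose extension claims OOXML but whose bytes are an encrypted OLE container, and optionally tries Excel's default password with the third-party msoffcrypto-tool package (assumed installed; the script degrades gracefully if it is not). The sample bytes it builds are constructed for the demo and are not a real malware file.

```python
"""Triage for VelvetSweatshop-style Office attachments (added example).

Excel silently tries the built-in password "VelvetSweatshop" when opening an
encrypted workbook, so a document encrypted with it opens without a prompt
while its macro body stays encrypted on disk. We look for the tell-tale
encrypted-OOXML container and, if msoffcrypto-tool is available, decrypt it.
"""
import io
import os
from typing import Optional

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 / CFB header
ZIP_MAGIC = b"PK\x03\x04"                           # normal OOXML package
OOXML_EXTS = {".xlsx", ".xlsm", ".docx", ".docm", ".pptx", ".pptm"}
DEFAULT_PASSWORD = "VelvetSweatshop"

# CFB directory entries store stream names as UTF-16LE; these two streams are
# what an encrypted OOXML package (ECMA-376 Standard/Agile encryption) holds.
ENC_STREAMS = [n.encode("utf-16-le") for n in ("EncryptionInfo", "EncryptedPackage")]


def classify(filename: str, data: bytes) -> dict:
    """Return a small verdict dict for an attachment's raw bytes."""
    ext = os.path.splitext(filename)[1].lower()
    is_ole = data.startswith(OLE_MAGIC)
    is_zip = data.startswith(ZIP_MAGIC)
    # Heuristic: search the whole container for the UTF-16LE directory names
    # rather than parsing the CFB FAT; good enough for mailbox-scale triage.
    enc_streams = [s.decode("utf-16-le") for s in ENC_STREAMS if s in data]
    encrypted_ooxml = is_ole and len(enc_streams) == 2
    # An OOXML extension on an encrypted OLE container is the VelvetSweatshop shape.
    candidate = ext in OOXML_EXTS and encrypted_ooxml
    return {
        "extension": ext,
        "container": "ole2" if is_ole else "zip" if is_zip else "unknown",
        "encrypted_ooxml": encrypted_ooxml,
        "encryption_streams": enc_streams,
        "velvetsweatshop_candidate": candidate,
    }


def try_default_password(data: bytes) -> Optional[bytes]:
    """Try Excel's built-in password via msoffcrypto-tool (assumed installed:
    pip install msoffcrypto-tool). Returns the decrypted package bytes, which
    should start with "PK", or None if the library is missing or decryption fails."""
    try:
        import msoffcrypto
    except ImportError:
        return None
    try:
        office = msoffcrypto.OfficeFile(io.BytesIO(data))
        office.load_key(password=DEFAULT_PASSWORD)
        out = io.BytesIO()
        office.decrypt(out)
        return out.getvalue()
    except Exception:
        return None


def build_fake_encrypted_container() -> bytes:
    """Constructed sample, not a real document: an OLE header, padding, and the
    UTF-16LE stream names an encrypted OOXML package's directory would contain."""
    return OLE_MAGIC + b"\x00" * 504 + b"".join(s + b"\x00\x00" for s in ENC_STREAMS)


if __name__ == "__main__":
    sample = build_fake_encrypted_container()
    verdict = classify("invoice.xlsm", sample)
    print(verdict)
    if verdict["velvetsweatshop_candidate"]:
        plain = try_default_password(sample)
        print("decrypted with default password" if plain else "decryption not attempted/failed")
```

On a real attachment, read the file bytes, call classify(), and only then hand a velvetsweatshop_candidate to the decryption step; the decrypted output is an ordinary zip that the usual macro-extraction tooling can inspect.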

The xlsm file

The C2s contacted by the payload
