The files are packaged with Excel-DNA, and a DLL containing two URLs pointing to Discord is extracted from them. These download data files and encode them with XOR to create additional DLLs, which initiate the malware infection.
Technical analysis by the Malware Hunter JAMESWT
New Lokibot campaign via catalog request. The email's gz attachment contains an exe: the malware itself. Opening it activates the infection.
The latest global Lokibot campaign uses a catalog request as a lure.
The email's gz attachment contains an executable file, the malware itself. If opened, it activates the infection. The goal of the cybercriminals behind the operation is to steal sensitive information from the victim. Lokibot (aka Loki PWS and Loki-bot) is an information stealer, which acquires credentials, cryptocurrency wallets, and other types of data.
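A mail-gateway style check for the delivery method described above, added here as an example and not taken from the original article or the analyst's work: it decompresses a gzip attachment with a size bound and flags it when the content is a Windows PE executable, regardless of the file name. The function names and the sample bytes are constructed for illustration.

```python
import gzip
import io
import struct
import zlib

MAX_READ = 1024 * 1024  # bound decompressed bytes; the PE headers sit at the start

def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def gz_contains_exe(attachment: bytes) -> bool:
    """Decide by content, not file name, whether a gzip attachment wraps a PE file."""
    if attachment[:2] != b"\x1f\x8b":          # gzip magic
        return False
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(attachment)) as gz:
            payload = gz.read(MAX_READ)         # bounded read guards against gzip bombs
    except (OSError, EOFError, zlib.error):     # corrupt or truncated stream
        return False
    return looks_like_pe(payload)

def constructed_samples() -> dict:
    """Constructed test inputs: a minimal PE-shaped stub and a harmless text file."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)    # e_lfanew -> offset 0x40
    stub += b"PE\x00\x00" + bytes(20)
    return {
        "exe_in_gz": gzip.compress(bytes(stub)),
        "text_in_gz": gzip.compress(b"Please send us your latest catalog."),
        "bare_exe": bytes(stub),
        "corrupt_gz": b"\x1f\x8bnot really gzip",
    }

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(f"{name}: executable inside gzip = {gz_contains_exe(blob)}")
```

A hit is a reason to quarantine the message for review; corrupt or truncated archives return False here and may deserve their own handling.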