Spam Campaigns Delivering Marap and Loki Bot Malware with ICO and IQY Files

A spam email campaign is being conducted focusing on targeting corporate email accounts to share Loki Bot malware. Loki Bot malware is a data stealer capable of obtaining passwords stored in browsers, obtaining email account passwords, FTP client logins, cryptocurrency wallet passwords, and passwords in placed for messaging apps.

Along with stealing saved passwords, Loki Bot malware has keylogging capabilities and is possibly capable of installing and running executable files. All data captured by the malware is transferred to the hacker’s C2 server.

Kaspersky Lab researchers identified an increase in email spam activity focusing on corporate email accounts, with the campaign discovered to be used to spread Loki Bot malware. The malware was sent hidden in a malicious email attachment.

The intercepted emails included an ICO file attachment. ICO files are duplicates of optical discs, which are usually mounted in a virtual CD/DVD drive to open. While specialist software can be used to open these files, the majority of modern operating systems have the ability to access the contents of the files without the need for any extra software.

In this instance, the ICO file includes Loki Bot malware and double clicking on the file will result in a downloading of the malware on operating systems that support the files (Vista and later).

It is relatively unusual for ICO files to be used to deliver malware, although not unheard of. The unfamiliarity with ICO files for malware delivery may see end users try to open the files.

The campaign included a wide variety of lures including fake purchase orders, speculative enquiries from companies including product lists, fake invoices, bank transfer details, payment requests, credit alerts and payment confirmations. Well-known businesses such as Merrill Lynch, Bank of America, and DHL were spoofed in some of the emails.

A different and unrelated spam email campaign has been discovered that is using IQY files to deliver a new form of malware known as Marap. Marap malware is a installer capable of downloading a variety of different payloads and additional modules.

During installation, the malware fingerprints the system and gathers data such as username, domain name, IP address, hostname, language, country, Windows version, details of Microsoft .ost files, and any anti-virus solutions detected on the infected computer. What happens next depends on the system on which it is downloads. If the system is of particular interest, it is earmarked for a more thorough extensive compromise.

Four separate campaigns involving millions of messages were discovered by experts at Proofpoint. One campaign included an IQY file as an attachment, one included an IQY file within a zip file and a third used an embedded IQY file in a PDF file. The fourth used a Microsoft Word document including a malicious macro. The campaigns seem to be targeting financial institutions.

IQY files are used by Excel to download web content straight into spreadsheets. They have been used in many spam email campaigns in recent weeks to install a range of different malware variants. The file type is proving popular with cybercriminals because many anti-spam solutions fail to recognize the files as malicious.

Since most end users would not have any need to open ICO or IQY files, these file types should be placed on the list of blocked file types in email spam filters to prevent them from being shared to end users’ inboxes.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writers about compliance and the related areas of IT security breaches. Elizabeth's has focus on data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone
Twitter