2017-11-16 - MALSPAM USING CVE-2017-0199 TO PUSH LOKI BOT

ASSOCIATED FILES:

  • 2017-11-16-Loki-bot-malspam-traffic.pcap   (673,526 bytes)
  • 2017-11-16-Loki-bot-binary-7571BA.exe   (704,512 bytes)
  • 2017-11-16-Lokibot-malspam-0549-UTC.eml   (12,936 bytes)
  • 2017-11-16-josephioseph.com-timaya-htadrills.hta.txt   (2,331 bytes)
  • SKMBT_C20171116424367.doc   (6,785 bytes)

NOTES:

 

EMAIL


Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

 


Shown above:  Attachment is actually an RTF file with an exploit for CVE-2017-0199.

 

TRAFFIC


Shown above:  Traffic from this infection filtered in Wireshark.

 

ASSOCIATED DOMAINS AND URLS:

 

FILE HASHES

RTF WITH EXPLOIT FOR CVE-2017-0199:

 

HTA FILE CALLED BY RTF:

 

FOLLOW-UP MALWARE (LOKI BOT):

 

IMAGES


Shown above:  HTTP GET request caused by the RTF file returned an HTA file.

 


Shown above:  HTTP GET request for the Loki bot binary.

 


Shown above:  Loki bot post-infection traffic.

 


Shown above:  Windows Registry update noted for persistence.

 


Shown above:  An open directory with additional malware.  I've submitted URLs for these files to VirusTotal.

 

FINAL NOTES

Once again, here are the associated files:

Zip files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.