Cyber Incident Victim: US Manufacturing Company
Date: Aug 2019
Location: United States of America
Summary
A US manufacturing company was targeted in a malspam campaign distributing the LokiBot information stealer, designed to harvest credentials from web browsers, email clients, administrative tools, and cryptocurrency wallets. Attackers sent phishing emails to sales addresses, masquerading as urgent requests for quotations, from a compromised trusted sender IP address previously linked to other targeted attacks. The malicious attachment, a compressed archive disguised as a game executable, deployed LokiBot upon opening. This variant deviated from earlier versions by omitting steganography techniques. The campaign exhibited low-volume, highly targeted characteristics, with linguistic inconsistencies suggesting non-native English authorship, and leveraged infrastructure associated with prior intrusions against entities like a German bakery.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around August 21, 2019, Fortinet's FortiGuard SE Team identified a targeted malspam campaign distributing the LokiBot information stealer malware against a large US manufacturing company. The campaign involved phishing emails sent to the sales email addresses of company employees, originating from a compromised trusted sender with the IP address 23[.]83[.]133[.]8. The malicious emails contained attachments disguised as urgent business documents, specifically referencing "RFQ" (request for quotation) terminology in filenames such as "Please see ‘attache" to entice victims into opening them. These attachments were compressed archives that deployed the LokiBot payload upon execution. The malware sample used in this attack was compiled on the same date it was first detected (August 21) and was uniquely disguised as a Dora The Explorer game executable file to evade suspicion.

LokiBot, active since 2015, is a commodity malware known for harvesting credentials from web browsers, email clients, administrative tools, and cryptocurrency wallets. Originally developed and sold by a threat actor using the alias "lokistov" (also known as Carter) on hacking forums for prices up to $300, it later became available for under $80 in underground markets. This variant differed from earlier iterations by omitting steganography techniques previously used to conceal malicious code. Analysis revealed the same attacker IP address had been leveraged in prior campaigns, including a June 17, 2019 attack against a German bakery involving Chinese-language spam emails. The low volume of emails sent via this IP suggested its operators specialized in highly targeted attacks rather than broad distribution. The phishing emails exhibited linguistic irregularities indicative of non-native English composition, further aligning with historical patterns of limited-scale, precision-focused threat activity. Fortinet published technical indicators of compromise (IOCs) related to the campaign but disclosed no specific information regarding the victim company’s operational disruptions, data exfiltrated, or containment measures undertaken.
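The description above gives a defender three observable features of this campaign: a known sender IP, an RFQ-themed lure in the subject or attachment name, and a compressed attachment that unpacks to an executable. The following script, added here as an illustration and not part of Fortinet's write-up, scores constructed sample messages against those three features and flags a message only when at least two of them coincide, which keeps a lone "RFQ" in a legitimate quote request from tripping the filter. The message dictionary layout, the field names, the archive contents and the benign sample IPs are all assumptions made for the example; the watchlist IP is the one published on this page.

```python
"""
Added example (not Fortinet's code): triage filter for mail matching the
pattern described in the incident write-up. All sample messages below are
constructed for the demonstration.
"""
import io
import re
import zipfile

# IoC from the page (published defanged as 23[.]83[.]133[.]8); refanged for matching
WATCHLIST_IPS = {"23.83.133.8"}

# Lure vocabulary seen in the campaign; "urgent" on its own is noisy, so a
# match here only counts together with another signal
LURE_RE = re.compile(r"\b(rfq|request for quotation|urgent)\b", re.IGNORECASE)

ARCHIVE_EXT = (".zip",)
EXEC_EXT = (".exe", ".scr", ".pif", ".com")


def archive_has_executable(data: bytes) -> bool:
    """Return True if the zip archive lists at least one executable member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(EXEC_EXT) for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not a valid zip: treat as no evidence rather than as an error
        return False


def score_message(msg: dict) -> dict:
    """Collect the matching signals for one message; flag on two or more."""
    reasons = []
    if msg["sender_ip"] in WATCHLIST_IPS:
        reasons.append("sender_ip_on_watchlist")
    if LURE_RE.search(msg["subject"] + " " + msg["attachment_name"]):
        reasons.append("rfq_lure")
    if msg["attachment_name"].lower().endswith(ARCHIVE_EXT) and archive_has_executable(
        msg["attachment"]
    ):
        reasons.append("archive_contains_executable")
    return {"id": msg["id"], "reasons": reasons, "flag": len(reasons) >= 2}


def _build_zip(inner_name: str) -> bytes:
    """Build a small in-memory zip holding one placeholder member (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not a real binary")
    return buf.getvalue()


# Constructed sample messages (hypothetical field layout); the benign sender
# IPs are documentation-range addresses, not real infrastructure
SAMPLE_MESSAGES = [
    {
        "id": "m1",
        "sender_ip": "23.83.133.8",
        "subject": "Urgent RFQ - please quote",
        "attachment_name": "RFQ_attached.zip",
        "attachment": _build_zip("game.exe"),
    },
    {
        "id": "m2",
        "sender_ip": "198.51.100.7",
        "subject": "Quarterly newsletter",
        "attachment_name": "news.zip",
        "attachment": _build_zip("news.pdf"),
    },
    {
        "id": "m3",
        "sender_ip": "198.51.100.9",
        "subject": "RFQ for widgets",
        "attachment_name": "rfq.pdf",
        "attachment": b"%PDF-1.4 constructed stand-in",
    },
]


def triage(messages=SAMPLE_MESSAGES) -> list:
    """Score every message and return the results in input order."""
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for result in triage():
        print(result)
```

Only m1 is flagged: it carries the watchlisted sender, the RFQ lure and an archive wrapping an executable. m3 is a plausible real quote request with a PDF attached and matches the lure alone, so it stays unflagged; raising the threshold to two signals is the design choice that makes the lure regex usable at all on a sales mailbox.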
