Spearphishing Campaign Exploits COVID-19 To Spread Lokibot Infostealer


Level 85
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Researchers have discovered threat actors once again capitalizing on the COVID-19 pandemic and current attention on the World Health Organization (WHO) with a new spearphishing email designed to spread the LokiBot trojan sent using the WHO trademark as a lure.

Researchers at FortiGuard Labs on March 27 first observed the malicious COVID-19-themed scam, which claims to be from the WHO and attempts to address misinformation related to the pandemic to convince users it’s authentic. Instead, it sends an attachment that unleashes the infostealer LokiBot if downloaded and executed, according to a blog post published Thursday by threat analyst Val Saengphaibul.

“The body of the email contains multiple points about infection control and other suggestions and recommendations, which is obviously a lure to further compel the recipient to continue reading,” he wrote in the post. “And in a twisted fashion, the messaging pretends to address misinformation related to COVID-19/Coronavirus.”

While the message, written in English, has legitimate characteristics, the threat actors behind it likely do not speak English as a first language due to “some obvious grammatical, punctuation and spelling issues,” Saengphaibul pointed out.

The message also makes an obvious blunder by saying it is from the WHO Center for Disease Control, linking the Switzerland-based WHO to the U.S. Center for Disease Control (CDC)—two entirely separate organizations. Moreover, in the body of the message, the author uses the British spelling of Center, “Centre,” when referring to the CDC instead of the American spelling.

If a victim makes it this far, the email contains an attachment “COVID_19- WORLD HEALTH ORGANIZATION CDC_DOC.zip.arj” compressed file, which can be opened with 7-Zip. ARJ is a compression format for “creating highly efficient compressed archives” and is likely an evasion tactic on the part of the threat actors, Saengphaibul wrote.

“The attackers behind this latest attack likely hope that the ARJ format might allay the concerns of an unsuspecting victim about opening an unknown attachment, given that the populace has been trained to not open suspicious file extensions such as .exe,” he wrote.

If those receiving the message click on the attachment and decompress the file, it transforms to one that has a “DOC.pdf.exe” extension rather than the “Doc.zip.arj,” which could still fool users with “a lapse of judgment” or who don’t notice the new extension into clicking on it, Saengphaibul said.

If they do, the file infects the victim’s system with Lokibot, an infostealer that lifts a variety of credentials from the user’s system — including FTP credentials, stored email passwords, passwords stored in the browser and others, he said.
Last edited: