Microsoft has discovered a new phishing campaign that uses COVID-19 lures to target companies with the well-known information stealer LokiBot.

Microsoft has discovered a new COVID-19-themed phishing campaign that targets companies with the LokiBot Trojan.

LokiBot has already been used in coronavirus-themed campaigns. In early April, security experts from FortiGuard Labs discovered phishing attacks using alleged messages from the World Health Organization (WHO) to distribute the LokiBot Trojan.

The COVID-19-themed phishing campaigns recently observed by Microsoft used subject lines such as “BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020”.

“Recent campaigns involving Lokibot, one of the first malware families to use COVID-19 bait, show a slight shift in tone reflecting current conversations, with stories like ‘BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020’.”

Microsoft Security Intelligence Service (@MsftSecIntel), May 2020

LokiBot is an information stealer that can collect information from dozens of different web browsers, access browsing data, locate credentials for more than 15 different email and file transfer clients, and check for popular remote management tools such as SSH, VNC and RDP.

In one of the phishing campaigns observed by Microsoft, cybercriminals pose as representatives of the Centers for Disease Control and Prevention (CDC). The messages promise an update on the COVID-19 pandemic and a new 2020 business continuity plan.

Another campaign uses messages that claim to come from vendors and ask for updated bank details so that payments can be processed because of the COVID-19 lockdown.

Messages in both campaigns use ARJ attachments that contain malicious executables disguised as PDF files.

The choice of password-protected ARJ files is intended to bypass certain security solutions. Once the attachment is opened, the infection process starts and ends with the delivery of the LokiBot Trojan.
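A gateway-side check for the attachments described above, as an added example (not Microsoft's detection logic and not part of the original article): ARJ password protection encrypts member data but leaves member names in the headers readable, so executable members can be flagged without the password. The extension list, the function names and the sample bytes are assumptions constructed for illustration; the article does not say how the executables were disguised.

```python
import struct

ARJ_MAGIC = b"\x60\xea"          # header id 0xEA60, little-endian
GARBLED = 0x01                   # ARJ flag bit: member data is password-protected
RISKY_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")  # assumed policy list

def arj_members(data):
    """Return [(name, garbled)] read from ARJ file headers; no password needed."""
    members, pos, is_main = [], 0, True
    while data[pos:pos + 2] == ARJ_MAGIC and pos + 4 <= len(data):
        (basic_size,) = struct.unpack_from("<H", data, pos + 2)
        if basic_size == 0:                      # end-of-archive marker
            break
        hdr = data[pos + 4:pos + 4 + basic_size]
        if len(hdr) < basic_size or basic_size < 30:
            raise ValueError("truncated ARJ header")
        first_size, flags = hdr[0], hdr[4]
        (comp_size,) = struct.unpack_from("<I", hdr, 12)
        name = hdr[first_size:].split(b"\0", 1)[0].decode("latin-1")
        pos += 4 + basic_size + 4                # header plus 32-bit header CRC
        while True:                              # skip optional extended headers
            (ext,) = struct.unpack_from("<H", data, pos)
            pos += 2
            if ext == 0:
                break
            pos += ext + 4
        if not is_main:                          # first header describes the archive itself
            members.append((name, bool(flags & GARBLED)))
            pos += comp_size                     # jump over the (possibly encrypted) data
        is_main = False
    return members

def triage(data):
    """Return executable members; a garbled one could not have been content-scanned."""
    return [(n, g) for n, g in arj_members(data) if n.lower().endswith(RISKY_EXT)]

def build_header(name, flags=0, payload=b""):
    # Builds one header for the constructed sample below (CRC fields left as zero).
    fixed = struct.pack("<BBBBBBBBIIIIHHH", 30, 11, 1, 0, flags, 0, 0, 0, 0,
                        len(payload), len(payload), 0, 0, 0, 0)
    body = fixed + name.encode() + b"\0" + b"\0"     # file name, then empty comment
    return ARJ_MAGIC + struct.pack("<H", len(body)) + body + b"\0" * 6 + payload

# Constructed sample, not taken from the campaign: one encrypted EXE, one plain text file.
SAMPLE = (build_header("sample.arj") + build_header("plan.pdf.exe", GARBLED, b"\x99" * 64)
          + build_header("readme.txt", 0, b"hello") + ARJ_MAGIC + b"\0\0")
```

`triage(SAMPLE)` returns the encrypted `plan.pdf.exe` entry only; input that does not start with the ARJ header id yields an empty list.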

Microsoft noted that the machine learning algorithms in Microsoft Threat Protection were able to detect the campaign and that Microsoft users are automatically protected by Microsoft Defender.

“Microsoft Defender’s advanced detection technologies, including behavioral and machine learning, immediately began to block this attack. We used a more in-depth analysis of the blocked attacks, which allowed us to define a full campaign in detail,” says Tanmay Ganacharya, director of security research at Microsoft Threat Protection.

“We see many advantages in using machine learning and we are in a unique position here at Microsoft because of the quality and variety of the 8.2 trillion signals we process every day with the Microsoft Intelligent Security Graph.”

Pierluigi Paganini

(Security service – COVID-19, hacking)