{"id":128,"date":"2022-01-20T17:10:16","date_gmt":"2022-01-20T17:10:16","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=128"},"modified":"2022-01-20T17:10:16","modified_gmt":"2022-01-20T17:10:16","slug":"lokibot-in-latin-america","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2022\/01\/20\/lokibot-in-latin-america\/","title":{"rendered":"Lokibot in Latin America"},"content":{"rendered":"

Overview<\/h1>\n

The following post describes the identified TTPs and IOCs of a campaign analyzed by SCILabs, that is distributing Lokibot<\/a> in LATAM. It was identified by SCILabs while conducting a threat hunting during the third week of September. The pretext of the campaign is related to urgent financial issues such as: invoices, payment vouchers, payment notices, price quotes, payment details, and more. In this post, the respective IOCs will be provided to protect organizations.<\/p>\n

The investigation did not obtain further details on how this campaign is delivered; however, SCILabs considers the use of email phishing as the top threat vector<\/a> with a medium confidence level. After analyzing the campaign and the artifact, SCILabs determined with high confidence that the attacker’s general objective is to steal confidential information from the victims, <\/strong>as the trojan features are profiled to steal cryptocurrency wallets, usernames, passwords, and other credentials. It is important to mention that the cybercriminal infrastructure seems to be intermittently active on demand or when they launch a campaign.<\/p>\n

Finally, it is important to mention that the campaign has begun to accelerate its pace. Since, during the first half of the year, only 2<\/a> attacks<\/a>\u00a0were observed with the same characteristics, one in Mexico and the other in Peru. However, during the last 2 months a notable increase in attacks with the same characteristics has been observed in the region. Although it is not known who the campaign is targeting, SCILabs determined with medium confidence that the campaign is aimed at ordinary users but has the potential to start targeting various institutions to obtain confidential information from them. Additionally, with the intelligence of SCILabs and information obtained from public and private sources, it is possible to determine that the campaign impersonates financial sector institutions to give credibility to the phishing pretext.<\/p>\n

SCILabs will continue to analyze similar attacks as no key elements have been observed, such as the initial access method, lateral movements, or any other essential feature, which allows profiling cybercriminals and raising the level of confidence about the similarities between other campaigns and the attack analyzed throughout this post.<\/p>\n

How could it affect an organization?<\/h1>\n

The campaign can affect the confidentiality of the company\u2019s information because Lokibot\u2019s main purpose is to steal sensitive information, so there is no guarantee that information assets will be protected from unauthorized viewing, data leakage, or intrusion into organization systems.<\/p>\n

Analysis<\/h1>\n

Threat Context<\/h2>\n

\u00a0<\/strong>The artifact was detected through a threat hunt. Its specifications can be found below:<\/p>\n