Lokibot | BlackSquid | GoldBrute Botnet

Alert ID: JMCIRT-AL-2019.035
Alert Date: Friday, June 7, 2019
Threat Level: High

Lokibot Malspam Campaign
Original release date: June 6, 2019

Jamaica CIRT has become aware of a new campaign utilizing Lokibot masquerading as financial emails.

Overview
Lokibot is an information- and crypto-wallet-stealing Trojan that has been in continued use for several years. The initial infection vector is an email with the subject “Payment Sent:MT103 HSBC1228991306 Priority payment/Customer Ref:[5400096410D00117]”. The email masquerades as a confirmation notice for a transfer of funds and asks the victim to open the attachment it carries. The attachment is named “Transfer Copy.zip”, and inside the compressed file is “Transfer Copy.exe”, a known trait of this malware.

Recommendations
• Block all URL and IP based IOCs at the firewall, IDS, web gateways, routers or other perimeter-based devices.
• Use updated anti-virus and ensure your current vendor has coverage for this campaign.
• Search for existing signs of the indicated IOCs in your environment and email systems.
• Keep updated patches on all critical and non-critical systems.
• Never open unsolicited or unverified email attachments.


BlackSquid
Original release date: June 7, 2019

Jamaica CIRT has become aware of a new malware family labelled "BlackSquid".

Overview
This malware targets web servers, network drives, and removable drives. For defense, BlackSquid employs anti-virtualization, anti-debugging, and anti-sandboxing methods, and will abort its installation if it determines it is being examined. Usernames are checked against a list of common sandbox usernames, disk drive model names are compared to common virtual drive names, and the device driver names are also compared against a list of common names to determine if the infection should continue or not. For offense, it utilizes eight exploits, including EternalBlue and DoublePulsar, as well as dictionary attacks to gain access to its target. Once installed, it has the ability to propagate laterally within the network.

Recommendations
• Keep applications and operating systems running at the current released patch level
• Ensure anti-virus software and associated files are up to date
• Verify, through a separate channel, the legitimacy of any unsolicited email attachments - delete without opening if you cannot validate
• Search for existing signs of the indicated IoCs in your environment
• Block all URL and IP based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices


GoldBrute Botnet
Original release date: June 7, 2019

Jamaica CIRT has become aware of a botnet named GoldBrute currently attempting to brute-force credentials on Internet accessible RDP servers.

Overview
The number of servers the botnet is attempting to exploit is reportedly in the region of 1.5 million. If a server is successfully compromised, it downloads and installs the botnet code. The botnet is written in Java, and the required Java runtime is included in the botnet code download. The infected server communicates with the C&C server over an AES-encrypted websocket on port 8333 and then scans random IP addresses to locate further systems with exposed RDP services. A notable feature of the botnet is the way it distributes work across bots: each bot tries only one username and password combination per target system.
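
As an added illustration (not part of the original advisory), the following Python sketches a defender's detection for the one-attempt-per-bot behaviour described above: because each bot tries a single credential per target, per-source lockout thresholds never trip, so the check counts distinct source addresses producing failed RDP logons against each target within a time window. The log format, host names and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: failed RDP logons (e.g. Windows Event ID 4625, logon
# type 10) flattened into "timestamp target source username" records.
# rdp-host-1 is hit once each by five different sources (distributed pattern);
# rdp-host-2 is hit three times by the same source (classic pattern).
SAMPLE_LOG = """\
2019-06-07T10:00:01 rdp-host-1 198.51.100.10 administrator
2019-06-07T10:00:14 rdp-host-1 203.0.113.7 admin
2019-06-07T10:00:40 rdp-host-1 192.0.2.55 backup
2019-06-07T10:01:02 rdp-host-1 198.51.100.77 administrator
2019-06-07T10:01:30 rdp-host-1 203.0.113.200 test
2019-06-07T10:02:05 rdp-host-2 198.51.100.10 administrator
2019-06-07T10:02:50 rdp-host-2 198.51.100.10 administrator
2019-06-07T10:03:10 rdp-host-2 198.51.100.10 admin
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, target, source, user)."""
    records = []
    for line in text.splitlines():
        ts, target, source, user = line.split()
        records.append((datetime.fromisoformat(ts), target, source, user))
    return records


def distributed_bruteforce(records, window=timedelta(minutes=10), min_sources=5):
    """Return {target: distinct_sources} for every target that received failed
    logons from at least min_sources distinct addresses inside any window,
    regardless of how few attempts each individual address made."""
    by_target = defaultdict(list)
    for ts, target, source, _user in records:
        by_target[target].append((ts, source))
    flagged = {}
    for target, events in by_target.items():
        events.sort()  # chronological order so the window scan is correct
        for i, (start, _src) in enumerate(events):
            sources = {s for t, s in events[i:] if t - start <= window}
            if len(sources) >= min_sources:
                flagged[target] = max(flagged.get(target, 0), len(sources))
    return flagged


if __name__ == "__main__":
    print(distributed_bruteforce(parse_log(SAMPLE_LOG)))  # {'rdp-host-1': 5}
```

The per-source repeat against rdp-host-2 is deliberately not reported here; a normal lockout policy already covers it, while the single-attempt-per-source pattern against rdp-host-1 is the one that slips past such policies.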

Recommendations
• Ensure RDP is NOT open to the internet
• Ensure strong passwords are used for RDP service
• Keep applications and operating systems running at the current released patch level