Malware Authors now using Coronavirus to Push Lokibot Trojan on Unsuspecting Users
[Image: screenshot of the first email, which contains the Lokibot attachment]
Latest attacks prove there are no depths to which scammers won’t sink in order to steal from victims.
The Comodo Cyber Security research team recently discovered two opportunistic malware attacks which hope to take advantage of people’s fears and sympathies over the Coronavirus. The attacks use the classic method of spamming victims with an ostensibly trustworthy email containing malicious attachments and links. The first message reads “We are sorry for late response as our Holiday was extended due to the Corona Virus outbreak, as regards your la=t invoice, our account department has rejected payment for incorect accoun= information, please find attached your original invoice, double check and=send back for processing of payment”.
The attached ‘invoice’ is, of course, malware. In this case it is a banking trojan called ‘Lokibot’ which hoovers sensitive data such as usernames and passwords from the user’s browser. The second email has a Corona-related click-bait link which reads: “BREAKING NEWS: Military Source Exposes Shocking TRUTH About Coronavirus and the 1 thing You Must Do Before It’s TOO LATE”. Again, clicking the link causes the installation of the Lokibot malware.
As you’re undoubtedly aware by now, the Coronavirus is a deadly infection that is spreading fast around the world and has caused widespread public fear. Cybercriminals are trying to cash in on public interest in the virus by lacing the text of their phishing emails with Corona-related information.
The Loki emails contain a malicious attachment with the extension “.pdf.gz”. The attacker is obviously hoping people will assume it is a PDF and not notice the .gz extension. If the user opens the attachment, the file installs the Lokibot banking trojan. The trojan harvests sensitive information stored in internet browsers, including bank login details and other system information, which it then sends back to the malware authors.
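A mail-filter check for the “.pdf.gz” trick described above, as an added example that is not Comodo's code: it flags attachments whose name pairs a document extension with an archive extension, and for gzip files peeks at the first decompressed bytes to see whether the content really is a PDF. The function names, extension lists and sample message are assumptions made for illustration.

```python
import gzip
import io
import zlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}  # what the name suggests
WRAPPER_EXTS = {"gz", "zip", "rar", "7z", "iso", "img"}           # what the file really is
GZIP_MAGIC = b"\x1f\x8b"

def inspect_attachment(filename, data):
    """Return findings for one attachment; an empty list means nothing was flagged."""
    findings = []
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in WRAPPER_EXTS:
        findings.append("double-extension")
        if data[:2] == GZIP_MAGIC and parts[1] == "pdf":
            try:
                # Read only the first bytes: enough for a magic check, no full decompression.
                head = gzip.GzipFile(fileobj=io.BytesIO(data)).read(5)
            except (OSError, EOFError, zlib.error):
                findings.append("corrupt-gzip")
            else:
                if head != b"%PDF-":
                    findings.append("inner-not-pdf")
    return findings

def scan_message(raw_bytes):
    """Map each attachment filename in a raw RFC 5322 message to its findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    return {p.get_filename(): inspect_attachment(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_attachments() if p.get_filename()}

def build_sample():
    """Constructed test message: harmless placeholder bytes, gzipped, named like the lure."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("please find attached your original invoice")
    msg.add_attachment(gzip.compress(b"placeholder, not a PDF"), maintype="application",
                       subtype="gzip", filename="invoice.pdf.gz")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, findings in scan_message(build_sample()).items():
        print(name, findings or "ok")
```

A hit on "double-extension" alone is a reason to quarantine for review; "inner-not-pdf" means the archive's content contradicts its own name.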