LokiBot and Jigsaw tandem spreads via new malspam campaign

New LokiBot banking Trojan campaign pushes Jigsaw ransomware payload

LokiBot trojan spreads Jigsaw. The LokiBot info stealer is a hybrid Trojan that exhibits ransomware traits.

The latest version of the information-stealing trojan LokiBot[1] now delivers a new variant of Jigsaw ransomware[2], researchers from MalwareHunterTeam[3] reported on 1 May 2020. LokiBot is an old and well-known banking malware that stands out from the crowd because it mixes the traits of a Trojan with those of ransomware.

In the Android variant, where this behaviour was documented, the ransomware stage is triggered automatically when the owner of the infected device attempts to remove the malware. The trojan carries a built-in command, Go_Crypt, which once activated tears down the banking module and uses AES to encrypt (or, because of a bug in the implementation, merely rename) files on the device's SD card. LokiBot then displays a fake FBI lock screen that accuses the victim of viewing child pornography[4] and demands $70 or $100 in Bitcoin to avoid prosecution. The Windows build distributed in the campaign described here does not carry that module; instead it fetches ransomware as a separate payload, as described below.

The latest LokiBot and Jigsaw tandem is slightly different. As in previous campaigns, the new strain is distributed by mass malspam sent from bots: fictitious invoices, transfers, order confirmations and similar documents arrive as Excel spreadsheets (wift.xlsx, orders.xlsx, Invoice For Payment.xlsx, Inquiry.xlsx). The attachments exploit the Microsoft Office Equation Editor vulnerability CVE-2017-11882[5], so the trojan runs as soon as the potential victim opens the spreadsheet in an unpatched Office; no macro prompt or other consent is involved.

However, this time LokiBot does not wait for victims to try to remove it. The trojan launches the cjjjjjjjjjjjjjjjjjjj.exe executable and starts scanning the system for sensitive information. Once it has harvested passwords, logins, banking details and other credentials, it connects to its remote server and downloads Jigsaw ransomware. When that payload is run, all personal files on the victim's device receive a .zemblax file extension and can no longer be opened.

Jigsaw ransomware can be decrypted

Jigsaw ransomware was extremely active in 2016. Over a one-year span its developers released more than 45 distinct versions and attacked thousands of people in England, Turkey, Germany, Spain, Portugal and Vietnam.

In terms of programming, Jigsaw is not the most sophisticated ransomware. It does not deviate much from other viruses in this class: it uses AES to lock files and appends a specific file extension, drops a ransom note, and changes the desktop background to characters from films such as Saw, Jigsaw and Hitman. Typically it demands a $150 ransom in Bitcoin within 24 hours.

One thing, however, does make Jigsaw stand out. Once it has locked the files, it starts a 24-hour timer and deletes a portion of the encrypted data each time the deadline passes without payment. Ending the process stops the timer, and it must be ended before any normal reboot, because Jigsaw restarts with Windows and deletes further files when it is relaunched. According to researchers, the deletions can be prevented as follows:

  • Find the drpbx.exe process in Task Manager and end it;
  • Restart the system into Safe Mode and run a full anti-malware scan to remove both LokiBot and Jigsaw;
  • Use the free Jigsaw decryption tool[6] to restore the encrypted files.
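The indicators the article gives for this chain (the cjjjjjjjjjjjjjjjjjjj.exe dropper, the drpbx.exe Jigsaw process and the .zemblax extension) are enough to write a small host-triage script that supports the first step above and the later hand-off to the decryptor. The following is an added example, not code from the original article or from the researchers it cites; the process-creation events and the directory tree it works on are constructed for the example.

```python
"""Host triage for the LokiBot -> Jigsaw chain described above.

Added example, not code from the original article or the researchers it
cites. It relies only on indicators the article gives: the dropper process
name cjjjjjjjjjjjjjjjjjjj.exe, the Jigsaw process name drpbx.exe, and the
.zemblax extension on encrypted files. The process events and the directory
tree below are constructed for the example.
"""
import ntpath
import tempfile
from collections import Counter
from pathlib import Path

# Process image names the article associates with this campaign.
SUSPECT_PROCESSES = {"cjjjjjjjjjjjjjjjjjjj.exe", "drpbx.exe"}
# Extension Jigsaw appends in this campaign.
ENCRYPTED_EXT = ".zemblax"


def flag_process_events(events):
    """Return the events whose image name matches a suspect process.

    Each event is a dict with 'pid' and 'image' (full path); a simplified
    stand-in for a Sysmon Event ID 1 or Security 4688 record.
    """
    hits = []
    for ev in events:
        # ntpath splits backslash paths correctly even when run on Linux.
        name = ntpath.basename(ev["image"]).lower()
        if name in SUSPECT_PROCESSES:
            hits.append(ev)
    return hits


def count_encrypted_files(root):
    """Count files carrying the Jigsaw extension, grouped by directory under root.

    The matching files are the ones to hand to the decryptor; directories
    with many hits show how far the ransomware got before it was stopped.
    """
    root = Path(root)
    per_dir = Counter()
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() == ENCRYPTED_EXT:
            per_dir[str(path.parent.relative_to(root))] += 1
    return per_dir


def build_sample_tree():
    """Create a constructed directory tree mixing encrypted and untouched files."""
    root = Path(tempfile.mkdtemp(prefix="jigsaw_demo_"))
    (root / "Documents").mkdir()
    (root / "Pictures").mkdir()
    for name in ("report.docx.zemblax", "budget.xlsx.zemblax", "notes.txt"):
        (root / "Documents" / name).write_bytes(b"constructed")
    (root / "Pictures" / "holiday.jpg.zemblax").write_bytes(b"constructed")
    return str(root)


# Constructed process-creation events; the paths are illustrative only.
SAMPLE_EVENTS = [
    {"pid": 1204, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 3320, "image": r"C:\Users\victim\AppData\Local\Temp\cjjjjjjjjjjjjjjjjjjj.exe"},
    {"pid": 4412, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"pid": 5008, "image": r"C:\Users\victim\AppData\Local\Temp\drpbx.exe"},
]


if __name__ == "__main__":
    for ev in flag_process_events(SAMPLE_EVENTS):
        print("end this process first: pid=%d image=%s" % (ev["pid"], ev["image"]))
    tree = build_sample_tree()
    for directory, n in sorted(count_encrypted_files(tree).items()):
        print("%-12s %d encrypted file(s)" % (directory, n))
```

On the infected host, the equivalent of the first step is Task Manager or `taskkill /IM drpbx.exe /F`; run the file inventory only after the process is gone, so that the walk itself does not race against the deletion timer.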

Measures to prevent a LokiBot attack and how victims should react

LokiBot relies on malspam. From 2015 until now its operators have used no other delivery channel. Thus the best precaution against this info-stealer is to stay away from suspicious emails that carry attachments.

LokiBot can also arrive in attachments from compromised trusted senders, as in the 2019 campaign against a US manufacturing company. More often, though, the emails are poorly prepared, with many grammar and spelling mistakes left in.

One of the newer campaigns, launched at the beginning of this year, abused the Epic Games launcher[7]. Fortnite and other multiplayer gamers could easily fall for it because the email used the genuine Epic Games logo and other plausible details. The attached launcher, however, asks for the user's permission to run, which is usually a sign that the attachment is malicious.

Last but not least, the current LokiBot campaign. According to researchers, the emails are sent by bots using LCG Kit, a malicious document builder that exploits the old Microsoft Office vulnerability (delivered here through Excel files). The emails carry an Excel sheet, Inquiry.xlsx, with convincing import details: codes of the supposed products, weight, size, location, carrier information and so on. The victim is therefore unlikely to realise that a LokiBot payload has just been deployed.
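Because the lure is an .xlsx rather than a macro document, a mail gateway can triage it without rendering it: an .xlsx is an OOXML zip archive, and the CVE-2017-11882 exploit the article describes is carried inside the document as an embedded OLE object under xl/embeddings/. The following is an added example, not code from the original article or from any tool it names; both workbooks it inspects are constructed in memory, and the placeholder object contains only the OLE container header, not a real exploit.

```python
"""Attachment triage for the Excel lures described above.

Added example, not code from the original article or any tool it names. The
article says the lure spreadsheets (Inquiry.xlsx and similar) exploit the
Office Equation Editor flaw CVE-2017-11882, which is delivered inside the
document as an embedded OLE object. An .xlsx is an OOXML zip archive, so the
check opens it with zipfile, never with Excel, and reports embedded objects.
Both archives below are constructed in memory.
"""
import io
import zipfile

# Relationship type OOXML uses to link a sheet to an embedded OLE object.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Magic bytes of an OLE compound file (the container Equation Editor objects use).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def embedded_objects(xlsx_bytes):
    """Return (objects, rel_count) for a workbook given as bytes.

    objects: list of (part name, is_ole_container) for parts under xl/embeddings/.
    rel_count: number of oleObject relationships declared across all .rels parts.
    A file that is not a zip at all raises zipfile.BadZipFile, which for
    something claiming to be .xlsx is itself a reason to quarantine.
    """
    objects, rel_count = [], 0
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("xl/embeddings/"):
                data = zf.read(name)
                objects.append((name, data.startswith(OLE_MAGIC)))
            elif name.endswith(".rels"):
                rel_count += zf.read(name).decode("utf-8", "replace").count(OLE_REL)
    return objects, rel_count


def verdict(xlsx_bytes):
    """Quarantine any workbook that carries embedded objects; otherwise pass it on."""
    objects, rel_count = embedded_objects(xlsx_bytes)
    if objects or rel_count:
        return "quarantine: %d embedded object(s), %d oleObject relationship(s)" % (
            len(objects), rel_count)
    return "pass: no embedded objects"


def make_workbook(with_ole):
    """Build a constructed archive with the minimal shape of an .xlsx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_ole:
            # Placeholder OLE container: correct header, no real object inside.
            zf.writestr("xl/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 24)
            zf.writestr(
                "xl/worksheets/_rels/sheet1.xml.rels",
                '<Relationships><Relationship Id="rId1" Type="%s" '
                'Target="../embeddings/oleObject1.bin"/></Relationships>' % OLE_REL)
    return buf.getvalue()


if __name__ == "__main__":
    for label, wb in (("clean.xlsx", make_workbook(False)), ("Inquiry.xlsx", make_workbook(True))):
        print("%-13s %s" % (label, verdict(wb)))
```

This is a triage signal rather than a verdict: legitimate workbooks can embed objects too, and the check does not parse the OLE stream to confirm an Equation Editor object inside it. It is cheap enough, though, to route every externally received spreadsheet with an embedding to a sandbox instead of the user's inbox.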

To protect yourself from this and similar attacks, install operating system updates regularly and do the same for your applications; Microsoft patched the Office flaw used here in November 2017, so the attachment does nothing on a patched Office. Keep a reputable antivirus program with real-time protection enabled at all times and its virus definitions current. Finally, if you have doubts about an email with an attachment, do not open it without scanning it, and confirm with the sender that it is genuine through a channel other than replying to the email, since the sender's account may itself be compromised.

Windows and Android users who have been hit by LokiBot and the ransomware related to it are strongly advised to change the passwords of all important accounts immediately, from a device that is known to be clean. Also contact your bank or credit card issuer's fraud department to report the possible theft of credentials[8]; they can apply anti-fraud measures and tighten the protection of your account against unauthorized access.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
