Lokibot Via Abusing The Ngrok Proxy Service

It looks like one of the criminal gangs behind some of the Lokibot campaigns has found a way to serve its malware almost undetected, or at least without any known host that can easily be taken down or blocked.
What they have done in this series of campaigns is abuse a new(ish) service, ngrok (https://ngrok.com/), which is essentially a reverse tunnel: the miscreant runs a web server on a home computer or server behind NAT, the ngrok client opens an outbound connection to ngrok's cloud, and ngrok hands out a random subdomain (here 8d2aef60.ngrok.io) that forwards every visitor straight back to that machine. The malware is effectively served from the cloud with no inbound firewall rule to open and no hosting account to take down, and the attacker's real IP address is never exposed to victims or researchers.

I can't see anything in their TOS prohibiting malware, phishing, scams etc., just a general ban on illegal material. There is no abuse-reporting facility easily available, just a standard contact email link. The ngrok service is hosted on Amazon AWS, so reporting to them is basically a waste of time: by the time they respond the malware has done its work and vanished, and the malware isn't actually stored on an Amazon server anyway; only the link or redirect to the malware passes through AWS.

It is somewhat difficult to work out how effective this campaign is, or how much the ngrok service gets abused or misused. Unfortunately the public version of VirusTotal doesn't show all subdomains, so you only see known malware from the main ngrok.io domain (https://www.virustotal.com/#/domain/ngrok.io), not the potentially thousands or even millions of subdomains. But it shows enough to know we potentially have a major problem on our hands if this so far little-known service starts being misused on a much more frequent basis.

It will be a very brave network IT admin who blocks Amazon AWS by IP range, and blocking the bare ngrok.io domain name rarely works effectively: the tunnels live on random subdomains (8d2aef60.ngrok.io in this case), so any DNS or proxy block has to match the whole *.ngrok.io suffix rather than the parent name alone, and it will also block any legitimate developer use of the service.

Not many ngrok.io URLs have been submitted to URLhaus (https://urlhaus.abuse.ch/browse.php?search=ngrok.io) either.


Screenshot: NGROK

Screenshot: Ngrok TOS

This particular campaign started with an email in Spanish pretending to come from a Spanish bank, BBVA Banco Continental, confirming a transfer. (As usual I don't speak or read Spanish with any degree of fluency, so I am relying on Google Translate for the information.)

BBVA Banco Continental has not been hacked or had its email or other servers compromised. They are not sending the emails to you. They are just innocent victims, in exactly the same way as every recipient of these emails.

Because of the way BBVA works, with numerous subsidiaries and branches in many countries worldwide, many using different names, it is easy to be misled by the sending email address.

Remember that many email clients, especially on a mobile phone or tablet, only show the name in the From: header and not the address in <domain.com>. That is why these scams and phishes work so well.

The email looks like:

From: BBVA Banco Continental <[email protected]>
Date: Tue 28/05/2019 01:30
Subject: BBVA-Confirming transferencia de pago
Translated BBVA-Confirming payment transfer
Attachment: Detalles de la transferencia de pago.xls

Body Content:

Muy querido señor:
Nos complace adjuntar la información relacionada con la transferencia de pagos a su favor.
Este mensaje se envía automáticamente desde BBVA como medio de información a través del correo electrónico proporcionado.
Reciban un cordial saludo.
Banco Bilbao Vizcaya Argentaria, S.A.
Por favor, no responda a este correo ya que este es un correo automatizado sólo para notificaciones. Si tiene cualquier pregunta o sugerencia puede ponerse en contacto con nosotros en:
• Teléfono: 919190297
• Fax: 919190341
• Email:[email protected]
Si usted es cliente de BBVA podrá operar y realizar consultas a través de www.bbvanetcash.com o www.bbvanetoffice.com. Si usted no es cliente de BBVA lo podrá realizar cómodamente a través de www.BBVAnetadvance.com.
________________________________________
Aviso Legal:
Este mensaje es solamente para la persona a la que va dirigido. Puede contener información confidencial o legalmente protegida. No hay renuncia a la confidencialidad o privilegio por cualquier transmisión mala/errónea. Si usted ha recibido este mensaje por error, le rogamos que borre de su sistema inmediatamente el mensaje así como todas sus copias, destruya todas las copias del mismo de su disco duro y notifique al remitente.

No debe, directa o indirectamente, usar, revelar, distribuir, imprimir o copiar ninguna de las partes de este mensaje si no es usted el destinatario. Cualquier opinión expresada en este mensaje proviene del remitente, excepto cuando el mensaje establezca lo contrario y el remitente esté autorizado para establecer que dichas opiniones provienen de GrupoBBVA. Nótese que el correo electrónico vía Internet no permite asegurar ni la confidencialidad de los mensajes que se transmiten ni la correcta recepción de los mismos.

En el caso de que el destinatario de este mensaje no consintiera la utilización del correo electrónico vía Internet, rogamos lo ponga en nuestro conocimiento de manera inmediata.
________________________________________

Translated:

Very dear sir:
We are pleased to attach the information related to the transfer of payments in your favor.
This message is automatically sent from BBVA as a means of information through the email provided.
Receive a warm greeting.
Banco Bilbao Vizcaya Argentaria, S.A.
Please do not respond to this email as this is an automated email only for notifications. If you have any question or suggestion you can contact us at:
• Telephone: 919190297
• Fax: 919190341
• Email: [email protected]
If you are a BBVA customer, you can operate and make inquiries through www.bbvanetcash.com or www.bbvanetoffice.com. If you are not a BBVA customer, you can do it comfortably through www.BBVAnetadvance.com.
________________________________________
Legal warning:
This message is only for the person to whom it is addressed. It may contain confidential or legally protected information. There is no waiver of confidentiality or privilege for any bad / erroneous transmission. If you have received this message in error, please delete the message as well as all copies of it from your system, destroy all copies of it from your hard drive and notify the sender.

You must not, directly or indirectly, use, disclose, distribute, print or copy any of the parts of this message if you are not the recipient. Any opinion expressed in this message comes from the sender, except when the message states otherwise and the sender is authorized to establish that such opinions come from GrupoBBVA. Note that electronic mail via Internet does not guarantee the confidentiality of the messages that are transmitted nor the correct reception of them.

In the event that the recipient of this message does not consent to the use of electronic mail via the Internet, please inform us immediately.
________________________________________

Screenshot: Fake BBVA email

Detalles de la transferencia de pago.xls
Current VirusTotal detections: https://www.virustotal.com/#/file/28f4be749eb30837ae4528af7350e9528d728e52a63f178ed9cff9f367383a6d/detection
This malicious XLS file downloads http://8d2aef60.ngrok.io/Both/lotta.exe (VirusTotal). Anyrun showed that the tunnel served an open directory listing, so I went digging and found these files (all are Lokibot):
http://8d2aef60.ngrok.io/boom/Banco%20Sabadell%20Prueba%20De%20Pago.exe
http://8d2aef60.ngrok.io/Both/lotta.exe
http://8d2aef60.ngrok.io/Both/taco.exe
http://8d2aef60.ngrok.io/mine/gutty.exe
I ran each through Anyrun:
https://app.any.run/tasks/0e537617-fadf-45b0-86a9-827be8be0ea2
https://app.any.run/tasks/2d0fa606-21d6-4330-a368-44194bc233dc
https://app.any.run/tasks/498bd83c-60d0-41d8-90ed-ad9b90576d8d
https://app.any.run/tasks/02c31df2-d07f-4ea3-b341-ab3f86880dda
and ended up with these C2 locations:
http://vbtz.cf/BOSCO/five/fre.php
http://khialimiab.ir/wp-includes/lolo/fre.php
http://treatascholars.com/wp-includes/danc/fre.php
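
A detection example for the points made so far (the random tunnel subdomains, why a block on the bare ngrok.io name achieves little, and the fre.php check-in path that the three C2s above share). This is added here and is not code from the original post or from any tool mentioned in it. The log format and the client IPs are constructed for the example; the malicious URLs are the ones found above. It flags requests to any *.ngrok.io subdomain with a suffix match (so ngrok.com and the bare ngrok.io are left alone), executables fetched over such a tunnel, and POSTs to a path ending in fre.php, which is how Lokibot checks in to its panel.

```python
from urllib.parse import urlsplit

# Suffixes used by tunnel services. Only *.ngrok.io appears in this campaign;
# extend the tuple for other providers as an organisation sees fit.
TUNNEL_SUFFIXES = (".ngrok.io",)
# Lokibot check-in path shared by the three C2 URLs found above.
C2_PATH_MARKERS = ("/fre.php",)
EXEC_EXT = (".exe", ".scr", ".pif", ".com")


def normalise_host(host):
    return (host or "").lower().rstrip(".")


def is_tunnel_host(host):
    """Suffix match: 8d2aef60.ngrok.io is a tunnel, the bare ngrok.io is not."""
    h = normalise_host(host)
    return any(h.endswith(s) for s in TUNNEL_SUFFIXES)


def blocked_by_exact(host, blocklist):
    """What a naive 'block ngrok.io' rule does: exact hostname comparison."""
    return normalise_host(host) in {normalise_host(b) for b in blocklist}


def blocked_by_suffix(host, blocklist):
    """What the rule has to do instead: match the domain and every subdomain."""
    h = normalise_host(host)
    return any(h == b or h.endswith("." + b)
               for b in (normalise_host(x) for x in blocklist))


def classify(method, url):
    """Reasons a single proxy request matches this campaign; empty list if none."""
    parts = urlsplit(url)
    host, path = normalise_host(parts.hostname), parts.path.lower()
    reasons = []
    if is_tunnel_host(host):
        reasons.append("ngrok tunnel host")
        if path.endswith(EXEC_EXT):
            reasons.append("executable fetched over tunnel")
    if method.upper() == "POST" and path.endswith(C2_PATH_MARKERS):
        reasons.append("POST to fre.php (Lokibot check-in pattern)")
    return reasons


# Constructed proxy log: "timestamp client method url". Clients and times are
# made up; the malicious URLs are the ones listed above.
SAMPLE_LOG = [
    "2019-05-28T01:52:10Z 10.0.0.23 GET http://8d2aef60.ngrok.io/Both/lotta.exe",
    "2019-05-28T01:52:15Z 10.0.0.23 GET http://8d2aef60.ngrok.io/boom/Banco%20Sabadell%20Prueba%20De%20Pago.exe",
    "2019-05-28T01:52:41Z 10.0.0.23 POST http://khialimiab.ir/wp-includes/lolo/fre.php",
    "2019-05-28T01:53:02Z 10.0.0.45 GET https://ngrok.com/docs",
    "2019-05-28T01:53:30Z 10.0.0.45 GET http://www.example.org/blog/fre.php",
    "2019-05-28T01:54:00Z 10.0.0.77 GET http://ngrok.io/",
]


def scan(lines):
    """Return (client, url, reasons) for every log line that matches."""
    hits = []
    for line in lines:
        _ts, client, method, url = line.split()
        reasons = classify(method, url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

Only POSTs to fre.php are flagged, because that is the direction the check-in traffic goes; a GET to a WordPress path that happens to end in fre.php is left alone to keep the noise down. Run over the sample, the three hits all come from the same client, which is the single infected host you would expect to see in a real proxy log.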
Email Headers:

IP             Hostname           Country  Organisation
82.223.71.217  expomaquinaria.es  ES       AS8560 1&1 Internet SE
127.0.0.1      Local IP (the Roundcube webmail front end handing the message to its own Postfix)

 

Received: from expomaquinaria.es ([82.223.71.217]:48447)
	by my email server with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.91)
	(envelope-from <[email protected]>)
	id 1hVQGO-0007v3-8z
	for [email protected]; Tue, 28 May 2019 01:46:48 +0100
Received: from webmail.expomaquinaria.es (36.71.223.82.arsystel.com [127.0.0.1])
	by 36.71.223.82.arsystel.com (Postfix) with ESMTPA id 5AFF820F799B;
	Tue, 28 May 2019 02:30:24 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=expomaquinaria.es;
	s=default; t=1559003425;
	bh=/58bSbSUOAJMtyDrnJFY/qXMQimNeeTCaWvSUi//TYY=; l=56499;
	h=From:To:Subject;
	b=tDa5BXEvS9ZQj3PMP4HDtgGHD2VaZjOmnIWIl2azv/ua5ftghfKEgZVtiB907Ah5t
	 Du2KOJhi+Q+lbHLUFrBbUHLDj5qVvjbqzvys+pIH1dolLV8GXaQ/EgGmKkRJq5bSaS
	 GMzYbHFu4T0p7Hyt9WHmo9EJeiX94itI98lNn5yw=
Authentication-Results: 36.71.223.82.arsystel.com;
        spf=pass (sender IP is 127.0.0.1) [email protected] smtp.helo=webmail.expomaquinaria.es
Received-SPF: pass (36.71.223.82.arsystel.com: connection is authenticated)
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="=_5db0f90dde33528c731871a31154012d"
Date: Tue, 28 May 2019 01:30:24 +0100
From: BBVA Banco Continental <[email protected]>
To: undisclosed-recipients:;
Subject: BBVA-Confirming transferencia de pago
In-Reply-To: <143074687.2634504.1558985760778.JavaMail.xpbrk01p@apgde001>
References: <143074687.2634504.1558985760778.JavaMail.xpbrk01p@apgde001>
Message-ID: <[email protected]>
X-Sender: [email protected]
User-Agent: Roundcube Webmail/1.2.7
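
What the headers above tell us, worked through in code. This is an added example, not the author's tooling or anything from the post: the Received chain is parsed with the Python standard library, the first public IP walking from the oldest hop is taken as the server that handed the mail to the outside world, an authenticated (ESMTPA) hop from 127.0.0.1 is read as a webmail submission, and a From: display name that claims a brand whose domains do not match the address domain is flagged. The header sample is constructed from the quoted headers, with the redacted mailbox names replaced by placeholders and my own receiving host substituted; the brand table is an assumption for the example, not a list of BBVA's real domains.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted above. Hosts, IPs and
# timestamps are copied from those headers; the mailbox names (redacted in the
# post) and the receiving host are placeholders.
SAMPLE_HEADERS = """\
Received: from expomaquinaria.es ([82.223.71.217]:48447)
\tby mx.example.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
\t(Exim 4.91)
\t(envelope-from <sender@expomaquinaria.es>)
\tid 1hVQGO-0007v3-8z
\tfor victim@example.net; Tue, 28 May 2019 01:46:48 +0100
Received: from webmail.expomaquinaria.es (36.71.223.82.arsystel.com [127.0.0.1])
\tby 36.71.223.82.arsystel.com (Postfix) with ESMTPA id 5AFF820F799B;
\tTue, 28 May 2019 02:30:24 +0200 (CEST)
Authentication-Results: 36.71.223.82.arsystel.com;
\tspf=pass (sender IP is 127.0.0.1) smtp.mailfrom=sender@expomaquinaria.es smtp.helo=webmail.expomaquinaria.es
From: BBVA Banco Continental <sender@expomaquinaria.es>
To: undisclosed-recipients:;
Subject: BBVA-Confirming transferencia de pago
User-Agent: Roundcube Webmail/1.2.7

"""

# Brand keyword in a display name -> domains that may legitimately use it.
# Assumed for the example; not a complete list of BBVA domains.
BRANDS = {"bbva": ("bbva.com", "bbva.es", "bbvanetcash.com")}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\bwith\s+ESMTPS?A\b", re.I)  # authenticated submission


def received_hops(msg):
    """Received headers oldest-first: the host that claimed to send, the IP
    the receiving MTA recorded in [brackets], and whether the hop was an
    authenticated submission (ESMTPA/ESMTPSA)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        flat = " ".join(raw.split())
        m_from, m_ip = re.match(r"from (\S+)", flat), IP_RE.search(flat)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "authenticated": bool(AUTH_RE.search(flat)),
        })
    return hops


def originating_ip(hops):
    """First globally routable IP walking from the oldest hop: the server that
    handed the message to the outside world."""
    for hop in hops:
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop["ip"]
    return None


def spoofed_brand(from_header, brands=BRANDS):
    """Return the brand keyword when the display name names a brand but the
    address domain is not one of that brand's domains, else None."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domains in brands.items():
        if brand in name.lower() and not any(
            domain == d or domain.endswith("." + d) for d in domains
        ):
            return brand
    return None


def analyse(raw_headers):
    msg = message_from_string(raw_headers)
    hops = received_hops(msg)
    auth_results = msg.get("Authentication-Results", "")
    return {
        "origin_ip": originating_ip(hops),
        # An authenticated hop from loopback is a webmail front end handing the
        # mail to its own MTA: someone logged in to a real mailbox there.
        "webmail_submission": any(
            h["authenticated"] and h["ip"] and ipaddress.ip_address(h["ip"]).is_loopback
            for h in hops
        ),
        "spf_pass": "spf=pass" in auth_results,
        "spoofed_brand": spoofed_brand(msg.get("From", "")),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

The combination is the tell: SPF and DKIM pass for expomaquinaria.es, the message was submitted through that company's own Roundcube webmail with a valid login, and the only thing that says BBVA is the display name. Nothing was forged at the protocol level; a mailbox at an innocent company was used, which is exactly why neither sender reputation nor authentication checks stop this mail.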

All the alleged senders, companies, names of employees, phone numbers, amounts, reference numbers etc. mentioned in the emails are innocent and have just been picked at random. Some of these companies will exist and some won't. Don't try to respond by phone or email; all you will do is end up bothering an innocent person or company whose details have been spoofed, picked at random from a long list the bad guys have previously harvested. The bad guys choose companies, government departments and other organisations, with subjects designed to entice or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

This email attachment contains what appears to be a genuine Word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that, when run, will infect you.
Modern versions of Microsoft Office, that is Office 2010, 2013, 2016 and Office 365, should be set to the higher security level automatically to protect you.

By default protected view is enabled and macros are disabled, UNLESS you or your company have changed those settings. If protected view is turned off and macros are enabled, then opening this malicious document will infect you. Previewing it in Windows Explorer or your email client does not run the macro, but preview handlers in older Office versions have had vulnerabilities of their own, so the safe habit is not to preview or open unexpected attachments at all. Definitely DO NOT follow the advice the document gives to enable macros or enable editing to see the content; that prompt is the attack.

Most of these malicious documents either appear to be totally blank or show only a banner telling you to enable content when opened in protected view, which should be the default in Office 2010, 2013, 2016 and 365. Some versions pretend to be protected by a digital RSA key and say you need to enable editing and macros to see the content. Do NOT enable macros or editing under any circumstances.

What Can Be Infected By This

At this time these malicious macros only infect Windows computers. They do not affect a Mac, iPhone, iPad, BlackBerry, Windows Phone or Android phone.

The malicious Word or Excel file can be opened on any device with an office program installed, and the macro could potentially run on Windows or Mac or any other device with Microsoft Office installed. BUT the malware the macro downloads is a Windows executable, so it will not install on or infect anything other than a Windows computer. You will not be infected if you do not have macros enabled in Excel or Word. These macros do not run in Office Online, and OpenOffice, LibreOffice, WordPerfect and the other programs that can read Word or Excel files will not run them with their default settings.

Please read our How to protect yourselves page (https://nftsgary.com/how-to-protect-yourself-and-tighten-security/) for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about Word macro malware and how to avoid being infected by it.

Be very careful with email attachments. All of these emails use social engineering (https://en.wikipedia.org/wiki/Social_engineering_(security)) tricks to persuade you to open the attachments that come with the email. It might be a simple message saying "look at this picture of me I took last night" that appears to come from a friend. It might be a scareware message that makes you open the attachment to see what you are accused of doing. Frequently it is more targeted at somebody (small companies etc.) who regularly receives PDF attachments, Word .doc attachments or any other common file used every day, for example an invoice addressed to [email protected].

The basic rule is NEVER open any attachment to an email unless you are expecting it. That is very easy to say but quite hard to put into practice, because we all get emails with files attached. Our friends and family love to send us pictures of themselves doing silly things, or cute pictures of the children or pets. Many of us routinely get Word, Excel or PowerPoint attachments in the course of work or from companies we already have a relationship with.

Never just blindly click on the file in your email program. Always save the file to your downloads folder so you can check it first. A lot of malicious files attached to emails have a faked extension, the letters after the last dot in the file name. Unfortunately Windows hides file extensions by default, so in Folder Options untick "Hide extensions for known file types". Then, when you unzip the zip file that is supposed to contain the pictures of "Sally's dog catching a ball", an invoice or receipt from some company, or the Word doc or Excel report that work has supposedly sent you to finish at the weekend, you can easily see whether it is a picture or document and not a malicious program. If you see .JS, .EXE, .COM, .PIF, .SCR, .HTA, .VBS, .WSF, .JSE or .JAR at the end of the file name, DO NOT click on it or try to open it; it will infect you.
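
The extension check described above, as an added example (not code from the original post). It applies the list of extensions given above, catches the double-extension trick the paragraph describes ("Sallys_dog.jpg.exe"), and goes a little beyond the text by also catching two other ways the real extension gets hidden: a run of spaces that pushes it out of the visible part of the name, and the Unicode right-to-left override character. It also points out macro-capable Office formats such as the .xls used in this campaign, which are not executables but must only ever be opened in protected view. The file names are constructed for the example apart from this campaign's attachment.

```python
import re

# Extensions the post says never to open from an email.
DANGEROUS_EXT = {".js", ".exe", ".com", ".pif", ".scr", ".hta",
                 ".vbs", ".wsf", ".jse", ".jar"}
# Office formats that can carry a VBA macro (.xls is this campaign's lure;
# the macro-enabled modern formats are added as a generalisation).
MACRO_CAPABLE_EXT = {".xls", ".xlsm", ".xlsb", ".xlt",
                     ".doc", ".docm", ".dot", ".ppt", ".pptm"}
# Harmless-looking extensions used as the visible half of a double extension.
DECOY_EXT = {".pdf", ".jpg", ".jpeg", ".png", ".gif", ".txt",
             ".doc", ".docx", ".xls", ".xlsx", ".zip"}
RLO = "\u202e"  # right-to-left override: reverses how the tail of a name is drawn


def extensions(name):
    """Every dotted extension in order, lower-cased and stripped of padding:
    'Sallys_dog.jpg.exe' -> ['.jpg', '.exe']."""
    parts = name.strip().split(".")
    return ["." + p.strip().lower() for p in parts[1:]]


def assess_filename(name):
    """Reasons an attachment name is deceptive or dangerous. [] means nothing
    suspicious about the name itself; the content may still be malicious."""
    reasons = []
    exts = extensions(name)
    real = exts[-1] if exts else ""
    if RLO in name:
        reasons.append("right-to-left override character hides the real extension")
    if real in DANGEROUS_EXT:
        reasons.append(f"executable type {real}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXT and real not in DECOY_EXT:
        reasons.append(f"double extension: shown as {exts[-2]}, really {real}")
    if re.search(r"\s{4,}\.\w+$", name):
        reasons.append("whitespace padding pushes the real extension out of view")
    if real in MACRO_CAPABLE_EXT:
        reasons.append(f"macro-capable Office file {real}: open only in protected view, never enable macros")
    return reasons


# Constructed names; the first is this campaign's attachment.
SAMPLE_NAMES = [
    "Detalles de la transferencia de pago.xls",
    "Sallys_dog.jpg.exe",
    "Invoice_2019-05.pdf                    .scr",
    "report.docx",
    "holiday.jpg",
]


def triage(names):
    """Map each name to its list of reasons."""
    return {n: assess_filename(n) for n in names}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_NAMES).items():
        print(repr(name), "->", reasons or "nothing suspicious in the name")
```

A clean result from this check only means the name is honest; the .xls in this campaign has a perfectly ordinary name and is still the infection vector, which is why it is reported as macro-capable rather than passed as safe.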

With these malformed Word, Excel and other Office documents that normally contain a VBA macro virus, the vital thing is not to open any Office document directly from your email client or the web. Always save the document to a safe location on your computer, normally your downloads or documents folder, and scan it with your antivirus. Many antivirus products do not detect VBA macro viruses in their real-time protection by default, and you need to enable document or Office protection in the settings. Do not rely on your antivirus to immediately detect the malware or malicious content. DO NOT enable editing mode or enable macros.

All modern versions of Word and the other Office programs, that is 2010, 2013, 2016 and 365, should open any Microsoft Office document (Word docs, Excel files, PowerPoint etc.) downloaded from the web or received in an email in "protected view", which stops embedded macros and other active content from running. Make sure protected view is enabled in all Office programs to protect you and your company from this sort of attack, and do not override it to edit the document until you are 100% sure it is safe. If the protected view bar appears when opening the document, DO NOT enable editing or macros; the document will look blank or show a warning message, but it will be safe.

Be aware that there are a lot of dodgy Word docs spreading that WILL infect you with no action on your part if you are still using an outdated or vulnerable version of Word: these exploit bugs in the document parser rather than relying on macros. This is a good reason to update your Office programs to a recent version and stop using Office 2003 and 2007. Many of us have continued to use older versions of Word and other Office programs because they are convenient, have the functions and settings we are used to, and we have never seen a need to update to the latest version. The risks of using an older version now seriously outweigh the convenience, benefits and cost savings of keeping an old version going.

I strongly urge you to update your Office software to the latest version and stop putting yourself at risk by using old, out-of-date software.

IOC:
http://vbtz.cf/BOSCO/five/fre.php
http://khialimiab.ir/wp-includes/lolo/fre.php
http://treatascholars.com/wp-includes/danc/fre.php
http://8d2aef60.ngrok.io/boom/Banco%20Sabadell%20Prueba%20De%20Pago.exe
http://8d2aef60.ngrok.io/Both/lotta.exe
http://8d2aef60.ngrok.io/Both/taco.exe
http://8d2aef60.ngrok.io/mine/gutty.exe
Main object- “Detalles de la transferencia de pago.xls”
sha256 28f4be749eb30837ae4528af7350e9528d728e52a63f178ed9cff9f367383a6d
sha1 ef9e761e57bb2cec574b3d4e8804eeb878f55f42
md5 ca02a3030dd507a0e29527f84448aed6
Dropped executable file
C:\Users\admin\AppData\Roaming\03B51E\EE03AE.exe
sha256 38e5b46c9fc0676d210eb6f5bac809ebc90ac8d421213dbc1dd67d61358edb73
DNS requests
domain 8d2aef60.ngrok.io
domain khialimiab.ir
Connections
ip 3.19.114.185
ip 185.55.225.242
HTTP/HTTPS requests
url http://8d2aef60.ngrok.io/Both/lotta.exe
url http://khialimiab.ir/wp-includes/lolo/fre.php