
Spammers Smuggle LokiBot Via URL Obfuscation Tactic
2020-10-01 16:16

Spammers have started using a tricky URL obfuscation technique that sidesteps detection - and ultimately infects victims with the LokiBot trojan.

When the PowerPoint file is opened, the document attempts to access a URL via a Windows binary, and this leads to various malware being installed onto the system.

A semantic URL attack is one in which a client manually adjusts the parameters of its request while keeping the URL's syntax valid, but altering its semantic meaning.

In this specific campaign, the URL relies on the URL-shortening service offered by Bit.ly and leads to Pastebin, a website that lets users share plain text through public posts called "Pastes." Both URL-shortening services and Pastebin are commonly leveraged by cybercriminals, so to avoid having the link characterized as a short URL and to evade detection signatures, the attackers repeatedly place a randomized short string in the userinfo portion of the URL. Because userinfo is not required to reach the resource, it is ignored when the URL is accessed; at face value the URL does not look shortened, yet it still redirects users to Pastebin despite the security gates in place.
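The following is an added example, not code from the article or from the researchers it cites, showing how a filtering step can see through the userinfo trick: the URL is normalized by dropping the userinfo component before the host is matched against a shortener list. The shortener host list and the sample URLs are constructed for the example.

```python
"""Detecting shortener links hidden behind a throwaway userinfo component.

Added example (not from the article). A URL such as https://<random>@bit.ly/<id>
is still a bit.ly link: browsers and most HTTP clients ignore the userinfo part
for http(s), so a naive prefix match on "https://bit.ly/" misses it. Stripping
userinfo before matching closes that gap.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed list of shortener hosts for the example; a real deployment
# would use a maintained list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}


def strip_userinfo(url: str) -> Tuple[str, Optional[str]]:
    """Return (normalized_url, userinfo), where userinfo is the 'user:pass' text before '@'."""
    parts = urlsplit(url)
    userinfo = None
    netloc = parts.netloc
    if "@" in netloc:
        # rsplit: the userinfo itself may legally contain '@' when percent-encoding is sloppy
        userinfo, netloc = netloc.rsplit("@", 1)
    normalized = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return normalized, userinfo


def classify_url(url: str) -> dict:
    """Flag URLs that carry a userinfo component and/or resolve to a known shortener host."""
    normalized, userinfo = strip_userinfo(url)
    host = (urlsplit(normalized).hostname or "").lower()
    is_shortener = host in SHORTENER_HOSTS
    return {
        "normalized": normalized,
        "has_userinfo": userinfo is not None,
        "is_shortener": is_shortener,
        # Userinfo placed in front of a shortener host is the pattern described above.
        "suspicious": userinfo is not None and is_shortener,
    }


if __name__ == "__main__":
    # Constructed sample URLs, not indicators from the article.
    for u in ["https://x7qk2@bit.ly/3abcXYZ", "https://bit.ly/3abcXYZ", "https://example.com/page"]:
        print(u, classify_url(u))
```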

Finally, the last URL in the chain serves an obfuscated LokiBot malware sample, which is injected into a legitimate process by the aforementioned DLL injector.


News URL

https://threatpost.com/lokibot-url-obfuscation/159729/