Data Security

Hackers using Drake’s kiki do you love me to drop Lokibot malware

It is no surprise that hackers use songs as bait to spread malware, but their song choice is debatable. 

According to a report from cybersecurity firm AppRiver, a hacker going by the online handle of Master X is exploiting lyrics of Drake’s very popular song “In My feelings- Kiki Do You Love Me” to drop PowerPoint malware.

In their campaign, the hacker hides the lyrics in a PowerShell script and uses PowerPoint to spread two of the most malicious malware Azorult and Lokibot. The hacker then manually selects which malware is to be dropped on which user.

For your information, Azorult is a RAT (remote access Trojan) that can infect any computer successfully while Lokibot is a data-stealing malware. Azorult was previously found targeting thousands of Magneto sites and spreading PayPal themed banking malware

Lokibot, on the other hand, is capable of converting itself into full flagged ransomware. The malware was found targeting Android and using ISO image files to spread its infection.

According to AppRiver’s blog post, the PowerShell script has a reference to Drake’s song’s lyrics, and this is an email-based campaign where a user is asked to download a PowerPoint attachment, which is part of the email. This attachment is infected with either Lokibot or Azroult. 

AppRiver researchers also shared a sample of these infected emails. The email’s subject line indicates that it is a conventional Business Email Compromise (BEC) campaign. The subject line also contains a call to action, which reads “TT Remittance Advice.” The email generally has two PowerPoint attachments namely “INVOO13433361.pss” and “Blank slip.pss.”

Image credit: AppRiver

AppRiver’s security analyst David Pickett explained that when the recipient opens any of the two attachments, a “heavily obfuscated visual basic script” is automatically executed. This script uses a Windows-based Microsoft HTML application host dubbed “mashta.exe” to access a Bitly shortened link to disable all the security features of a browser. Mshta.exe is primarily used for executing HTML applications and also helps in running script on Windows OS.

Once the file is executed, the attacker is able to create a command line to kill Word or Excel if running, and access Pastebin to reach out to an encoded script. Basically, the attacker creates a “scheduled task” for mshta.exe to access Pastebin every 60 mins and the encoded script is retrieved to determine which malware is to be dropped on the device.

The Pastebin code is translated into a PowerShell command containing a reference to the abovementioned song’s lyrics. Interestingly, the hacker has spelled Kiki as Keke in the PowerShell script.

Image credit: AppRiver

“‘Master X’ also obfuscated the ‘DownloadString’ inside this PowerShell script below in another attempt to avoid defense solutions monitoring PowerShell activity,” AppRiver revealed.

Finally, the PowerShell script accesses to download the code for the executable Calc.exe. This file infects the targeted computer.

The prime targets of this campaign seem to be enterprises since the email is disguised as a corporate email. Whether this campaign has been successful or not, it is yet unclear but we do know that it hasn’t managed to infect a large number of computers as of now.

To Top

Pin It on Pinterest

Share This