Seeing some changes to Lokibot with this malware delivery campaign overnight. I don’t know if it is a complete change to the C2 URL naming convention or whether it is only this particular actor using a different C2 URL naming convention. Generally with Lokibot the quickest & easiest way to identify it is the “fre.php” in the C2 URL. Today we are seeing “cat.php”. The delivery email with the subject of “Request For Invoice” pretending to come from [email protected] with a malicious Word doc attachment that contains an RTF exploit is typical of common malware delivery methods that are currently being used …
Article Link: https://myonlinesecurity.co.uk/lokibot-campaigns-continue-with-some-changes-to-c2-urls/