Threat Research

New Loki Variant Being Spread By Phishing Email

By Xiaopeng Zhang | November 15, 2018

FortiGuard Labs Breaking Threat Research 


A new phishing email was brought to the attention of the FortiGuard Labs team today. After a quick analysis, I found that it was spreading a new variant of the Loki malware. In this blog I will walk you through what it does.

Figure 1. The phishing email

You can see that the phishing email in Figure 1 contains an attachment named “Invoice 5001H5.iso”. The ISO file looks like an invoice file. The email body also says that the attachment is an invoice. These are common tricks used to convince a victim to open an infected attachment.

An ISO file is an image file that can be mounted as a virtual DVD drive by virtual DVD software such as “WinISO” or “PowerISO”, or opened by file archiver utilities such as “7Zip” and “Winzip”. Figure 2 shows the ISO file after it is opened in a file archiver. As you can see, there is an executable file loaded inside of it. 

Figure 2. ISO sample opened in a file archiver

Now that I have identified this file, I can extract it to a local disk for analysis. The executable file’s name is “Invoice 5001H5.exe”. Fortunately, the ISO file does not contain an autorun.inf file, which can automatically run any executable file once the ISO file is mounted as a virtual DVD drive. On Windows 10 and later versions, there is a built-in way to mount an ISO file as a virtual DVD drive by simply double-clicking on the ISO file.

“Invoice 5001H5.exe” file was developed using MS Visual Basic, and was newly compiled on November 14, 2018 at 12:27:07 AM (in my time zone). Figure 3 is a screenshot of the file in a PE tool.

Figure 3. The sample’s information in a PE tool

When the executable file runs it extracts a second executable into its memory and then runs that file. That extracted file is the main module of Loki. I did a quick comparison against a sample that I previously analyzed in 2017. I found it performs the exactly same jobs as the previous version, whose purpose was to steal software credentials from a victim’s Windows system. The targeted software can be classified as Browser software, IM software, FTP software, Game software, File Manager software, SSH/VNC Client software, Password Manager software, Email Client software and Notes/To-do List software. More details about Loki malware can be found in my previous blog.

The only new thing in this more recent variant is the URL of its C&C server, which is encrypted in its memory. Figure 4 shows the decrypted URL, which in this variant is “hxxp://”.

Figure 4. Decrypted URL of the C&C server

Figure 5 shows a screenshot of the Loki packet that reports to this C&C server, along with the software credentials stolen from my Windows testing system.

Figure 5. Send stolen credentials to its C&C server



"hxxp://" has been rated as Malicious Websites by the FortiGuard WebFilter service. “Invoice 5001H5.iso” and “Invoice 5001H5.exe” are detected as ”W32/LOKI.4D5D!tr.dldr” by the FortiGuard AntiVirus service.





Sample SHA256:

[Invoice 5001H5.iso]


 [Invoice 5001H5.exe]




New Loki Variant Being Spread via PDF File

Sign up for our weekly FortiGuard Threat Brief. Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolio.