Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Emerging Threat on TSPY_LOKI

    • Updated:
    • 24 Jul 2017
    • Product/Version:
    • Deep Security 10.0
    • Deep Security 10.1
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • Hosted Email Security 2.0
    • Hosted Email Security 3.0
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • InterScan Web Security Virtual Appliance 5.6
    • InterScan Web Security Virtual Appliance 6.0
    • OfficeScan 11.0
    • OfficeScan XG.All
    • ScanMail for Exchange 10.2
    • ScanMail for Exchange 11.0
    • ScanMail for Exchange 12.0
    • ScanMail for Lotus Domino 5.0 AIX
    • ScanMail for Lotus Domino 5.0 Windows
    • ScanMail for Lotus Domino 5.0 zLinux
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Worry-Free Business Security Standard/Advanced 9.5
    • Platform:
    • N/A N/A
Summary

TSPY_LOKI is a Spyware malware that can steal username and password. Some samples contain another malware (NEUREVT) that can be used to remotely execute backdoor commands. The malware arrives as an archived attachment or embedded on spammed document from a SPAM email. The SPAM Email utilizes Social Engineering Techniques to lure receivers into clicking and opening the malicious attachment.

TSPY_LOKI Infection Chain

Click image to enlarge

VSAPI Pattern (Malicious File Detection)

LayerPatternPattern branch/versionReleased date/time (GMT+8)
INFECTIONTSPY_LOKI.NIL13.483.006/21/2017
INFECTIONTSPY_LOKI.A12.245.001/1/2016

Web Reputation (Malicious URL’s and Classification)

CategoryURLRatingBlocking Date (GMT+8)
EXPOSUREhxxp://microintegratedservice{blocked}.com/kb/kboi/fre.phpC&C Server5/18/2017
EXPOSUREhxxp://{blocked}86.105.227.34/1/fre.phpC&C Server6/16/2017
EXPOSUREhxxp://guugle{blocked}.blackfriday/klinzxap/abgo/fre.phpC&C Server4/20/2017
EXPOSUREhxxp://barclays.microintegratedservice{blocked}.com/emmy/fre.phpC&C Server5/18/2017
EXPOSUREhxxp://rejoladhospital{blocked}.com/Denis/fre.phpC&C Server6/16/2017
EXPOSUREhxxp://iykelink{blocked}.ga/kunle/fre.phpC&C Server6/16/2017
EXPOSUREhxxp://microintegratedservice{blocked}.com/kb/kboi/fre.phpC&C Server5/18/2017
EXPOSUREhxxp://actorsmeetup{blocked}.info/macro/edit/sexxings/fre.phpC&C Server6/16/2017
EXPOSUREhxxp://baba102{blocked}.ga/baba102/fre.phpC&C Server6/16/2017
EXPOSUREhxxp://smpn9bogor{blocked}.sch.id/aa/Panel/five/fre.phpC&C Server6/16/2017
EXPOSUREhxxp://online-prodaja{blocked}.rs/tz/Panel/five/fre.phpC&C Server6/16/2017
EXPOSUREhxxp://a19tech{blocked}.com/images/Panel/five/fre.phpC&C Server6/16/2017
EXPOSUREhxxps://jibnd{blocked}.com/wp/wp-ups/wp_config/wp-files/fre.phpC&C Server6/16/2017
EXPOSUREhxxp://xurbotec{blocked}.com/kunavut/fre.phpC&C Server6/16/2017
EXPOSUREhxxp://brimstonetrading{blocked}.biz/e7/Panel/five/fre.phpC&C Server6/15/2017
EXPOSUREhxxp://microintegratedservice{blocked}.com/kb/kboi/fre.phpC&C Server5/18/2017
EXPOSUREhxxp://searchprioritysake{blocked}.info/apostle/contents/plugins/fre.phpC&C Server6/16/2017
EXPOSUREhxxp://southeasterncontractingco{blocked}.com/NG/TQAZ/fre.phpC&C Server6/16/2017
EXPOSUREhxxp://nightblazedepor{blocked}.info/language/encode/en/fre.phpC&C Server6/16/2017
EXPOSUREhxxp://zaqxswng{blocked}.com/dm/fre.phpC&C Server6/16/2017
EXPOSUREhxxp://{blocked}192.99.2.94/~drholzgm/mm/Panel/five/fre.phpC&C Server6/16/2017
EXPOSUREhxxp://{blocked}84.38.129.125/donbig/fre.phpC&C Server6/16/2017

Antispam Pattern

LayerDetectionPattern branch/versionReleased date/time (GMT+8)
ARRIVALSpam MailAS31326/15/2017

Aegis Pattern (Behavior Monitoring Pattern)

LayerDetectionPattern branch/versionReleased date/time (GMT+8)
AEGIS2947TTMTD 16797/12/2017
 
Make sure to always use the latest pattern available to detect the old and new variants of TSPY_LOKI.
Details
Public

Solution Map - What should customers do?

Major ProductsVersionsVirus PatternBehavior MonitoringWeb ReputationDCT PatternAntispam PatternNetwork Pattern
OfficeScan11 SP1 above






Update Pattern via web console
Update Pattern via Web console








Enable Web Reputation Service*




Update Pattern via web console



Not Applicable

Update Pattern via web console
Worry-Free Business SuiteStandard
Not Applicable
Advanced/MSAUpdate Pattern via web console
Hosted
Deep Security8.0 and above





Not Applicable
Update Pattern via web consoleNot ApplicableUpdate Pattern via web console
ScanMailSMEX 10 and later


Not Applicable


Update Pattern via Web console


Not Applicable
SMD 5 and later
InterScan MessagingIMSVA 8.0 and above
InterScan WebIWSVA 6.0 and later
Deep DiscoveryDDI 3.0 and laterNot ApplicableUpdate Pattern via web console

Recommendations

Threat Report

Premium
Internal
Rating:
Category:
SPEC
Solution Id:
1117830
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.