
LOLSnif

Posted: August 6, 2020

Usually, one of two things happens when a well-known malware family's source code leaks online. The project may die, because security researchers can now dissect every line of its code, or the code becomes a favorite tool of low-skilled cybercriminals, who use the ready-made code base to craft their own variants. The latter scenario gave birth to LOLSnif, a newly identified malware sample based on the infamous Ursnif banking Trojan (also tracked as Gozi/ISFB), whose leaked source code has circulated for years. The new threat was actively distributed at the beginning of July 2020, and its operators appear to rely on phishing emails to deliver the payload to their victims.

LOLSnif's Propagation Was Carried Out via Phishing Emails

The most extensive email campaign linked to the propagation of LOLSnif used password-protected ZIP archives so that mail-gateway scanners could not inspect the payload: the password needed to open the archive was supplied in the email itself. Attackers commonly use this trick because it also makes the message look more legitimate. After all, why would a criminal make their malware harder to open? Unfortunately for the recipients, the infection can start as soon as they open the archive and review its contents. The loader component is a '.js' (JavaScript) file whose name is chosen to look like a PowerPoint presentation. Once the file is opened, the Windows Script Host executes it; the script initializes the attack and begins deploying LOLSnif's components.
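The delivery chain described above, a password-protected ZIP wrapping a script named like a presentation, can be flagged by a mail gateway from the archive's headers alone, before anyone types the password, because the ZIP central directory (entry names and the encryption flag bit) is never encrypted. The following Python script is an added example, not code from the original page or from the LOLSnif analysis: the file names, tag names and the inert sample script body are constructed for illustration, and `build_zip` is a hand-rolled test fixture that only sets the ZIP encryption flag rather than actually encrypting anything.

```python
import io
import os
import re
import struct
import zipfile
import zlib

# Loader/script extensions that an "office document" attachment should never carry.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1", ".lnk"}
# A document extension left in the file stem, e.g. the ".pptx" in "Q3_presentation.pptx.js".
DOC_EXT_IN_STEM = re.compile(r"\.(pptx?|pps|docx?|xlsx?|pdf|rtf)$", re.IGNORECASE)
# Words that make a script name read like a harmless document.
DOC_WORDS = re.compile(r"presentation|slides?|report|invoice|document|scan", re.IGNORECASE)
ENCRYPTED_FLAG = 0x0001  # ZIP general-purpose bit 0: the entry is encrypted


def inspect_zip(blob):
    """Return (entry name, tag) findings for a ZIP attachment held in memory.

    Tags: "encrypted" (password-protected entry), "script" (loader-type extension),
    "lookalike-name" (script named to look like a document). Only the central
    directory is parsed, so this works on password-protected archives too.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            base = zi.filename.rsplit("/", 1)[-1]
            stem, ext = os.path.splitext(base)
            if zi.flag_bits & ENCRYPTED_FLAG:
                findings.append((zi.filename, "encrypted"))
            if ext.lower() in SCRIPT_EXTS:
                findings.append((zi.filename, "script"))
                if DOC_EXT_IN_STEM.search(stem) or DOC_WORDS.search(stem):
                    findings.append((zi.filename, "lookalike-name"))
    return findings


def verdict(blob):
    """Collapse findings into a gateway decision: block / suspicious / review / clean."""
    tags = {tag for _, tag in inspect_zip(blob)}
    if "encrypted" in tags and "script" in tags:
        return "block"        # the LOLSnif pattern: password-protected ZIP wrapping a script
    if "script" in tags:
        return "suspicious"   # script in an archive, but at least readable by a sandbox
    if "encrypted" in tags:
        return "review"       # encrypted documents are sometimes legitimate
    return "clean"


def build_zip(entries, encrypted=False):
    """Constructed test fixture: build a minimal 'stored' ZIP in memory.

    entries is a list of (name, data). With encrypted=True the general-purpose
    encryption bit is set in every header so the archive *looks* password-protected
    to a parser; the bodies stay in cleartext because the checks above never read
    them. This is not a real encryption routine.
    """
    flag = ENCRYPTED_FLAG if encrypted else 0
    buf = io.BytesIO()
    central = []
    for name, data in entries:
        nb = name.encode("utf-8")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = buf.tell()
        # Local file header: sig, version, flags, method, time, date, crc, csize, usize, name len, extra len
        buf.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 0x21,
                              crc, len(data), len(data), len(nb), 0))
        buf.write(nb)
        buf.write(data)
        # Central directory record for the same entry (extra/comment/attributes all zero)
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, 0, 0, 0x21,
                                   crc, len(data), len(data), len(nb), 0, 0, 0, 0, 0, offset) + nb)
    cd_start = buf.tell()
    for record in central:
        buf.write(record)
    cd_size = buf.tell() - cd_start
    # End of central directory: sig, disk, cd disk, entries here, entries total, cd size, cd offset, comment len
    buf.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(central), len(central), cd_size, cd_start, 0))
    return buf.getvalue()


# Constructed stand-in for the loader script; it is inert and only gives the entry a body.
SAMPLE_JS = b"// constructed placeholder, not malware\nWScript.Echo('hello');\n"

if __name__ == "__main__":
    lure = build_zip([("Q3_presentation.pptx.js", SAMPLE_JS)], encrypted=True)
    for name, tag in inspect_zip(lure):
        print(f"{tag:15} {name}")
    print("verdict:", verdict(lure))
```

Run as-is, the script prints the three findings for the constructed lure and a verdict of "block". The important design choice is that nothing here depends on the archive password: a gateway that waits for a password before deciding will pass the attachment through, whereas entry names and the encryption flag are always readable. An encrypted archive that contains only documents is returned as "review" rather than blocked, since some organizations exchange password-protected documents legitimately.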

Malware researchers report that LOLSnif's code still contains a Domain Generation Algorithm (DGA) routine, but it is unfinished and never invoked. Even so, LOLSnif does not depend on a single hardcoded Command and Control (C2) server; the operators instead spread the C2 connection across a wide range of domain names, so blocking one domain does not cut the implant off.

Notably, LOLSnif's feature set has been reworked, and it no longer behaves like the Ursnif banking Trojan it was derived from. Instead, LOLSnif focuses on reconnaissance of the compromised system and on downloading additional malware components onto it. In the analyzed campaign, the cybercriminals followed up with a cracked version of the Cobalt Strike post-exploitation framework and a modified variant of a popular VNC (Virtual Network Computing) client, which gives them interactive remote access to the victim's desktop.
