| Name | Lokibot |
| --- | --- |
| Additional Names | Lokibot, Loki PWS, and Loki-bot |
| Type of Malware | Infostealer, trojan |
| Date of Initial Activity | 2015 |
| Motivation | Steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials |
| Attack Vectors | Phishing emails, malicious websites, SMS, and other messaging platforms |
| Targeted System | Windows and Android |
| Associated Groups | SilverTerrier Group |
Overview
LokiBot is a commodity infostealer for Windows. It harvests credentials from a variety of applications, web browsers, email clients, IT administration tools such as PuTTY, and more. LokiBot has been sold on hacking forums and is believed to have had its source code leaked, which has allowed a range of variants to appear.
It was first identified in 2015. According to Check Point Research, Loki malware has even been delivered preinstalled on Android devices. LokiBot is also offered as Malware-as-a-Service (MaaS) in two distinct versions: authentic versions are sold in underground markets starting at $300, while cracked versions sell for about $80.
In 2020, LokiBot's boost in activity saw it controlling the largest global botnet, and it was subsequently listed on CISA's 2021 list of the top 11 malware strains.
Targets
Lokibot is a widely used malware variant, especially after its source code was potentially leaked. This means that many cybercrime groups incorporate it and variants of it into their attacks.
With so many groups using it and Lokibot’s wide range of capabilities, it is not targeted at any specific industry or geographic location.
Tools / Techniques Used
Lokibot is modularized with many components that provide different features to the malware operator. The malware has been known to serve malicious ads to gain revenue and provide backdoor access to infected devices.
However, the primary purpose of Lokibot is to act as an infostealer. Once it has infected a device, it looks for applications that store login credentials, such as browsers or email programs, then steals those credentials and exfiltrates them to the attacker. Lokibot also includes keylogging functionality, enabling it to capture login credentials as the user enters them. LokiBot's strengths are its versatile and sophisticated delivery and unpacking methods.
During its lifespan, LokiBot has employed various sophisticated multi-stage techniques capable of evading advanced security products to gain initial access and deliver its primary payload.
Indicators
CISA developed the following Snort signature for detecting network activity associated with LokiBot.
alert tcp any any -> any $HTTP_PORTS (msg:"Lokibot:HTTP URI POST contains '/*/fre.php' post-infection"; flow:established,to_server; flowbits:isnotset,.tagged; content:"/fre.php"; http_uri; fast_pattern:only; urilen:<50,norm; content:"POST"; nocase; http_method; pcre:"/\/(?:alien|loky\d|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll\/NW|wrk|job|five\d?|donemy|animation\dkc|love|Masky|v\d|lifetn|Ben)\/fre\.php$/iU"; flowbits:set,.tagged; classtype:http-uri; metadata:service http; metadata:pattern HTTP-P001;)
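The signature's method, URI-length and path conditions, as an added example that is not part of the original page or of CISA's rule: a Python script that applies the same three checks to constructed proxy-log lines. The log format (method, host, URI per line) and the sample values are assumptions; the rule's flow state and flowbits are not modelled.

```python
import re

# Pattern copied from the pcre option of the CISA Snort signature:
# case-insensitive (/i) and anchored at the end of the URI ($).
FRE_PHP_RE = re.compile(
    r"/(?:alien|loky\d|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|"
    r"scroll/NW|wrk|job|five\d?|donemy|animation\dkc|love|Masky|v\d|lifetn|Ben)"
    r"/fre\.php$",
    re.IGNORECASE,
)


def matches_lokibot_checkin(method: str, uri: str) -> bool:
    """Return True when one HTTP request satisfies the rule's URI conditions.

    Mirrors content:"POST"; http_method, urilen:<50,norm, content:"/fre.php";
    http_uri and the pcre. Flow direction and flowbits are not modelled.
    """
    if method.upper() != "POST":          # content:"POST"; nocase; http_method
        return False
    if len(uri) >= 50:                    # urilen:<50,norm
        return False
    if "/fre.php" not in uri:             # content:"/fre.php"; http_uri
        return False
    return FRE_PHP_RE.search(uri) is not None


# Constructed sample proxy log (not real traffic): "<method> <host> <uri>".
# The last line is over the 50-byte URI limit and so must not alert.
SAMPLE_LOG = """\
POST 203.0.113.10 /alien/fre.php
GET 203.0.113.10 /alien/fre.php
POST 203.0.113.10 /loky1/fre.php
POST 203.0.113.10 /updates/fre.php
POST 203.0.113.10 /scroll/NW/fre.php
POST 203.0.113.10 /five/fre.php?session=0123456789012345678901234567890123456789
"""


def scan_log(log_text: str) -> list[str]:
    """Return the URIs of the log lines the signature logic would alert on."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:               # skip malformed lines
            continue
        method, _host, uri = parts
        if matches_lokibot_checkin(method, uri):
            hits.append(uri)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("ALERT Lokibot check-in:", hit)
```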
Impact / Significant Attacks
- February 2016: Researchers discovered the LokiBot Android Trojan infecting the core Android operating system processes.
- December 2016: Dr.Web researchers identified a new LokiBot variant targeting Android core libraries.
- March 2017: Check Point discovered LokiBot malware found pre-installed on Android devices.
- May 2017: Fortinet reported malicious actors using a PDF file to spread a new LokiBot variant capable of stealing credentials from more than 100 different software tools.
- October 2017: SfyLabs identified cyber actors using LokiBot as an Android banking trojan that turns into ransomware.
- February 2018: Trend Micro discovered CVE-2017-11882 being exploited in an attack that used the Windows Installer service to deliver LokiBot malware.
- April 2019: Netskope uncovered a phishing campaign using malicious email attachments with LokiBot malware to create backdoors onto infected Windows systems and steal sensitive information.
- June 2019: Netskope uncovered LokiBot being distributed in a malspam campaign using ISO image file attachments.
- August 2019: Trend Micro researchers reported LokiBot malware source code being hidden in image files spread as attachments in phishing emails.
- August 2019: FortiGuard SE researchers discovered a malspam campaign distributing LokiBot information-stealing payloads in a spearphishing attack on a U.S. manufacturing company.
- February 2020: Trend Micro identified cyber actors using LokiBot to impersonate a launcher for Fortnite, a popular video game.