Lokibot

Lokibot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still rather popular among cybercriminals.

Type: Stealer
Origin: ex-USSR territory
First seen: 3 May, 2015
Last seen: 17 January, 2020
Also known as: Loki, LokiPWS
Global rank: 3
Week rank: 3
Month rank: 3
IOCs: 8691

What is Lokibot malware?

Lokibot, also known as Loki-bot or Loki bot, is an information stealer that collects data from the most widely used web browsers, FTP clients, email clients and over a hundred other software tools installed on the infected machine. It was developed in one of the ex-USSR countries.

It was first seen on May 3rd, 2015, in a sale announcement posted by its creator, and the malware is still active to this day.

General description of Lokibot

Initially created and sold by a hacker known as "lokistov" or "Carter", the first versions of Lokibot spyware cost up to $400. However, soon afterwards almost identical malware started appearing on hacker forums, available for as little as $80 from a number of sellers. It is thought that "lokistov" himself was hacked and the source code of the virus was leaked, allowing others to build and sell extremely similar malware.

Curiously, a researcher subsequently found out that the first version of the virus had been patched by someone without access to the source code, which gave the hacker community the ability to configure their own set of domains for receiving the stolen data.

Even though several versions of the virus exist today, all of them have been found to be modifications of the original malware. Interestingly, the server to which Lokibot stealer sends data is unique to each particular malware sample.

Lokibot malware analysis

A video showing a simulation of the infection process, created with the ANY.RUN interactive malware hunting service, provides a good opportunity to see how the infection unfolds on a compromised machine. As shown in the simulation, Lokibot needs an email attachment, such as a Microsoft Office file or an archive, to be opened in order to enter its active phase.

Figure 1: Process graph generated by the ANY.RUN malware hunting service

The malware life cycle can be broken down to the following stages:

  • Contamination. The victim downloads an infected archive or a Microsoft Office file, which eventually downloads the malware;
  • Being packed initially, the keylogger unpacks itself and begins the execution of the main payload;
  • The virus creates a unique loop function for each application that it targets and saves the retrieved data into a buffer;
  • Then, a registry key is modified and the Trojan copies itself into a folder with a unique name under the %APPDATA% folder, which allows the virus to establish persistence. The MD5 hash of MachineGuid is used to generate the name, and the name also serves as a mutex and as the bot ID. As the last action of this step, the virus creates a registry key that points to the file it copied into that folder under %APPDATA%;
  • Then, depending on whether the current user is privileged or not, the virus sets persistence either under HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER;
  • Next, general system information is sent to the C&C server;
  • For persistence, the keylogger then applies triple DES encryption to the URL and the registry key;
  • After this, the virus starts waiting for commands from the C&C server, creating a new thread to detect the C&C response.

How to avoid infection by Lokibot?

Since Lokibot spyware requires macros to be enabled in order to infect the system, attackers will do everything in their power to make the victim enable them. Thus, keeping macros turned off is the best bet for staying protected from the Trojan. In particular, extra caution should be exercised when a document downloaded from a suspicious source or received from an unknown email address prompts the user to enable macros.

In addition, having antivirus software from trusted developers and always keeping it updated is a good way to decrease the probability of becoming the malware’s victim. Another good common practice is to be extremely mindful when opening attachments or clicking links in emails from unidentified sources.

Distribution of Lokibot

Lokibot stealer is distributed mostly via spam email campaigns that prompt the user to download an infected attachment. The three most commonly used file types are Microsoft Office documents configured to download and install the malware, archive files containing a Loki-Bot executable, and ISO files that also contain a Loki-Bot executable.

Lokibot execution process

An interactive sandbox simulation conducted on the ANY.RUN malware hunting service allows us to take a closer look at how the execution of Lokibot unfolds when a contaminated Microsoft Office file is the infection source.

  • The simulation starts with opening a Microsoft Office file. Immediately, WINWORD.EXE is executed with macros enabled.
  • Then, through exploitation of the CVE-2017-11882 vulnerability, Microsoft Office Equation Editor proceeds to download a malicious executable file;
  • Finally, the malicious executable runs and proceeds to steal personal data and connect to the C&C server.

Figure 2: Execution processes of Lokibot as shown by the ANY.RUN simulation

Figure 3: A text report created by ANY.RUN

The virus generates multiple artifacts during its execution. In particular, four types of files can be stored simultaneously in the hidden %APPDATA% directory at any point in time. Those files have the ".exe", ".lck", ".hdb" or ".kdb" extension, and each file type serves a specific purpose:

  • .exe files contain an executable copy of the Trojan that is triggered when a user logs into an account;
  • .lck files are generated in order to prevent resource conflicts when either Windows Credentials or keylogging data are decrypted;
  • .hdb files are used to store the hashes of all data samples already transmitted to the C&C server;
  • .kdb files are in turn used to hold information about the data that is yet to be sent to the server.

The keylogger uses the following algorithm to name the files:

  1. First, Lokibot takes the value of MachineGuid from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography. In the case of our simulation, it was set to dc5131b5-5fbc-4f85-b1ed-28d4392080ca.

[Screenshot: Lokibot mutex creation, MachineGuid registry value]

  2. Then, the virus uses the MD5 algorithm to calculate the hash of the MachineGuid, which in our case ended up being c83ba0aa282a966263dda560052b3caf.

[Screenshot: Lokibot mutex creation, MD5 hash]

  3. Finally, characters 8 through 13 of the resulting hash are used as the name of the subdirectory, and characters 13 through 18 are used as the name of the files.

[Screenshot: Lokibot mutex creation]
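The naming algorithm above is deterministic, so a defender can recompute the folder and file names Lokibot would derive on a given host and search for exactly those artifacts, and can also check the persistence entries described in the life-cycle section for a value that points at such a path. The following Python is an added example written for this page, not ANY.RUN's code or the malware's. It assumes the "8th to 13th" and "13th to 18th" positions are 1-based and inclusive (two six-character names sharing the 13th character), that the MachineGuid string is hashed as ASCII exactly as stored, and it recomputes the MD5 rather than trusting the value quoted above; the directory listing and Run-key values are constructed for the demonstration.

```python
import hashlib
import ntpath
import re
from typing import Dict, List, NamedTuple

# The MachineGuid quoted in the analysis above (used here only as sample input).
SAMPLE_MACHINE_GUID = "dc5131b5-5fbc-4f85-b1ed-28d4392080ca"

# Extensions the analysis lists for files in Lokibot's %APPDATA% working directory.
ARTIFACT_EXTENSIONS = (".exe", ".lck", ".hdb", ".kdb")

# Generic shape of the persistence target (six hex chars folder, six hex chars .exe
# under Roaming); this matches independently of any particular MachineGuid.
RUN_VALUE_PATTERN = re.compile(
    r"AppData\\Roaming\\[0-9a-f]{6}\\[0-9a-f]{6}\.exe", re.IGNORECASE
)


class ArtifactNames(NamedTuple):
    md5: str     # full MD5 hex digest of the MachineGuid
    folder: str  # subdirectory name under %APPDATA%
    stem: str    # file name without extension


def names_from_hash(md5_hex: str) -> ArtifactNames:
    """Slice the folder and file stem out of a 32-character MD5 hex digest.

    Assumption: positions are 1-based and inclusive, so characters 8..13 map to
    the 0-based slice [7:13] and characters 13..18 to [12:18].
    """
    md5_hex = md5_hex.lower()
    if not re.fullmatch(r"[0-9a-f]{32}", md5_hex):
        raise ValueError("expected a 32-character hex MD5 digest")
    return ArtifactNames(md5_hex, md5_hex[7:13], md5_hex[12:18])


def names_from_machine_guid(machine_guid: str) -> ArtifactNames:
    """Recompute the names from the MachineGuid string (assumed hashed as ASCII)."""
    digest = hashlib.md5(machine_guid.encode("ascii")).hexdigest()
    return names_from_hash(digest)


def hunt_listing(machine_guid: str, listing: List[str]) -> List[str]:
    """Return the paths in a directory listing whose parent folder, stem and
    extension match what Lokibot would derive from this host's MachineGuid."""
    names = names_from_machine_guid(machine_guid)
    hits = []
    for path in listing:
        parent, filename = ntpath.split(path)
        stem, ext = ntpath.splitext(filename)
        if (ntpath.basename(parent).lower() == names.folder
                and stem.lower() == names.stem
                and ext.lower() in ARTIFACT_EXTENSIONS):
            hits.append(path)
    return hits


def suspicious_run_values(run_values: Dict[str, str]) -> List[str]:
    """Flag Run-key value names whose command points at a Lokibot-shaped path.
    The same check applies to HKLM and HKCU, which the text says are chosen
    depending on the user's privileges."""
    return [name for name, cmd in run_values.items() if RUN_VALUE_PATTERN.search(cmd)]


if __name__ == "__main__":
    n = names_from_machine_guid(SAMPLE_MACHINE_GUID)
    print(f"MD5={n.md5} folder={n.folder} stem={n.stem}")

    # Constructed %APPDATA% listing: the derived names next to unrelated decoys.
    appdata = r"C:\Users\victim\AppData\Roaming"
    listing = [
        rf"{appdata}\{n.folder}\{n.stem}.exe",
        rf"{appdata}\{n.folder}\{n.stem}.hdb",
        rf"{appdata}\Microsoft\Windows\Themes\slideshow.ini",
        rf"{appdata}\{n.folder}\readme.txt",
    ]
    print("artifact hits:", hunt_listing(SAMPLE_MACHINE_GUID, listing))

    # Constructed Run-key values (names and paths are illustrative only).
    run_values = {
        "OneDrive": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        n.stem: rf"{appdata}\{n.folder}\{n.stem}.exe",
    }
    print("suspicious Run values:", suspicious_run_values(run_values))
```

On a live host the listing would come from walking %APPDATA% and the Run-key values from HKLM and HKCU Software\Microsoft\Windows\CurrentVersion\Run; the matching logic stays the same.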

Communication with C&C

To communicate with the C&C server, the patched version of the virus, which is also the most widely spread strain, sends a "ckav.ru" string. Interestingly, the sent data is also a substring of "fuckav.ru".

How to detect Lokibot using ANY.RUN?

Among other things, you can tell whether it is Lokibot in front of you by looking inside the sent packets: the text "ckav.ru" is always present in them. Just click on the sent packet in the "HTTP REQUESTS" tab and take a look inside the packet.

Figure 4: Lokibot network stream
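The same check can be automated over captured HTTP requests: parse each request, look for the "ckav.ru" marker in the body, and report the destination so the host can be compared against the IOC list below. The Python below is an added example for this page, not ANY.RUN's tooling; the three raw requests, the hostnames and the URL paths are constructed for the demonstration, and the second body uses the longer "fuckav.ru" string mentioned above to show that the marker still matches as a substring.

```python
from typing import Dict, List, NamedTuple

# Marker the text says is always present in Lokibot's sent packets.
MARKER = b"ckav.ru"


class HttpRequest(NamedTuple):
    method: str
    target: str
    headers: Dict[str, str]
    body: bytes


def parse_http_request(raw: bytes) -> HttpRequest:
    """Minimal parser for a raw HTTP/1.x request as seen on the wire.
    Headers are decoded as latin-1 and lower-cased; the body stays as bytes
    because Lokibot's payload is binary with embedded text."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if b":" in line:
            key, value = line.split(b":", 1)
            headers[key.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return HttpRequest(method, target, headers, body)


def lokibot_marker_hits(requests: List[bytes]) -> List[str]:
    """Return 'METHOD host/path' for every request whose body carries the marker."""
    hits = []
    for raw in requests:
        req = parse_http_request(raw)
        if MARKER in req.body:
            hits.append(f"{req.method} {req.headers.get('host', '?')}{req.target}")
    return hits


# Constructed sample traffic (hosts and paths are illustrative, not real IOCs).
SAMPLE_REQUESTS = [
    b"POST /upload.php HTTP/1.0\r\nHost: c2-one.example\r\n"
    b"Content-Type: application/octet-stream\r\nContent-Length: 24\r\n\r\n"
    b"\x12\x00\x27\x00ckav.ru\x00\x01\x00\x00\x00\xaa\xbb\xcc\xdd\x00\x00\x00\x00",
    b"POST /gate.php HTTP/1.0\r\nHost: c2-two.example\r\n"
    b"Content-Length: 17\r\n\r\n"
    b"\x12\x00fuckav.ru\x00\x02\x00\x00\x00",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n"
    b"Accept: text/html\r\n\r\n",
]

if __name__ == "__main__":
    for hit in lokibot_marker_hits(SAMPLE_REQUESTS):
        print("Lokibot marker seen:", hit)
```

The marker alone is a strong indicator rather than proof, so a reasonable pipeline pairs a hit with the host artifact check from the naming algorithm and with the IP and domain IOCs listed below.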

Conclusion

Not least because the first version of the malware was leaked and cloned, eventually becoming available at a significantly lower price than the original, Lokibot spyware became a widespread threat that continues to appear in numerous spam email campaigns. In fact, the virus has become so popular that videos explaining its set-up are publicly available on YouTube.

Fortunately, modern malware hunting tools like ANY.RUN provide the ability to examine the malware's behavior in detail and establish solid protection against the hazard.

IOCs

IP addresses
185.53.179.29
204.11.56.48
208.91.198.220
111.118.212.120
208.91.199.152
68.183.42.186
192.169.69.25
104.31.92.131
104.24.124.73
37.251.150.197
173.239.8.164
104.18.57.188
107.175.150.73
104.28.28.215
162.210.96.127
51.15.58.181
82.221.129.19
103.74.123.3
18.219.39.130
104.28.26.97
Hashes

Domains
madmax.stuffpicks.com
stats.stuffpicks.com
parkingcrew.net
www.masajkoltugum.com
www.bonesinbroth.com
supercsync.com
ayc0zsm69431gfebd.xyz
www.alpineplumbinginc.com
qxq.ddns.net
thuocnam.tk
majul.com
m-onetrading-jp.com
krupskaya.com
isns.net
bh-25.webhostbox.net
beautynams.com
duckdns4.duckdns.org
salesxpert.duckdns.org
ipvhosted.duckdns.org
gemalto.duckdns.org
