LokiBot

LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.

Type
Stealer
Origin
ex-USSR territory
First seen
3 May, 2015
Last seen
5 October, 2022
Also known as
Loki
LokiPWS
Global rank
6
Week rank
10
Month rank
8
IOCs
23927

What is LokiBot malware?

LokiBot, also known as Loki-bot or Loki bot, is an information stealer malware that collects credentials from the most widely used web browsers, FTP, email clients, and over a hundred software tools installed on the infected system. It was developed in one of the ex-USSR countries.

The trojan was discovered for the first time on May 3rd, 2015, from a sale announcement made by the creator, and the malware is still active to this day.

General description of LokiBot

Initially created and sold by a hacker known as "lokistov" or "Carter," the first versions of LokiBot spyware used to cost up to $400. However, almost identical malware appeared on hacker forums soon after, available for as little as $80 from several sellers. As it is thought, "lokistov" himself was hacked, and the virus's source code was leaked, allowing others to use its techniques and sell remarkably similar malware.

Curiously, a researcher subsequently found out that the first version of the virus got patched by someone without accessing the source code, which gave the hacker community the ability to set a series of individual domains used to receive the retrieved data.

Even though several versions of the virus exist today, after the analysis, it was found that all of them are actually modifications of the original malware. Interestingly, the server to which LokiBot stealer sends data is unique for every particular malware sample.

In the latest versions of LokiBot, a third stage is added to the process of compromising systems, besides more encryption, a technique to escape detection. Each layer of the trojan is encrypted to attempt to hide the eventual source of code.

The malware uses the known technique of blurring images in documents to force users to enable macros. This trick infects machines quite successfully.

LokiBot malware analysis

A video displaying the simulation of the contamination process created by the ANY.RUN interactive malware hunting service provides the perfect opportunity for malware analysis to see how the contamination process unfolds on an infected machine. As shown in the simulation, LokiBot trojan needs email attachments, such as a Microsoft Office file or an archive file to be opened to enter an active phase.

process graph of lokibot stealer execution Figure 1: Process graph generated by the ANY.RUN malware hunting service

During the analysis, we found out that the malware life cycle can be broken down into the following stages:

  • Contamination. The victim downloads a malicious archive or a Microsoft Office file which eventually downloads the malware;
  • Being packed initially, the keylogger unpacks itself and begins the execution of the main payload;
  • The virus creates unique loop-functions for each application that it is targeting and saves retrieved data into a buffer;
  • Then, a registry key is modified, and the trojan is explicitly copied into a folder with a specific name unique name under the %APPDATA% folder. This allows the virus to establish persistence. MachineGuid MD5 is used for the name generation, and the name can also be used as a Mutex as well as bot-id. As the last action of this step, the virus generates a registry key that points to the file it copied before to the specific folder inside the %APPDATA% folder;
  • Then, depending on if the current user is privileged or not, the virus sets persistence either under HKEY_LOCAL_MACHINE or KEY_CURRENT_USER;
  • Next, general system information is sent to the C&C server;
  • For persistence, the keylogger then applies the triple-DES encryption technique to the URL and the registry key;
  • After this, the virus starts waiting for commands from C&C, creating a new thread to detect the C&C response.

How to avoid infection by LokiBot virus?

Since LokiBot spyware requires macros to be activated to infect the system, attackers will do everything in their power to make the victim enable them. Thus keeping macros turned off is the best bet to stay protected from the trojan. Notably, extra caution should be exhibited when a document downloaded from a suspicious source or an unknown email address prompts to enable macros.

Also, having antivirus software from trusted developers and keeping it updated is an excellent way to decrease the probability of becoming the malware's victim and protecting credentials. Another good common practice is to be highly mindful when opening attachments or clicking links in emails from unidentified sources as it's a popular method of malware spreading, including FormBook and Dridex.

Distribution of LokiBot

LokiBot stealer is distributed mostly via mail-spam campaigns, prompting the user to download a malicious file that is attached. Remarkably, the three most commonly used types of files are Microsoft Office documents configured to begin the download and installation processes of the malware, archive files containing a Loki-Bot executable or ISO files, and a Loki-Bot executable.

LokiBot execution process

Interactive sandbox simulation conducted on the ANY.RUN malware hunting service allows us to take a closer look at how the execution process of LokiBot unfolds in a case when a contaminated Microsoft Office file is the infection source.

  • The simulation starts with opening a Microsoft Office file. Immediately, WINWORD.EXE is executed with enable macros.
  • Then, through the exploitation of the CVE-2017-11882 vulnerability, Microsoft Office Equation Editor proceeds to download a malicious executable file;
  • Finally, a malicious executable file runs itself and then proceeds to steal the personal data and connect to the C&C server.

process tree of a lokibot stealer execution Figure 2: Illustrates the execution processes of LokiBot as shown by ANY.RUN simulation

a text report of a lokibot analysis Figure 3: A text report created by ANY.RUN

The virus generates multiple artifacts during its execution process. Particularly, four types of files can be simultaneously stored in the secret %APPDATA% directory at any point in time. Those files can have ".exe," ".lck," ".hdb" or ".kdb." extensions, and each file type is used for a specific purpose:

  • .exe files contain an executable copy of the trojan that triggers when a user logs into an account,
  • .lck files are generated to prevent resource conflicts when either Windows Credentials or Keylogging are decrypted,
  • .hdb files are used to store the hashes of all data samples already transmitted to the C&C server
  • .kdb files are in turn used to hold information about the data that is yet to be sent to the server

Based on the analysis, the keylogger uses the following algorithm to name the files:

  1. First, LokiBot takes the value of MachineGuid from the registry branch HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Cryptography . In the case of our simulation, it was set to dc5131b5-5fbc-4f85-b1ed-28d4392080ca.

lokibot mutex creation GUID registry

  1. Then, the virus uses the MD5 algorithm to calculate the hash sum of the MachineGuid, which in our case ended up being c83ba0aa282a966263dda560052b3caf.

lokibot mutex creation md5

  1. Finally, characters from the 8th to the 13th of the resulting hash amount are used as the subdirectory's name, and the characters from the 13th to the 18th are used as the name of the files.

lokibot mutex creation

LokiBot communication with C&C

To communicate with the C&C server, the patched version of the virus, which is also the most widely spread strain, sends a "ckav.ru" string. Interestingly, the sent data is also is a substring of "fuckav.ru."

How to detect LokiBot malware using ANY.RUN?

Among other things, you can detect whether it is LokiBot in front of you or not by looking inside sending packets - there's always text "ckav.ru" inside them. Just click on the sent packet in the "HTTP REQUESTS" tab and take a look inside a packet.

lokibot network stream Figure 4: Lokibot network stream

Conclusion

Lastly, since the first version of the malware was leaked and cloned, eventually becoming available for a significantly lower price than the original, LokiBot spyware became a widely spread malware that continues to appear in several mail-spam campaigns. In fact, the virus has become so popular that its set-up explanation videos on stealing credentials are publically available on YouTube.

Fortunately, modern malware hunting tools like ANY.RUN provides the ability to examine the malware behavior in detail and establish solid protection against the hazard.

IOCs

IP addresses
210.245.8.133
212.1.211.48
172.67.179.121
23.253.46.64
31.170.160.61
162.241.3.30
172.67.206.17
204.93.178.31
216.10.240.90
212.108.234.94
172.67.214.235
50.31.174.86
104.18.32.77
103.199.16.121
72.52.238.62
185.80.130.205
185.14.29.199
104.18.41.63
148.66.136.188
68.66.248.9
Hashes
676ee7a91a1b41c3fa8f2ab8ea445a34f969de6666ef3b0250e4bf72aadc7320
7747b7ca47638f19207b66b6b3dfb7f2ac099c527398ca12e4b9cfb8a91218ae
3d7d31595a832c1639140e4dbb4087302cb6a165208ecf897530394ae61c0a14
3097ef71e54843944f47d89ca4e5563bcb3a045d1c065f5cf4432dc0dbda70a4
c201333fad1225eac836fad58bc37e183f272e0cf4a62d5754868097560dbc47
da96430ff4368b74d790869a686744a6da1e5422e5c610eef4a155f609ff041c
ebe88f785d0574a69f157908e69a1f10286724f4dd358619c026712043fb23e7
e37f679e4ff8a85cd1cc2b7f26b9be0d1718068cd5fb0a4163942571a5af28b9
6bd5bbea9b02d99f157e191dbdfe2d772498c3443496738e2c8d92a9617a099e
8256f8a9f9059ecf6c71b29bba79230426aa658fda8bae17b729f6b97edfd469
fe1b1bebb008a8664018f8bf9b4a6b13941f4d357c89f3b36c97225b38cb87e0
3462fa9634ad9ada7c6d07f2b48138fba9326e4771843da8a11a33bb618f265a
8e8db2f4e243b2a131584bab586e5a28b610f93a62ca3b5b9ab91cd9d9c78597
b52caedea6346141b5c469c02ececbd7ed08ea9b04ceef80dac35c6cae4e946e
132b2bec8d938eeff8eaa559349a7a2a272a957fef0e4f3e9bcb4241eadf7e68
cdc946dc0460c4d655a8589e0428a128a889a0ef40741eec2d17398c9a55e9f3
e4dbdbf7888ea96f3f8aa5c4c7f2bcf6e57d724dd8194fe5f35b673c6ef724ea
a2c8da15bb671e4122238011b32c056de465a37ac51b4a5859f89d0c55f8c838
ee79218108b5cf72de7f693a215decf0ef104d7bfe61527aa9a4d0b2c38faf52
72bf301c8a8486fb02c1dd1567326282c99048b3ed122040ce4718c47c4d6cc2
Domains
becharnise.ir
millsmiltinon.com
blesblochem.com
office-archive-index.com
vladisfoxlink.ru
officeupgrade.org
nemty10.hk
grab-indonesia.com
liveupdates2000.com
broomingkingpoiuty.tk
activeterroristwarningcompany.com
mahikuchen.com
epsondriversforwindows.com
pool.ug
www.gaffney-krroese.com
lauramillet.ru
ekonomca.co
linksysdatakeys.se
decvit.ga
jelimold.com

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Crimson RAT screenshot
Crimson RAT
crimson rat trojan
Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More