What is Lokibot malware?
Lokibot, also known as Loki-bot or Loki bot, is an information stealer malware that collects credentials from the most widely used web browsers, FTP, email clients, and over a hundred software tools installed on the infected system. It was developed in one of the ex-USSR countries.
It was discovered for the first time on May 3rd, 2015 from a sale announcement made by the creator and the malware is still active to this day.
General description of Lokibot
Initially created and sold by a hacker known as "lokistov," or "Carter,", the first versions of Lokibot spyware used to cost up to $400. However, soon after almost identical malware started appearing on hacker forums, available for as little as $80 from a number of sellers. As it is thought, “lokistov” himself was hacked, and the source code of the virus was leaked, allowing others to use its techniques and sell extremely similar malware.
Curiously, a researcher subsequently found out that the first version of the virus got patched by someone without accessing the source code, which gave the hacker community the ability to set a series of individual domains used to receive the retrieved data.
Even though several versions of the virus exist today, after the analysis, it was found that all of them are actually modifications of the original malware. Interestingly, the server to which Lokibot stealer sends data is unique for every particular malware sample.
In the latest versions of Lokibot, a third stage is added to the process of compromising systems, besides more encryption, a technique to escape detection. Each layer is encrypted to attempt to hide the eventual source of code.
The malware uses the known technique of blurring images in documents to force users to enable macros. This trick infects machines quite successfully.
Lokibot malware analysis
A video displaying the simulation of the contamination process created by the ANY.RUN interactive malware hunting service provides the perfect opportunity for malware analysis to see how the contamination process is unfolding on an infected machine. As shown in the simulation, Lokibot needs email attachments, such as a Microsoft Office file or an archive file to be opened to enter an active phase.
Figure 1: Process graph generated by the ANY.RUN malware hunting service
During the analysis we found out that the malware life cycle can be broken down into the following stages:
- Contamination. The victim downloads a malicious archive or a Microsoft Office file which eventually downloads the malware;
- Being packed initially, the Keylogger unpacks itself and begins the execution of the main payload;
- The virus creates unique loop-functions for each application that it is targeting and saves retrieved data into a buffer;
- Then, a registry key is modified and the Trojan is copied specifically into a folder with a specific name unique name under the %APPDATA% folder. This allows the virus to establish persistence. MachineGuid MD5 is used for the name generation and the name can also be used as a Mutex as well as bot-id. As the last action of this step, the virus generates a registry key that points to the file it copied before to the specific folder inside the %APPDATA% folder;
- Then, depending on if the current user is privileged or not the virus sets persistence either under HKEY_LOCAL_MACHINE or KEY_CURRENT_USER;
- Next, general system information is sent to the C&C server;
- For persistence, the keylogger then applies triple DES encryption technique to the URL and the registry key;
- After this the virus starts waiting for commands from C&C, creating a new thread to detect the C&C response.
How to avoid infection by Lokibot?
Since Lokibot spyware requires macros to be activated to infect the system, attackers will do everything in their power to make the victim enable them. Thus keeping macros turned off is the best bet to stay protected from the Trojan. Particularly, extra caution should be exhibited when a document downloaded from a suspicious source or an unknown email address prompts to enable macros.
Also, having antivirus software from trusted developers and always keeping it updated is a good way to decrease the probability of becoming the malware’s victim and protect credentials. Another good common practice is to be extremely mindful when opening attachments or clicking links in emails from unidentified sources.
Distribution of Lokibot
Lokibot stealer is distributed mostly via mail-spam campaigns, prompting the user to download a malicious file that is attached. Particularly, the three most commonly used types of files are Microsoft Office documents configured to begin the download and installation processes of the malware, archive files that contain a Loki-Bot executable or ISO files, also containing a Loki-Bot executable.
Lokibot execution process
Interactive sandbox simulation conducted on the ANY.RUN malware hunting service allows us to take a closer look at how the execution process of Lokibot unfolds in a case when a contaminated Microsoft Office file is the infection source.
- The simulation starts with opening a Microsoft Office file. Immediately, WINWORD.EXE is executed with enable macros.
- Then, through the exploitation of the CVE-2017-11882 vulnerability, Microsoft Office Equation Editor proceeds to download a malicious executable file;
- Finally, a malicious executable file runs itself and then proceeds to steal the personal data and connect to the C&C server.
Figure 2: Illustrates the execution processes of Lokibot as shown by ANY.RUN simulation
Figure 3: A text report created by ANY.RUN
The virus generates multiple artifacts during its execution process. Particularly, four types of files can be simultaneously stored in the secret %APPDATA% directory at any point in time. Those files can have “.exe,” “.lck,” “.hdb” or “.kdb.” extensions, and each file type is used for a specific purpose:
- .exe files contain an executable copy of the Trojan that triggers when a user logs into an account,
- .lck files are generated to prevent resource conflicts when either Windows Credentials or Keylogging are decrypted,
- .hdb files are used to store the hashes of all data samples already transmitted to the C&C server
- .kdb files are in turn used to hold information about the data that is yet to be sent to the server
Based on the analysis, the keylogger uses the following algorithm to name the files:
- First, Lokibot takes the value of MachineGuid from the registry branch HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Cryptography . In the case of our simulation, it was set to dc5131b5-5fbc-4f85-b1ed-28d4392080ca.
- Then, the virus uses the MD5 algorithm to calculate the hash sum of the MachineGuid which in our case ended up being c83ba0aa282a966263dda560052b3caf.
- Finally, characters from the 8th to the 13th of the resulting hash amount are used as the name of the subdirectory, and the characters from the 13th to the 18th are used as the name of the files.
Lokibot communication with C&C
To communicate with the C&C server, the patched version of the virus which is also the most widely spread strain sends a “ckav.ru” string. Interestingly, the sent data is also is a substring of “fuckav.ru”.
How to detect Lokibot malware using ANY.RUN?
Among other things you can detect either it is Lokibot in front of you or not by looking inside sending packets - there's always text "ckav.ru" inside them. Just click on the sent packet in the "HTTP REQUESTS" tab and take a look inside a packet.
Figure 4: Lokibot network stream
Not lastly due to the fact that the first version of the malware was leaked and cloned, eventually becoming available for a significantly cheaper price than the original, Lokibot spyware became a widely spread malware that is continuing to appear in several mail-spam campaigns. In fact, the virus has become so popular that its set-up explanation videos on stealing credentials are publically available on YouTube.
Fortunately, modern malware hunting tools like ANY.RUN provides the ability to examine the malware behavior in detail and establish solid protection against the hazard.