
LokiBot was developed in 2015 to steal information from a variety of applications. Despite its age, this malware is still rather popular among cybercriminals.

Type: Stealer
Origin: ex-USSR territory
First seen: 3 May, 2015
Last seen: 21 October, 2024
Also known as: Loki, LokiPWS

IOCs

IP addresses
178.159.39.36
Hashes

URLs
https://dddotx.site/ClarkB/PWS/fre.php
http://94.156.177.220/logs/five/fre.php
http://104.248.205.66/index.php/pages
http://ikenna.spxlfow.com/five/fre.php
http://touxzw.ir/sirr/five/fre.php
http://168.100.10.152/index.php/7953330748856
http://blesblochem.com/two/gates1/fre.php
http://freighteightonecam.sytes.net/ndifygidj/five/fre.php
http://solefex.com/clock/five/fre.php
https://dddotx.shop/Mine/PWS/fre.php
http://solutviewmen.viewdns.net/bdifygidj/five/fre.php
http://137.184.191.215/index.php/10899
http://137.184.191.215/index.php/check.php
http://dddotx.shop/Mine/PWS/fre.php
http://168.100.10.152/index.php/wp.php
http://137.184.191.215/index.php/039
http://168.100.10.152/index.php/check
http://werdotx.shop/Devil/PWS/fre.php
http://trvtest.click/RF/PWS/fre.php
http://104.248.205.66/index.php/modify.php

What is LokiBot malware?

LokiBot, also known as Loki-bot or Loki bot, is an information stealer that collects credentials from the most widely used web browsers, FTP clients, email clients, and over a hundred other software tools installed on the infected system. It was developed in one of the ex-USSR countries.

The trojan was first seen on May 3rd, 2015, in a sale announcement made by its creator, and the malware is still active to this day.

General description of LokiBot

Initially created and sold by a hacker known as "lokistov" or "Carter," the first versions of LokiBot spyware cost up to $400. However, almost identical malware appeared on hacker forums soon after, available for as little as $80 from several sellers. It is thought that "lokistov" himself was hacked and the virus's source code was leaked, allowing others to reuse its techniques and sell remarkably similar malware.

Curiously, a researcher later found that the first version of the virus had been patched by someone without access to the source code, which gave the hacker community the ability to set their own individual domains for receiving the stolen data.

Even though several versions of the virus exist today, analysis shows that all of them are modifications of the original malware. Interestingly, the server to which the LokiBot stealer sends data is unique to each particular malware sample.

In the latest versions of LokiBot, a third stage has been added to the process of compromising systems, along with additional encryption as a technique to evade detection. Each layer of the trojan is encrypted in an attempt to hide the eventual source code.

The malware uses the well-known lure of a blurred image in a document to pressure users into enabling macros. This trick infects machines quite successfully.

LokiBot malware analysis

An analysis session created in the ANY.RUN interactive malware hunting service simulates the infection process and provides a convenient way to see how it unfolds on an infected machine. As the simulation shows, the LokiBot trojan needs an email attachment, such as a Microsoft Office file or an archive file, to be opened before it enters its active phase.

Figure 1: Process graph of LokiBot stealer execution, generated by the ANY.RUN malware hunting service

During the analysis, we found out that the malware life cycle can be broken down into the following stages:

  • Infection. The victim opens a malicious archive or a Microsoft Office file, which eventually downloads the malware;
  • Being packed initially, the keylogger unpacks itself and begins executing the main payload;
  • The virus creates a unique loop function for each application it targets and saves the retrieved data into a buffer;
  • Then a registry key is modified, and the trojan copies itself into a folder with a unique name under %APPDATA%. This allows the virus to establish persistence. The MD5 of MachineGuid is used to generate the name, which also serves as the mutex name and as the bot ID. As the last action of this step, the virus creates a registry key that points to the file it copied into that folder under %APPDATA%;
  • Then, depending on whether the current user is privileged or not, the virus sets persistence under either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER;
  • Next, general system information is sent to the C&C server;
  • For persistence, the keylogger then applies triple-DES encryption to the URL and the registry key;
  • After this, the virus starts waiting for commands from the C&C, creating a new thread to handle the C&C response.

How to avoid infection by LokiBot virus?

Since LokiBot spyware requires macros to be enabled to infect the system, attackers will do everything in their power to make the victim enable them. Thus, keeping macros turned off is the best bet for staying protected from the trojan. In particular, extra caution is warranted when a document downloaded from a suspicious source or received from an unknown email address prompts you to enable macros.

Also, having antivirus software from trusted developers and keeping it updated is an excellent way to decrease the probability of becoming the malware's victim and to protect credentials. Another good practice is to be highly mindful when opening attachments or clicking links in emails from unidentified sources, as this is a popular method of spreading malware, including FormBook and Dridex.

Distribution of LokiBot

LokiBot stealer is distributed mostly via mail-spam campaigns that prompt the user to download an attached malicious file. Notably, the three most commonly used file types are Microsoft Office documents configured to download and install the malware, archive or ISO files containing a Loki-Bot executable, and a bare Loki-Bot executable.

LokiBot execution process

An interactive sandbox simulation conducted in the ANY.RUN malware hunting service allows us to take a closer look at how the execution process of LokiBot unfolds when a malicious Microsoft Office file is the infection source.

  • The simulation starts with opening a Microsoft Office file. Immediately, WINWORD.EXE is executed with macros enabled;
  • Then, through exploitation of the CVE-2017-11882 vulnerability, Microsoft Office Equation Editor downloads a malicious executable file;
  • Finally, the malicious executable runs and proceeds to steal personal data and connect to the C&C server.

Figure 2: Process tree of a LokiBot stealer execution, as shown by the ANY.RUN simulation

Figure 3: A text report of a LokiBot analysis created by ANY.RUN

The virus generates multiple artifacts during execution. In particular, four types of files can be stored at the same time in the hidden subdirectory under %APPDATA%. These files have ".exe", ".lck", ".hdb" or ".kdb" extensions, and each file type serves a specific purpose:

  • .exe files contain an executable copy of the trojan that is triggered when a user logs into an account;
  • .lck files are generated to prevent resource conflicts when either Windows credentials or keylogging data are decrypted;
  • .hdb files store the hashes of all data samples already transmitted to the C&C server;
  • .kdb files in turn hold information about the data that is yet to be sent to the server.

Based on the analysis, the keylogger uses the following algorithm to name the files:

  1. First, LokiBot reads the MachineGuid value from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography. In our simulation it was set to dc5131b5-5fbc-4f85-b1ed-28d4392080ca.

Screenshot: LokiBot mutex creation, MachineGuid registry value

  2. Then, the virus uses the MD5 algorithm to calculate the hash of the MachineGuid, which in our case ended up being c83ba0aa282a966263dda560052b3caf.

Screenshot: LokiBot mutex creation, MD5 hash

  3. Finally, characters from the 8th to the 13th of the resulting hash are used as the subdirectory's name, and characters from the 13th to the 18th are used as the name of the files.

Screenshot: LokiBot mutex creation
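As an added example (not code from the page or from ANY.RUN), the naming rule above turned into a small hunting helper in Python: it reproduces the MachineGuid -> MD5 -> slice derivation and lists the four artifact paths (.exe, .lck, .hdb, .kdb from the previous section) a defender can look for under %APPDATA%. It assumes the MD5 is computed over the GUID string exactly as stored in the registry (without braces), which the page does not state explicitly; read_machine_guid is an optional helper for Windows hosts, and the character positions are 0-based and end-exclusive, which is the reading that makes the page's "8th to 13th" and "13th to 18th" ranges non-overlapping.

```python
from __future__ import annotations

import hashlib
import os
from pathlib import Path

# Value taken from the page's own sandbox run (the MachineGuid it observed).
SAMPLE_MACHINE_GUID = "dc5131b5-5fbc-4f85-b1ed-28d4392080ca"

# Artifact extensions the page reports LokiBot keeps in its %APPDATA% subfolder.
LOKIBOT_EXTENSIONS = (".exe", ".lck", ".hdb", ".kdb")


def derive_names(md5_hex: str) -> tuple[str, str]:
    """Apply the slicing rule from the page: hex digits 8..13 of the MD5 digest
    become the subdirectory name, digits 13..18 the file name (Python slices)."""
    md5_hex = md5_hex.lower()
    if len(md5_hex) != 32 or any(c not in "0123456789abcdef" for c in md5_hex):
        raise ValueError("expected a 32-character hex MD5 digest")
    return md5_hex[8:13], md5_hex[13:18]


def expected_artifacts(machine_guid: str, appdata: str = r"%APPDATA%") -> dict[str, str]:
    """Return the path LokiBot would use for each artifact type on a host with
    this MachineGuid. Assumption (not spelled out on the page): the MD5 is taken
    over the GUID string as stored in the registry, i.e. without braces."""
    digest = hashlib.md5(machine_guid.encode("ascii")).hexdigest()
    subdir, stem = derive_names(digest)
    base = os.path.join(appdata, subdir)
    return {ext: os.path.join(base, stem + ext) for ext in LOKIBOT_EXTENSIONS}


def find_artifacts(machine_guid: str, appdata_dir: str) -> list[str]:
    """Hunting helper: which of the expected artifact files actually exist under a
    real (or offline-mounted) AppData\\Roaming directory."""
    return [p for p in expected_artifacts(machine_guid, appdata_dir).values()
            if Path(p).is_file()]


def read_machine_guid() -> str:
    """Read MachineGuid from the same registry key the page names (Windows only).
    KEY_WOW64_64KEY avoids the WOW6432Node redirection a 32-bit Python would get."""
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Cryptography",
                        0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
        value, _ = winreg.QueryValueEx(key, "MachineGuid")
    return value


if __name__ == "__main__":
    # Offline demo with the page's GUID; on a live Windows host use
    # read_machine_guid() and os.environ["APPDATA"] instead.
    for ext, path in expected_artifacts(SAMPLE_MACHINE_GUID).items():
        print(f"{ext}: {path}")
```

Fed the digest the page reports (c83ba0aa282a966263dda560052b3caf), derive_names returns the subdirectory "282a9" and the file stem "66263"; a single five-character folder under %APPDATA% holding files with these four extensions and the same five-character stem is the on-disk pattern worth alerting on.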

LokiBot communication with C&C

To communicate with the C&C server, the patched version of the virus, which is also the most widely spread strain, sends a "ckav.ru" string. Interestingly, the sent string is also a substring of "fuckav.ru."

How to detect LokiBot malware using ANY.RUN?

Among other things, you can tell whether you are looking at LokiBot by inspecting the sent packets: the text "ckav.ru" is always present in them. Just click on a sent packet in the "HTTP REQUESTS" tab and look inside it.

Figure 4: LokiBot network stream
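The same check, automated: an added example (not code from the page or from ANY.RUN) that inspects raw HTTP requests for the two network indicators this page gives, the "ckav.ru" string in the request body and a match against the C&C URLs from the IOC section above. The sample requests are constructed for the demo, not real captures; build_request and the minimal parser are this example's own helpers.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# The page reports that LokiBot's C&C traffic always carries "ckav.ru"
# (a substring of "fuckav.ru") inside the sent packets.
LOKIBOT_MARKER = b"ckav.ru"

# A subset of the C&C URLs listed in the IOC section of this page.
KNOWN_C2_URLS = {
    "http://94.156.177.220/logs/five/fre.php",
    "http://ikenna.spxlfow.com/five/fre.php",
    "http://solefex.com/clock/five/fre.php",
    "http://137.184.191.215/index.php/check.php",
}
# Normalised to (host, path) so a request can be matched without its scheme.
KNOWN_C2_ENDPOINTS = {(urlsplit(u).netloc.lower(), urlsplit(u).path) for u in KNOWN_C2_URLS}


def build_request(host: str, path: str, body: bytes) -> bytes:
    """Assemble a raw HTTP/1.0 POST; used here only to construct sample traffic."""
    head = (
        f"POST {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode("ascii")
    return head + body


def parse_request(raw: bytes) -> tuple[str, str, bytes]:
    """Return (host, path, body) from a raw request. Minimal parser for the demo."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    path = parts[1].decode("ascii", "replace") if len(parts) > 1 else ""
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
    return host, path, body


def lokibot_indicators(raw: bytes) -> list[str]:
    """List the LokiBot indicators from this page that a single request trips."""
    host, path, body = parse_request(raw)
    hits = []
    if LOKIBOT_MARKER in body:
        hits.append("ckav.ru marker in request body")
    if (host, path) in KNOWN_C2_ENDPOINTS:
        hits.append(f"known C2 endpoint {host}{path}")
    return hits


# Constructed samples, not real captures.
SAMPLE_REQUESTS = [
    # LokiBot-style check-in to a known C2 URL, marker inside a binary body.
    build_request("94.156.177.220", "/logs/five/fre.php",
                  b"\x12\x00\x27\x00ckav.ru\x00\x00" + b"A" * 16),
    # Same marker, but to a host absent from the IOC list: still worth an alert.
    build_request("unknown.invalid", "/five/fre.php", b"\x12\x00ckav.ru\x00"),
    # Benign JSON login; must not match.
    build_request("intranet.invalid", "/api/login", b'{"user":"alice"}'),
]


def scan(requests: list[bytes]) -> dict[int, list[str]]:
    """Map sample index -> indicators hit, omitting clean requests."""
    result = {}
    for i, raw in enumerate(requests):
        hits = lokibot_indicators(raw)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS).items():
        print(idx, hits)
```

The body marker is the more durable indicator: the page notes that each sample talks to its own server, so an IOC list of URLs ages quickly, while the "ckav.ru" string is present in the traffic of the widely spread patched strain regardless of which C&C domain a given build uses.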

Conclusion

Lastly, since the first version of the malware was leaked and cloned, eventually becoming available for a significantly lower price than the original, LokiBot spyware became widespread and continues to appear in numerous mail-spam campaigns. In fact, the virus has become so popular that setup videos explaining how to steal credentials with it are publicly available on YouTube.

Fortunately, modern malware hunting tools like ANY.RUN provide the ability to examine the malware's behavior in detail and establish solid protection against the threat.

Create your free ANY.RUN account today and enjoy unlimited malware analysis!
