Lokibot

Lokibot, also known as Loki-bot or Loki bot, is an information stealer malware that collects data from most widely used web browsers, FTP, email clients and over a hundred software tools installed on the infected machine. It was developed in one of the ex-USSR countries.

  • Type
    Stealer
  • Origin
    ex-USSR territory
  • First seen
    3 May, 2015
  • Last seen
    22 November, 2019
  • Also known as
    Loki, LokiPWS
  • Global rank
    2
  • Week rank
    4
  • Month rank
    4
  • IOCs
    7057

What is Lokibot malware?

Lokibot was first seen on May 3rd, 2015, in a sale announcement posted by its author, and the malware is still active to this day.

General description of Lokibot

Initially created and sold by a hacker known as “lokistov” or “Carter”, the first versions of Lokibot cost up to $400. Soon afterwards, however, almost identical malware started appearing on hacker forums for as little as $80 from a number of sellers. It is believed that “lokistov” himself was hacked and the source code of the malware was leaked, allowing others to build and sell extremely similar malware.

Curiously, a researcher later found that the first version had been patched at the binary level, without access to the source code, so that whoever resold it could set their own C&C domains to receive the stolen data.

Although several versions exist today, all of them turned out to be modifications of the original malware. Notably, the C&C server to which Lokibot sends data is unique to each particular sample, so a C&C address is an indicator for one campaign rather than for the family as a whole.

Lokibot malware analysis

A video showing the infection process, created by the ANY.RUN interactive malware hunting service, provides a good opportunity to see how the infection unfolds on a compromised machine. As shown in the simulation, Lokibot needs an email attachment, such as a Microsoft Office file or an archive, to be opened in order to enter its active phase.

Figure 1: Process graph generated by the ANY.RUN malware hunting service

The malware life cycle can be broken down into the following stages:

  • Infection. The victim opens an infected archive or a Microsoft Office file, which eventually downloads the malware;
  • The initially packed sample unpacks itself and begins executing the main payload;
  • The payload creates a separate collection loop for each application it targets and saves the retrieved data into a buffer;
  • The Trojan then copies itself into a folder with a unique name under %APPDATA%, which is how it establishes persistence. The folder and file names are derived from the MD5 of the MachineGuid, and the same value also serves as the mutex name and bot ID. As the last action of this step, the malware creates a registry key that points at the copy inside the %APPDATA% folder;
  • Depending on whether the current user is privileged, the persistence key is created under HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER;
  • Next, general system information is sent to the C&C server;
  • For persistence, the keylogger applies Triple DES encryption to the C&C URL and the registry key;
  • After this the malware waits for commands from the C&C, creating a new thread to handle the C&C response.

How to avoid infection by Lokibot?

Most Lokibot documents rely on macros to infect the system, so attackers will do everything in their power to make the victim enable them. Keeping macros turned off is therefore the best bet against this delivery route; be particularly careful when a document downloaded from a suspicious source or received from an unknown email address prompts you to enable macros. Note that the Equation Editor route described below (CVE-2017-11882) does not need macros at all, so keeping Microsoft Office patched matters just as much.

In addition, having antivirus software from trusted developers and always keeping it updated is a good way to decrease the probability of becoming the malware’s victim. Another good common practice is to be extremely mindful when opening attachments or clicking links in emails from unidentified sources.

Distribution of Lokibot

Lokibot is distributed mostly via spam email campaigns that prompt the user to open an attached file. The three most common attachment types are Microsoft Office documents configured to download and install the malware, archive files containing a Lokibot executable, and ISO files that also contain a Lokibot executable.

Lokibot execution process

An interactive sandbox simulation conducted on the ANY.RUN malware hunting service lets us take a closer look at how Lokibot executes when a malicious Microsoft Office file is the infection source.

  • The simulation starts with opening the Microsoft Office file; WINWORD.EXE is launched with macros enabled.
  • Then, through exploitation of the CVE-2017-11882 vulnerability, the Microsoft Office Equation Editor downloads a malicious executable file;
  • Finally, the malicious executable runs, steals the personal data and connects to the C&C server.

Figure 2: Execution processes of Lokibot as shown by the ANY.RUN simulation

Figure 3: A text report created by ANY.RUN

The malware generates multiple artifacts during execution. In particular, four types of files can be present in the hidden %APPDATA% subfolder at any point in time. They carry the “.exe”, “.lck”, “.hdb” or “.kdb” extension, and each type serves a specific purpose:

  • .exe files contain an executable copy of the Trojan that is triggered when a user logs on;
  • .lck files are created to prevent resource conflicts while Windows credentials or keylogger data are decrypted;
  • .hdb files store the hashes of all data samples already transmitted to the C&C server;
  • .kdb files hold the data that is yet to be sent to the server.

The keylogger uses the following algorithm to name the files:

  1. First, Lokibot reads the MachineGuid value from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography. In our simulation it was dc5131b5-5fbc-4f85-b1ed-28d4392080ca.
  2. Then, the malware calculates the MD5 hash of the MachineGuid, which in our case was c83ba0aa282a966263dda560052b3caf.
  3. Finally, characters 8 through 13 of the resulting hash are used as the name of the subdirectory, and characters 13 through 18 as the name of the files.
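The naming scheme above and the persistence step from the life-cycle list can be turned into a hunting check. The Python below is an added example, not ANY.RUN's code and not taken from a Lokibot sample: it derives the expected folder and file names from a MachineGuid, lists the four artifact paths, matches registry Run-key values against the derived copy (the article does not name the registry key the malware uses, so Run is an assumption), and carries a generic path pattern for hosts whose MachineGuid is not known. The MachineGuid and the MD5 are the ones from the simulation above; the registry values and the %APPDATA% path are constructed, and treating the character positions as 1-based and inclusive (so the two names overlap at the 13th character) is an assumption, as is hashing the GUID as ASCII.

```python
import hashlib
import re

# Constructed sample values. The MachineGuid and its MD5 are the ones shown
# in the article's simulation; the Run values below are invented for
# illustration and are not taken from a real infected host.
SAMPLE_MACHINE_GUID = "dc5131b5-5fbc-4f85-b1ed-28d4392080ca"
SAMPLE_MD5 = "c83ba0aa282a966263dda560052b3caf"
SAMPLE_APPDATA = r"C:\Users\victim\AppData\Roaming"
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "966263":   r'"C:\Users\victim\AppData\Roaming\a282a9\966263.exe"',
}

# Purpose of each artifact extension, as described in the article.
ARTIFACT_PURPOSE = {
    ".exe": "executable copy of the Trojan, launched at logon",
    ".lck": "lock file preventing resource conflicts during decryption",
    ".hdb": "hashes of data already sent to the C&C",
    ".kdb": "data not yet sent to the C&C",
}


def md5_of_machine_guid(machine_guid: str) -> str:
    """MD5 of the MachineGuid string. Assumption: the sample hashes the
    ASCII form of the GUID exactly as stored in the registry."""
    return hashlib.md5(machine_guid.encode("ascii")).hexdigest()


def derive_names(md5_hex: str) -> tuple[str, str]:
    """Folder and file name derived from the MD5 hex digest.

    Assumption: "8th to 13th" and "13th to 18th" are 1-based, inclusive
    positions, so each name is six hex characters and they overlap at
    the 13th character.
    """
    if not re.fullmatch(r"[0-9a-f]{32}", md5_hex):
        raise ValueError("expected a 32-character lowercase hex MD5")
    folder = md5_hex[7:13]   # characters 8..13
    name = md5_hex[12:18]    # characters 13..18
    return folder, name


def expected_paths(appdata: str, folder: str, name: str) -> dict[str, str]:
    """All artifact paths the sample would create, keyed by full path."""
    return {f"{appdata}\\{folder}\\{name}{ext}": purpose
            for ext, purpose in ARTIFACT_PURPOSE.items()}


def find_persistence_entries(run_values: dict[str, str], appdata: str,
                             folder: str, name: str) -> list[str]:
    """Names of Run-key values whose command points at the derived copy."""
    target = f"{appdata}\\{folder}\\{name}.exe".lower()
    hits = []
    for value_name, command in run_values.items():
        # Run values are often quoted and may carry arguments; compare
        # the executable path only.
        if command.startswith('"'):
            executable = command.split('"')[1]
        else:
            executable = command.split(" ")[0]
        if executable.lower() == target:
            hits.append(value_name)
    return hits


# Generic hunting pattern when the MachineGuid is not known: any artifact
# at %APPDATA%\<6 hex>\<6 hex>.<ext>. Case-insensitive because Windows is.
ARTIFACT_PATTERN = re.compile(
    r"\\appdata\\roaming\\[0-9a-f]{6}\\[0-9a-f]{6}\.(exe|lck|hdb|kdb)$", re.I)


def looks_like_lokibot_artifact(path: str) -> bool:
    """True when a path has the shape of a Lokibot artifact."""
    return ARTIFACT_PATTERN.search(path) is not None


if __name__ == "__main__":
    computed = md5_of_machine_guid(SAMPLE_MACHINE_GUID)
    print("article MD5 :", SAMPLE_MD5)
    print("computed MD5:", computed)  # differs only if the sample hashes another encoding
    folder, name = derive_names(SAMPLE_MD5)
    print(f"expected folder {folder!r}, file name {name!r}")
    for path, purpose in expected_paths(SAMPLE_APPDATA, folder, name).items():
        print(f"  {path}: {purpose}")
    print("Run values pointing at the copy:",
          find_persistence_entries(SAMPLE_RUN_VALUES, SAMPLE_APPDATA, folder, name))
```

On a live host the MachineGuid and the Run values would be read from the registry instead of the constants. Read the GUID the same way the sample does: a 32-bit process sees HKLM\SOFTWARE through the WOW6432Node redirector, and if the value it reads differs from the 64-bit one the derived names will not match. Compare the computed digest against what a sandbox run shows before relying on it.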

Communication with C&C

To communicate with the C&C server, the patched version of the malware, which is also the most widespread strain, sends the string “ckav.ru”. This is the tail of the string “fuckav.ru” found in the original build, so matching “ckav.ru” covers both.

How to detect Lokibot using ANY.RUN?

Among other things, you can tell whether you are looking at Lokibot by inspecting the packets it sends: the text “ckav.ru” is always inside them. Just click on the sent packet in the “HTTP REQUESTS” tab and look inside the packet.

Figure 4: Lokibot network stream
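To run the same check outside the sandbox, for instance over requests carved from a packet capture, the Python below is an added example, not ANY.RUN's code: it parses a raw HTTP request, honours Content-Length, and flags POST bodies containing “ckav.ru”. The sample requests are constructed; only the marker string comes from the article, while the host, path, User-Agent and body layout are invented.

```python
from dataclasses import dataclass

# Marker the article reports in every Lokibot check-in. Matching this
# substring also catches the original "fuckav.ru" string.
MARKER = b"ckav.ru"


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: dict[str, str]
    body: bytes


def parse_http_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request parser for one captured client request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers found")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes of a reassembled stream are
    # not mistaken for the body.
    length = int(headers.get("content-length", len(body)))
    return HttpRequest(method, target, headers, body[:length])


def is_lokibot_checkin(raw: bytes) -> bool:
    """True when a POST body carries the marker the article describes."""
    try:
        req = parse_http_request(raw)
    except ValueError:
        return False
    return req.method == "POST" and MARKER in req.body


def scan_requests(requests: list[bytes]) -> list[str]:
    """Request targets (paths) of every request flagged as a check-in."""
    return [parse_http_request(r).target for r in requests if is_lokibot_checkin(r)]


# Constructed samples. Only the "ckav.ru" marker comes from the article;
# the host, path, User-Agent and body layout are invented for illustration.
CHECKIN_BODY = b"\x12\x00\x00\x00" + b"ckav.ru" + b"\x00" + b"WIN10-LAB\x00"
SAMPLE_CHECKIN = (
    b"POST /example/gate.php HTTP/1.0\r\n"
    b"Host: c2.example.invalid\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: %d\r\n\r\n" % len(CHECKIN_BODY)
) + CHECKIN_BODY
SAMPLE_BENIGN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"Content-Length: 19\r\n\r\n"
    b"user=bob&pass=12345"
)
SAMPLE_NO_BODY = b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("check-in", SAMPLE_CHECKIN), ("benign", SAMPLE_BENIGN),
                       ("no body", SAMPLE_NO_BODY)):
        print(f"{label:9s}: {is_lokibot_checkin(raw)}")
    print("flagged targets:", scan_requests([SAMPLE_CHECKIN, SAMPLE_BENIGN, SAMPLE_NO_BODY]))
```

Feed it the reassembled client side of each TCP stream. The check is restricted to POST bodies on purpose: a bare substring search over whole packets would also fire on a server response that merely mentions the domain.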

Conclusion

Not least because the first version of the malware was leaked and cloned, eventually becoming available for a significantly lower price than the original, Lokibot has become widespread and keeps appearing in spam email campaigns. In fact, it has become so popular that set-up walkthrough videos are publicly available on YouTube.

Fortunately, modern malware hunting tools like ANY.RUN provide the ability to examine the malware's behavior in detail and build solid protection against the threat.

IOCs

IP addresses
45.252.248.29
185.53.179.29
50.63.202.68
192.254.235.39
192.124.249.18
104.168.65.2
173.239.8.164
104.28.28.85
5.101.152.144
104.27.142.212
54.93.177.193
8.208.21.228
149.255.62.31
85.187.128.8
104.18.43.84
111.118.212.120
107.180.21.237
162.241.148.12
162.221.190.147
Hashes
eac5b5888adcd939bf9e635043bdf34cd2f26e29e847a7272058a7aac283ec7d
99f4bbf763a2b797fd11c8c03076fb107451c0d37dc78af1b633c94ce12ddfb0
16a94d5de704b8166684143480c0c93c522751eba3acc8a79d468d0e7b579a9e
31f4d0b4b4eadfaa8f182426602d873c98898194bf4e1f3198fcf2f622778de0
f885e3edc8bac2002780fda186338ec340644c158e6bb92df5b4e7c816ab3304
846719643821a07c020fdc255329c59c810d6e630ded6c3d9c896ed0558cf89c
7e193dc9e002bb04ddba228e0ca7d3b3c4e4a3977c1bc8d7dae9c94851ac0b89
35ed04364daa9a21e306204ea27f1d7186248a8ab6bbc03ab202fb8d6f998a05
d3e29b15ea900cde8c8eb913f3f3b4055b835066e38639e42cd9abf10805ffb6
6de595ed023bb40e40fde2e3f89799fd49814d857c468aba554862566e3e070d
0a9252097be1a7f80972df34f17131f730be8ffec52e41f449bea78a0ad6afe6
65bcc7f82e35bcc6c4b297ec7eae49391975a6f613dbfbdb088970f389bae373
b0415879d4863223df9fc1d242cf1e23f7d805d81eaa736eb550645034060342
ff4800c4bd225004d663bbcd47f3a24fcd4f5c18646d125d5e11e312d829887b
af9a8e88933950f68f2509d4537b301ced43504f6595d660cc14ec09ebcd045d
d680ee07f08dd46b35165988ff94cf6a6353a537967e4fbf2a62fc14a85246f6
4205862a57408342582b438d5d276fd2edafee09359cbdef335199232b9fa48a
b3ad6ff678633a72e499b202494737c31d40bdb61b748b2c956c1be752d6ed30
b5bb1d5f3aa9f09ecee4b8a147ce1b77d635fdef766929aef9834101b1648fda
88d82b6d8205f4d0b110843f2446f26476104c6cbacb2c224f7ebff06c3e0cbe
Domains
cuahangcodoc.com
chotiennghi.com
bachthaoduoc.vn
botvchannel.com
aricadecor.com
vitinhhaidang.com
bachhoagame.com
beenchem.com
caygionghocviennongnghiep1.com
audiosv.com
timnhakhoa.com
dangkivayvon.com
majul.com
gidiestetigi.info
ip-50-63-202-68.ip.secureserver.net
www.jewelryisaqe.info
www.1158nn.com
bonusexpo.info
www.tangomarketingsolutions.com
