LokiBot, dubbed Loki, is an infostealer malware strain and keylogger that steals passwords, credentials and other information from web browsers, applications, and FTP and email clients. Several variants of Loki are prevalent on dark web marketplaces and underground forums. The LokiBot payload is delivered via MS Office files and is executed when the victim is tricked into opening the file. The malware ships in multiple packed wrappers, which later unpack themselves and execute the main payload in the memory of the victim's computer.
The payload targets each application running on the victim machine separately and steals its data, which is then stored in a buffer. The malware establishes persistence through registry modification, especially by targeting directories such as %APPDATA%; depending on the user's privileges, it sets persistence under HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER. It then contacts the Command and Control (C2) server for further data transfer and command retrieval, and initiates its keylogging functionality, which uses Data Encryption Standard (DES) encryption to encrypt the keylogs.
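The Run-key persistence described above is something a defender can hunt for in endpoint telemetry. The following is an added example, not code from the original page or from any vendor: a small Python check over constructed Sysmon-style registry "value set" events (Event ID 13) that flags Run/RunOnce entries whose target lives in a user-writable location such as %APPDATA%, and records whether the write landed under HKLM or HKCU (Sysmon reports HKCU paths as HKU\<SID>\...). The sample records, the SID and value names such as "WinUpdate" are constructed.

```python
import re

# Constructed Sysmon-style "RegistryEvent (Value Set)" records (Event ID 13).
# These are made up for this example; they are not real telemetry from an infection.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "Details": r"C:\Users\alice\AppData\Roaming\Microsoft\WinUpdate.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor Agent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"%APPDATA%\Updater\updater.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000002)"},
]

# Run / RunOnce keys under either hive. Sysmon writes HKCU paths as HKU\<SID>\...
RUN_KEY = re.compile(
    r"^(?P<hive>HKLM|HKU\\S-1-5-21-[\d-]+)\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$", re.IGNORECASE)
# Locations a non-admin user can write to; a legitimate autorun rarely points here.
USER_WRITABLE = re.compile(
    r"(%APPDATA%|%LOCALAPPDATA%|%TEMP%|\\AppData\\Roaming\\|\\AppData\\Local\\|\\Temp\\)",
    re.IGNORECASE)

def flag_run_key_persistence(events):
    """Return findings for Run-key values that point into user-writable directories."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = RUN_KEY.match(ev.get("TargetObject", ""))
        if not m:
            continue
        details = ev.get("Details", "")
        if not USER_WRITABLE.search(details):
            continue
        # HKLM means the writer already held admin rights; HKCU means it did not need them.
        hive = "HKLM" if m.group("hive").upper() == "HKLM" else "HKCU"
        findings.append({"hive": hive, "key": m.group("key"),
                         "value_name": m.group("name"), "target": details})
    return findings

if __name__ == "__main__":
    for f in flag_run_key_persistence(SAMPLE_EVENTS):
        print(f"[{f['hive']}\\...\\{f['key']}] {f['value_name']} -> {f['target']}")
```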
- The malware can execute commands on the compromised file system, leading to data theft.
- Botnets can use compromised systems to launch DDoS attacks on other targets.
- Malware steals user autofills, passwords, and cookies to create digital fingerprints of the victim.
- The keylogging capability lets the malware steal credit card information and other authentication data entered by the victim.
- Bots can degrade the performance of critical business services.
- Monetary loss is very likely because of downtime and other performance issues caused by the bot.
- Website account takeovers affecting players in e-commerce.
- Affects business analytics, as it is difficult to distinguish bot traffic from genuine user/client traffic, especially in web-based applications.
- Look out for MS Office documents, archive files and ISO files intended to lure victims.
- Disable macros in Office products.
- Deploy effective EDR solutions.
- Maintain security awareness and cyber hygiene.
Indicators of Compromise