The FortiGuard Labs SE team identified a new malicious spam campaign on August 21 st,which we discovered after an analysis of information initially found on VirusTotal. It targeted a large US manufacturing company utilizing the well documented infostealer LokiBot. Interestingly enough, this also has a compilation date of August 21 stwhich is the same day we discovered the malspam campaign.
The campaign consists of a spam email that had been sent to the sales email address of the recipients, possibly from a compromised trusted sender, originating from the IP address of [ SB] is not a request for quotation, and once unzipped, it is the infamous infostealer found on various underground forums, LokiBot.
Digging a little further by investigating the IP address [ During our investigation, we did not find any significant activity behind this IP address, and historical archives in VirusTotal and our data show that attacks originating from this IP address are new, seen most recently within the past two months.
This particular IP address appears to have been used twice before in malicious spam attacks that occurred several months earlier, in June, attacking a large German Bakery in a malicious spam attack trying to lure a victim into downloading an electronic invoice.From Network IOC to Malware Hunting
It can be assumed that this may be another delivery mechanism for LokiBot, as it has been documented in the past utilizing RTF distribution vectors.
But again, we are unable to draw any conclusions due to the lack of information available at the time of publication. Analyzing further insight from our own telemetry, we were able to observe a rather large spike in visits, specifically on the date of June 17, which correlates with the time stamp of this suspicious campaign, as well as telemetry from German visitors. We also observed a large spike starting on June 17 th for the German Baker attack, and again on August 21 st for the U.
Because of the low volume identified, it appears that this IP address may be under the control of one group, and possibly only being used for very targeted attacks. However, we can only assume this — time will provide a better historical snapshot of campaigns using this IP address.
Finally, one loose connection observed from this IP address through historical DNS records was that in the past the Chinese site ccltyo. The attack is pretty straightforward. The LokiBot sample [SHA c65e4fb1d19fdf1d34ad51aaeceba14adc7ba6a6aa87] has a file size of KB and was recently compiled on Aug 21, which is coincidentally the same date as when the malicious spam was sent. Of course, the file is not a game, but is the infamous LokiBot infostealer, which is one of the most popular infostealers in recent memory due to its ease of use and effectiveness.
LokiBot steals a variety of credentials — primarily FTP credentials, stored email passwords, passwords stored in the browser, as well as a whole host of other credentials. LokiBot is distributed in various forms, and has been seen in the past being distributed in zipped files along with malicious macros in Microsoft Word and Excel, or leveraging the exploit CVE Office Equation Editor via malicious RTF files, which is similar to the attack example above that targeted the German bakery however, minus the use of a known exploit.
As LokiBot is already well documented and covered in various blogs, including ones from Fortinetwe will only highlight the unique characteristics observed in this specific sample. Another interesting behavior to note is that the domain contacts Palikyu. To make matters worse, attribution is difficult because the domain and IP address are hosted using CloudFare, which anonymizes the originating IP address.With our online malware analysis tools you can research malicious files and URLs and get result with incredible speed.
TLP: green. Get the list of cyber security news like Truckstop. LokiBot is trojan-type malware designed to infiltrate systems and collect a wide range of information.
Track behavior activities in Real-time The service shows many aspects of testing, such as creation of new processes, potentially suspicious or malicious files or URLs as well as registry activity, network requests and much more in real-time, allowing to make conclusions during the task execution without having to wait for the final report. CISA also recommends organizations complete the following actions in conducting their hunt for this exploit: Quarantine or take offline potentially affected systems.
Lokibot IOCs. Known as steganography, the technique is used to hide. See the Read More link above for more details. Aspiring malware analyst. Once installed on a PC, the malicious app makes a series of unwanted changes to all browsers installed on the computer, leading to a deteriorating online surfing experience. While not exhaustive, this. Submitted files will be added to or removed from antimalware definitions based on the analysis results.
Newly Discovered Infostealer Attack Uses LokiBot
We wrote a Python script to ease the extraction of network IoCs from samples similar to the one analyzed in this blogpost. See full list on threatfabric. It is commonly pushed via malicious documents delivered via spam emails. Lokibot is an information stealing infostealer trojan targeting users worldwide. Leveraging tailored investigation-ready threat intelligence, organizations can query threats and other indicators to receive real-time conclusive IOC determination, automated severity indications, and antivirus detection ratios — with a single query.
Python 3 library useful for getting structured IOC data from mwdb configs.
Rewterz Threat Alert – LokiBot Malware – IOC’s
ThreadKit document from June example.GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together. Work fast with our official CLI. Learn more. If nothing happens, download GitHub Desktop and try again. If nothing happens, download Xcode and try again. If nothing happens, download the GitHub extension for Visual Studio and try again. The Windows binary is compiled with PyInstaller 2. Download the latest version of LOKI from the releases section.
Since version 0. When running loki. No requirements if you use the pre-compiled executables in the release section of this repo. LOKI can be packaged with a custom encrypted rule set, which is embedded in the pyinstaller package.
In order to include your own rules place them in a directory named private-signatures in the LOKI directory and execute build.
In order to successfully run the build script, you need to install PyInstaller. We use PyInstaller 2. You can verify whether the signature set is valid by calling loki-package-builder.
The IOC files for hashes and filenames are stored in the '. All '. Use the 'score' value to define the level of the message upon a signature match. You can add hash, c2 and filename IOCs by adding files to the '. The files must have the strings "hash", "filename" or "c2" in their name to get pulled during initialization.
Since version v0. Each line represents a regular expression thats gets applied to the full file path during the directory walk. This way you can exclude certain directories regardless of their drive name, file extensions in certain folders and all files and directories that belong to a product that is sensitive to antivirus scanning.
It is no problem if these indicators overlap with the ones already included. Loki uses a filename regex or hash only once. The threat intel receivers have also been moved to the signature-base sub repository with version 0.
The script is located in the ".Bot learns from the user demonstration. The more it automates, the more it learns. Subscription-based user licensing model. Create bots in minutes without coding.
LokiBots learn from user demonstration. To automate repetitive computer tasks. By enabling self-service automation. Cognitive automation platform. The bots are trained by user demonstration of repetitive computer tasks with zero coding. Self service automation. Zero code. Works out-of-the-box. Reduce dependency on IT. Built on Google Cloud. SaaS application. Highly scalable. Bi-weekly releases. Active-Directory AD. Secret manager. Traceable audit logs. Subscription pricing.
Setup in minutes. Huge cost savings. Quick Implementation. Bot store. Interactive API platform. Python enhancement.
Unlimited bots. Bot clones. Bot sharing. Conversational natural language engagement with.It steals passwords and cryptocurrency wallets, and it can also download and install new malware. The infostealer spreads through a variety of methods, including malicious email attachments, exploitation of software vulnerabilities, and trojans sneaked into pirated or free apps. Its simple interface and reliable codebase make it attractive to a wide range of crooks, including those who are new to cybercrime and have few technical skills.
Sherrod DeGrippo, senior director of threat research and detection at security firm ProofPoint, said Emotet typically dwarfs LokiBot by an order of magnitude, with volume on Monday being aboutfor the former versus 1, for the latter. More recently, there have been exceptions. The malware includes a keylogger that records passwords and other sensitive keystrokes, code that harvests passwords stored in browsers, administrative tools, and cryptocurrency wallets and can steal information from more than different applications, according to security firm Gigamon.
Researchers at Palo Alto Networks said that the LokiBot is the most popular tool used by SilverTerrier, a Nigerian crime group known for performing business-email compromises that scam high-ranking employees into wiring company funds overseas. Protecting against LokiBot involves the usual advice about being highly judicious before opening email attachments, not enabling Microsoft Office macros without ample experience and a good reason, steering clear of software that's pirated or comes from unknown sources, and remaining skeptical online.
You must login or create an account to comment. Skip to main content Enlarge. Email dan. Channel Ars Technica.Lokibot was developed in to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Lokibot, also known as Loki-bot or Loki bot, is an information stealer malware that collects data from most widely used web browsers, FTP, email clients and over a hundred software tools installed on the infected machine.
It was developed in one of the ex-USSR countries. It was discovered for the first time on May 3rd, from a sale announcement made by the creator and the malware is still active to this day.
Curiously, a researcher subsequently found out that the first version of the virus got patched by someone without accessing the source code, which gave the hacker community the ability to set a series of individual domains used to receive the retrieved data.
Even though several versions of the virus exist today, it was found that all of them are actually modifications of the original malware. Interestingly, the server to which Lokibot stealer sends data is unique for every particular malware sample.
A video displaying the simulation of the contamination process created by the ANY. RUN interactive malware hunting service provides the perfect opportunity to see how the contamination process is unfolding on an infected machine. As shown in the simulation, Lokibot needs email attachments, such as a Microsoft Office file or an archive file to be opened in order to enter an active phase. Figure 1: Process graph generated by the ANY. RUN malware hunting service.
Since Lokibot spyware requires macros to be activated to infect the system, attackers will do everything in their power to make the victim enable them.
Thus keeping macros turned off is the best bet to stay protected from the Trojan. Particularly, extra caution should be exhibited when a document downloaded from a suspicious source or an unknown email address prompts to enable macros. Another good common practice is to be extremely mindful when opening attachments or clicking links in emails from unidentified sources.
Lokibot stealer is distributed mostly via mail-spam campaigns, prompting the user to download an infected file that is attached. Particularly, the three most commonly used types of files are Microsoft Office documents configured to begin the download and installation processes of the malware, archive files that contain a Loki-Bot executable or ISO files, also containing a Loki-Bot executable.
Interactive sandbox simulation conducted on the ANY. RUN malware hunting service allows us to take a closer look at how the execution process of Lokibot unfolds in a case when a contaminated Microsoft Office file is the infection source. RUN simulation. Figure 3: A text report created by ANY. The virus generates multiple artifacts during its execution process.
Among other things you can detect either it is Lokibot in front of you or not by looking inside sending packets - there's always text "ckav. Figure 4: Lokibot network stream. Not lastly due to the fact that the first version of the malware was leaked and cloned, eventually becoming available for a significantly cheaper price than the original, Lokibot spyware became a widely spread malware that is continuing to appear in several mail-spam campaigns.
Fortunately, modern malware hunting tools like ANY. RUN provides the ability to examine the malware behavior in detail and establish solid protection against the hazard.LokiBot uses a credential- and information-stealing malware, often sent as a malicious attachment and known for being simple, yet effective, making it an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.
LokiBot—also known as Lokibot, Loki PWS, and Loki-bot—employs Trojan malware to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials.
Since LokiBot was first reported incyber actors have used it across a range of targeted applications, including the following. System Network Configuration Discovery [ T ]. Obfuscated Files or Information [ T ]. Exfiltration Over C2 Channel [ T ]. Process Injection: Process Hollowing [ T Input Capture: Keylogging [ T System Information Discovery [ T ].
User Execution: Malicious File [ T Credentials from Password Stores [ T ]. LokiBot has stolen credentials from multiple applications and data sources including Windows operating system credentials, email clients, File Transfer Protocol, and Secure File Transfer Protocol clients. LokiBot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and Chromium and Mozilla Firefox-based web browsers.
CISA and MS-ISAC recommend that federal, state, local, tribal, territorial government, private sector users, and network administrators consider applying the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.
Was this document helpful? More Alerts. Original release date: September 22, Last revised : September 23, Print Document. Like Me. The malware steals credentials through the use of a keylogger to monitor browser and desktop activity Credentials from Password Stores [ T ]. Malicious cyber actors typically use LokiBot to target Windows and Android operating systems and distribute the malware via email, malicious websites, text, and other private messages User Execution: Malicious File [ T See figure 1 for enterprise techniques used by LokiBot.
February Trend Micro identified cyber actors using LokiBot to impersonate a launcher for Fortnite—a popular video game.