LokiBot malware going for a song at $80


This popular choice among criminals for infiltrating systems with relative ease is now cheaper than ever. So says cybersecurity company Cofense, which also gave Cybernews the low-down on how the malware works.

Hackers have many tools at their disposal, yet some stand out as a go-to choice for infiltrating systems with relative ease. One of them, LokiBot, has been described in detail by cybersecurity company Cofense.

One of the most common phishing malware families, LokiBot has become popular in cybercriminal circles, partly due to its lower price but also because of its ease of use.

LokiBot is an infostealer with expanding capabilities. US cyber defense agency CISA has observed a notable increase in the malware’s uptake since July 2020 and detected its persistent malicious activity.

The agency describes it as “an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.”

LokiBot was first revealed in 2015 on underground forums by a hacker with an alias of “lokistov,” who is also known as “Carter,” Cofense researchers say. Initially advertised on underground markets in Eastern Europe, it became widespread in 2018.

“Since then, LokiBot has remained in the top five malware families delivered through phishing emails,” the report said.

Originally advertised as a “Resident Loader and Password and CryptoCoin-wallet stealer,” LokiBot was priced between $450 and $540, depending on whether the buyer wanted the stealer or the loader, as well as other add-ons such as a change in the C2 (command and control) IP address.

However, LokiBot’s price has now dropped as low as $80 on forums, as the source code was leaked in 2018.

One theory is that somebody reverse-engineered the malware code and then published the cracked version. Another theory is that the original creators got hacked themselves, and the hacker posted the stolen version. That coincided with discontinued updates.

The newer version of the infostealer includes more evasive techniques and has developed further keylogger, remote access trojan (RAT), and ransomware attributes.

According to researchers, LokiBot is capable of stealing credentials from over 100 different clients, including:

In one of the recent use cases, LokiBot impersonated launcher software for the popular video game Fortnite in 2020.

“Due to its simplistic nature and usage, low-skill threat actors can use LokiBot for a variety of malicious purposes,” the report said, adding that between 2019 and 2021 “LokiBot would often be the most common malware family.”

How LokiBot works

Delivery Mechanisms – usually, cybercrooks deliver this malware via email as a direct attachment. However, this method is accompanied by exploiting other vulnerabilities, especially CVE-2017-11882. Sometimes, malicious actors employ loaders, embedded URLs, or other delivery mechanisms.

Behavior – very straightforward and simplistic. Once LokiBot has been downloaded and run, it will infiltrate the system and start collecting sensitive information from each program it supports.

Once finished, LokiBot creates a customized HTTP packet and sends it to the C2 server with logged keystrokes.

“Some versions of LokiBot will start to maintain persistence, while others may continue to run and occasionally connect in case any new credentials are stored on the machine,” researchers described.

How to detect it

LokiBot is generally easy to spot, as it depends heavily on connecting to its C2, and most anti-virus software will catch it due to its simplicity. And there are also other ways to tell if LokiBot is already installed.

User Agent – LokiBot can be identified by a specific string found in the application and network traffic that it always uses to connect to its C2: User-Agent “Mozilla/4.08 (Charon; Inferno)”.

LokiBot

Network Traffic – LokiBot primarily only uses HTTP to communicate with its C2. The URL can be formatted in a variety of ways. Still, the file that the link is accessing is typically followed by a PHP panel, or ends with a “p=” followed by a unique set of numbers to differentiate the systems that LokiBot has infected.

Most LokiBot instances will use “fre.php” when connecting to its host, but the list is not exhaustive.

“Due to the low volume of embedded URLs delivering LokiBot, the primary way to prevent LokiBot from being installed on a system is to not allow unknown downloads from suspicious emails,” researchers added.