In Norse mythology, Loki, the god of mischief, has powerful and deceptive transformation abilities. True to its namesake, the malware LokiBot has appeared in numerous variants and payload formats since its discovery more than a decade ago. In this blog, we take a closer look at a multi-stage LokiBot sample from a recent campaign.
# Analysis Summary
# Tool/Technique: LokiBot
## Overview
LokiBot (also known as Loki PWS) is a long-standing, high-volume information stealer designed to exfiltrate sensitive data from infected Windows and Android systems. First appearing in 2015, it has gained notoriety for its affordability on underground forums and its ability to target over a hundred different software products, including web browsers, crypto wallets, and FTP clients.
## Technical Details
- **Type:** Malware Family (Infostealer / Spyware)
- **Platform:** Windows (Primary), Android
- **Capabilities:** Credential theft, keylogging, remote access, file exfiltration, and anti-analysis.
- **First Seen:** May 2015
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566.001 - Phishing: Spearphishing Attachment
- **TA0002 - Execution**
  - T1059.005 - Command and Scripting Interpreter: Visual Basic
  - T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1623 - ASLR/DEP Bypass / Process Hollowing
  - T1055 - Process Injection
- **TA0006 - Credential Access**
  - T1555 - Credentials from Password Stores
  - T1056.001 - Input Capture: Keylogging
- **TA0011 - Command and Control**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Credential Harvesting:** Specifically targets browsers, email clients (Outlook, Thunderbird), FTP clients (FileZilla), and cryptocurrency wallets.
- **Multi-Stage Loading:** Uses a complex execution chain involving JScript, PowerShell loaders, and .NET injectors to bypass security software.
- **Process Injection:** Employs techniques like Reflective DLL Injection or Process Hollowing (e.g., injecting into `aspnet_compiler.exe`) to hide within legitimate system processes.
### Advanced Features
- **Anti-Analysis/Obfuscation:** Uses tools like ConfuserEx for .NET protection and interleaved JScript obfuscation to hinder static analysis.
- **Self-Cleanup:** Features built-in subroutines to terminate its own processes and delete temporary files after successful execution to remove forensic evidence.
- **Android Support:** Later variants include capabilities to target mobile devices for SMS interception and mobile banking theft.
## Indicators of Compromise
- **File Names:** Randomly generated filenames in `C:\Temp` (often appended with datetime stamps).
- **Network Indicators (Defanged):**
  - hxxp[://]alphastand[.]trade/alien/fre[.]php
  - hxxp[://]alphastand[.]win/alien/fre[.]php
  - hxxp[://]alphastand[.]top/alien/fre[.]php
  - hxxp[://]konehuolto[.]top/alien/fre[.]php
- **Behavioral Indicators:**
  - `wscript.exe` launched to execute obfuscated JScript.
  - Unexpected PowerShell execution that calls `[System.Reflection.Assembly]::Load(...)` to load an in-memory assembly.
  - Legitimate Windows binaries (such as `aspnet_compiler.exe`) initiating unusual network connections.
## Associated Threat Actors
- Widely used by various **Cybercrime Groups** and lower-skilled threat actors due to its availability as Malware-as-a-Service (MaaS) and leaked source code.
## Detection Methods
- **Signature-based:** Traditional AV signatures for known LokiBot packers and the un-packed core payload.
- **Behavioral:** Monitoring for PowerShell scripts performing reflective loading or XOR decryption of large strings.
- **YARA Rules:** Detection of specific strings within the decrypted .NET assembly or the ConfuserEx protection layers.
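The Behavioral Indicators and Detection Methods above can be turned into a small triage pass over endpoint telemetry. The script below is an added example written for this post, not code from the report or from any vendor tool: it refangs the report's defanged C2 URLs, encodes the `wscript.exe`, reflective-load, XOR-decode and `aspnet_compiler.exe` indicators as rules, and runs them over constructed process-creation and network events. The event field names, the `-bxor` heuristic for XOR decoding, and the sample events are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Defanged C2 URLs exactly as listed in the report above.
DEFANGED_C2 = [
    "hxxp[://]alphastand[.]trade/alien/fre[.]php",
    "hxxp[://]alphastand[.]win/alien/fre[.]php",
    "hxxp[://]alphastand[.]top/alien/fre[.]php",
    "hxxp[://]konehuolto[.]top/alien/fre[.]php",
]


def refang(url: str) -> str:
    """Undo the hxxp / [://] / [.] defanging so the URL matches real log fields."""
    return url.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


# Hostnames extracted from the refanged URLs, e.g. "alphastand.trade".
C2_HOSTS = {refang(u).split("/")[2].lower() for u in DEFANGED_C2}

# Heuristics modelled on the report's behavioral and detection sections.
# Brackets are optional so both the correct PowerShell syntax and the
# shorthand "System.Reflection.Assembly::Load" are matched.
REFLECTIVE_LOAD = re.compile(r"\[?System\.Reflection\.Assembly\]?::Load", re.I)
XOR_DECODE = re.compile(r"-bxor\b", re.I)          # assumption: PowerShell XOR loop
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs)\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
HOLLOWING_TARGETS = {"aspnet_compiler.exe"}


@dataclass
class ProcEvent:
    parent: str    # parent image name (assumed field)
    image: str     # created process image name (assumed field)
    cmdline: str   # full command line (assumed field)


@dataclass
class NetEvent:
    image: str     # process that opened the connection (assumed field)
    host: str      # destination hostname (assumed field)


def score_process(ev: ProcEvent) -> list:
    """Return the indicator names a process-creation event matches."""
    hits = []
    image, parent = ev.image.lower(), ev.parent.lower()
    if image in {"wscript.exe", "cscript.exe"} and SCRIPT_EXT.search(ev.cmdline):
        hits.append("wscript_script_execution")
    if image == "powershell.exe" and REFLECTIVE_LOAD.search(ev.cmdline):
        hits.append("powershell_reflective_load")
    if image == "powershell.exe" and XOR_DECODE.search(ev.cmdline):
        hits.append("powershell_xor_decode")
    if parent in SCRIPT_HOSTS and image in HOLLOWING_TARGETS:
        hits.append("hollowing_target_spawned_by_script_host")
    return hits


def score_network(ev: NetEvent) -> list:
    """Return the indicator names a network-connection event matches."""
    hits = []
    if ev.host.lower() in C2_HOSTS:
        hits.append("known_lokibot_c2")
    if ev.image.lower() in HOLLOWING_TARGETS:
        hits.append("hollowing_target_network_activity")
    return hits


def triage(proc_events, net_events) -> dict:
    """Map each indicator name to the number of events that triggered it."""
    counts = {}
    for ev in proc_events:
        for h in score_process(ev):
            counts[h] = counts.get(h, 0) + 1
    for ev in net_events:
        for h in score_network(ev):
            counts[h] = counts.get(h, 0) + 1
    return counts


# Constructed sample events (not real telemetry) mirroring the described chain:
# JScript via wscript.exe -> PowerShell XOR decode + reflective load -> aspnet_compiler.exe -> C2.
SAMPLE_PROCS = [
    ProcEvent("explorer.exe", "wscript.exe", r'wscript.exe "C:\Temp\invoice_20240101.js"'),
    ProcEvent("wscript.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -c \"$b=[Convert]::FromBase64String($s);"
              "for($i=0;$i -lt $b.Length;$i++){$b[$i]=$b[$i] -bxor 0x2A};"
              "[System.Reflection.Assembly]::Load($b)\""),
    ProcEvent("powershell.exe", "aspnet_compiler.exe", "aspnet_compiler.exe"),
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),   # benign noise
]
SAMPLE_NET = [
    NetEvent("aspnet_compiler.exe", "alphastand.trade"),
    NetEvent("chrome.exe", "example.com"),                                # benign noise
]

if __name__ == "__main__":
    for name, n in sorted(triage(SAMPLE_PROCS, SAMPLE_NET).items()):
        print(f"{name}: {n}")
```

Each rule on its own is noisy (developers run `wscript.exe`, admins use reflective loads), so the value is in correlation: a single host producing the script-host spawn, the reflective-load command line, and a known C2 host within a short window is a far stronger signal than any one hit, and the `triage` counts are the input to that correlation rather than an alert by themselves.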
## Mitigation Strategies
- **Email Security:** Implement strict filtering for script-based attachments (.js, .jse, .vbs) and block macro-enabled documents from untrusted sources.
- **Scripting Restrictions:** Disable Windows Script Host (WSH) if not required for business operations and enforce PowerShell Constrained Language Mode.
- **Endpoint Protection:** Utilize EDR solutions to monitor for process injection attempts and suspicious child process spawning from `wscript.exe` or `powershell.exe`.
## Related Tools/Techniques
- **Formbook / XLoader:** Similar information stealers often distributed via malspam.
- **ConfuserEx:** An open-source protector used by the .NET injector stage.
- **Process Hollowing:** The primary technique used for the final payload execution.