What Is LokiBot?
First reported in 2015, LokiBot is classified as a credential harvester, infostealer, and remote access trojan (RAT). LokiBot is a popular infostealer due to its ease of use and effectiveness at gaining initial access to target systems. LokiBot is also sold as Malware-as-a-Service (MaaS) in two distinct versions: authentic versions are sold in underground markets starting at $300, while cracked versions sell for about $80. A surge in activity in 2020 saw LokiBot controlling the largest global botnet, and it was subsequently included in CISA’s 2021 list of the top 11 malware strains.
While LokiBot has a relatively short list of endgame capabilities focused on information stealing and credential harvesting, it does offer remote code execution (RCE), allowing an attacker to easily import additional tooling, including ransomware. This RCE capability alone makes LokiBot a high-risk strain of malware. But LokiBot’s biggest strength is its highly versatile and sophisticated first-stage delivery and unpacking methods, which contribute to its frequent use as a stager for malware that excels in second-stage tactics—namely deeper network penetration and lateral movement. Another weapon in LokiBot’s arsenal is its ability to compromise both Android devices and Windows-based systems.
LokiBot’s activity has waxed and waned, with sharp spikes in use followed by phases of dormant downtime—leading some to conclude that careful consideration goes into the timing of large-scale LokiBot campaigns.
Latest LokiBot News
- Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware (The Hacker News)
- Lokibot, AgentTesla Grow in January 2023's Most Wanted Malware List (Infosecurity)
- Top 11 Malware Strains of 2021—and How to Stop Them (BlackBerry Blog)
How LokiBot Works
LokiBot’s First-Stage Techniques
- Exploiting new and long-standing but unpatched vulnerabilities in public-facing services and local applications
- Phishing campaigns that contain malicious Microsoft Office file attachments (.docx and .xlsx) that rely on user interaction to enable VBA macros that infect the target system
- Phishing campaigns that contain malicious Microsoft Office file attachments (.docx and .xlsx) that can leverage several zero-click vulnerabilities—such as a malicious HTA execution and memory corruption vulnerabilities—to gain initial access
- Spam email containing malicious Rich Text Format (.rtf) file attachments
- Phishing campaigns that include .iso image files that are automatically mounted on clicking and contain malicious executables or documents
- Phishing campaigns that include .pdf file attachments that exploit known Adobe vulnerabilities
- Using steganography to hide malicious payloads in image files that are later extracted, decoded, and executed
- Enticing victims with trojanized versions of pirated video games or other software
- Abusing the Windows Installer to install itself
- Using process hollowing to hijack legitimate Windows processes and evade detection by security products
- Using heavily obfuscated payloads embedded in Windows Script Files (WSF), VBScript (VBS), and PowerShell scripts to remain undetected
- Using precompiled binaries with heavily obfuscated strings
However, after gaining initial access, LokiBot’s range of second-stage capabilities is somewhat limited compared to other top malware strains. LokiBot can steal system and website credentials, cryptocurrency wallets, and personally identifiable information (PII) from more than 100 popular software applications on Windows and Android devices and can log and exfiltrate keystrokes. Critically, LokiBot provides remote code execution (RCE) to an attacker, allowing the deployment of more advanced second-stage malware—most often ransomware.
Signs of a LokiBot Attack
How to Prevent a LokiBot Attack
Although LokiBot was initially developed to exploit Windows-based systems, it has since been ported to attack Android OS and has been distributed as a pre-installed infection on resold Android devices—something to keep in mind when purchasing a previously owned Android device. Also, because LokiBot invests heavily in novel, hard-to-detect delivery and unpacking techniques, the best defense against LokiBot is caution before opening documents or installing software.
- Enforce multi-factor authentication (MFA) and a strong password policy for all critical services, especially those for online banking and cryptocurrency accounts
- Consider user awareness training to educate personnel about phishing techniques; develop standard operating procedures (SOP) for handling suspicious emails and documents; configure email clients to notify users when emails originate from outside the organization
- Recognize the increased risk that encrypted files present and verify the context of such documents thoroughly before opening them
- Ensure that only authorized, digitally signed software is installed on all endpoints; regularly scan for and block any unauthorized software from executing
- Install and configure endpoint security products that scan encrypted documents immediately after they are unencrypted, detect indicators of compromise (IOCs), and take defensive action to block malicious files from executing
- Implement Zero Trust solutions wherever possible, giving priority to critical systems
- Ensure Office applications are configured with the “Disable all macros without notification” or “Disable all except digitally signed macros” setting
- Ensure that updates and security patches are applied across the entire IT environment, including security products, operating systems, and applications
- Use the principle of least privilege when architecting networks to avoid adding users to the local administrator group unless required
- Use a content proxy to monitor internet usage and restrict user access to suspicious or risky sites
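The macro-settings recommendation above maps to the Office Trust Center VBAWarnings registry value. The following is an added audit script, not from the original page or from BlackBerry, that reports whether Word, Excel and PowerPoint are set to one of the two recommended postures; it assumes an Office 2016-or-later hive (“16.0”) and checks only the current user’s hive.

```powershell
# Added example: audit per-user Office macro settings against the two postures
# recommended in the list above. Assumes Office 2016+ (registry hive "16.0");
# set $OfficeVersion to another release's hive version if needed.
$OfficeVersion = "16.0"
$Apps = @("Word", "Excel", "PowerPoint")

# VBAWarnings values written by the Trust Center "Macro Settings" dialog:
#   1 = Enable all macros
#   2 = Disable all macros with notification (Office default when unset)
#   3 = Disable all except digitally signed macros
#   4 = Disable all macros without notification
$Accepted = @(3, 4)

function Get-MacroPosture {
    foreach ($App in $Apps) {
        # A Group Policy value takes precedence over the user's own setting.
        $PolicyPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
        $UserPath   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"

        $Value  = $null
        $Source = "not set (Office default = 2)"
        foreach ($Path in @($PolicyPath, $UserPath)) {
            $Item = Get-ItemProperty -Path $Path -Name VBAWarnings -ErrorAction SilentlyContinue
            if ($null -ne $Item) {
                $Value  = [int]$Item.VBAWarnings
                $Source = $Path
                break
            }
        }
        if ($null -eq $Value) { $Value = 2 }

        $Status = if ($Accepted -contains $Value) { "OK" } else { "NON-COMPLIANT" }
        [PSCustomObject]@{
            App         = $App
            VBAWarnings = $Value
            Status      = $Status
            Source      = $Source
        }
    }
}

Get-MacroPosture | Format-Table -AutoSize
```

Because the values live under HKCU, run the audit in each user’s session (or enumerate HKU) for a fleet-wide view; a Group Policy setting is the reliable way to enforce value 3 or 4 across all endpoints.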