What Is LokiBot?

First reported in 2015, LokiBot is classified as a credential harvester, infostealer, and remote access trojan (RAT). LokiBot is a popular infostealer due to its ease of use and effectiveness at gaining initial access to target systems. LokiBot is also a Malware-as-a-Service (MaaS) with two distinct versions. Authentic versions are sold in underground markets starting at $300; cracked versions sell for about $80. In 2020 LokiBot’s boost in activity saw it controlling the largest global botnet, and it was subsequently listed on CISA’s 2021 list of top 11 malware strains.

While LokiBot has a relatively short list of endgame capabilities focusing on information stealing and credential harvesting, it does offer remote code execution (RCE) capabilities allowing an attacker to import additional tooling, including ransomware, easily. This RCE capability alone makes LokiBot a high-risk strain of malware. But LokiBot’s biggest strength is its highly versatile and sophisticated first-stage delivery and unpacking methods, contributing to its frequent use as a stager to import malware that excels in second-stage tactics—namely deeper network penetration and lateral movement. Another weapon in LokiBot’s arsenal is its ability to compromise Android devices and Windows-based systems.

LokiBot’s activity has waxed and waned, with sharp spikes in use followed by phases of dormant downtime—leading some to conclude that careful consideration goes into the timing of large-scale LokiBot campaigns. 

How LokiBot Works

LokiBot’s strengths are its versatile and sophisticated delivery and unpacking methods. During its lifespan, LokiBot has employed various sophisticated multi-stage techniques capable of evading advanced security products to gain initial access and deliver its primary payload.

LokiBot’s First-Stage Techniques

  • Exploiting new and long-standing but unpatched vulnerabilities in public-facing services and local applications
  • Phishing campaigns that contain malicious Microsoft Office file attachments (.docx and .xlsx) that rely on user interaction to enable VBA macros that infect the target system
  • Phishing campaigns that contain malicious Microsoft Office file attachments (.docx and .xlsx) that can leverage several zero-click vulnerabilities—such as a malicious HTA execution and memory corruption vulnerabilities—to gain initial access
  • Spam email containing malicious Rich Text Format (.rtf) file attachments
  • Phishing campaigns that include .iso image files that are automatically mounted on clicking and contain malicious executables or documents
  • Phishing campaigns that include .pdf file attachments that exploit known Adobe vulnerabilities 
  • Using steganography to hide malicious payloads in image files that are later extracted, decoded, and executed
  • Enticing victims with trojanized versions of pirated video games or other software
  • Abusing the Windows Installer for its installation
  • Using a technique known as process hollowing, hijacking known Windows processes to avoid detection by security products
  • Using heavily obfuscated payloads embedded in Windows Script Files (WSF), Visual Basic Script (VBS), and PowerShell scripts to remain undetected
  • Using precompiled binaries with heavily obfuscated strings

However, after gaining initial access, LokiBot’s range of second-stage capabilities is somewhat limited compared to other top malware strains. LokiBot can steal system and website credentials, cryptocurrency wallets, and personally identifiable information (PII) from more than 100 popular software applications on Windows and Android devices and can log and exfiltrate keystrokes. Critically, LokiBot provides remote code execution (RCE) to an attacker, allowing the deployment of more advanced second-stage malware—most often ransomware. 

Signs of a LokiBot Attack

Because LokiBot uses a diverse and advanced set of initial access techniques, it is difficult to pinpoint a particular group of indicators that can reliably identify a LokiBot attack. Typical indicators of a phishing attack certainly apply, e.g., emails with a suspicious subject line like “Urgent request to verify INVOICE #…” or “Need your help quickly!”—even if the email appears to be coming from a trusted sender.

How to Prevent a LokiBot Attack

Although LokiBot was initially developed to exploit Windows-based systems, it has since been ported to attack Android OS, distributed as a pre-installed infection on resold Android devices—something to keep in mind when purchasing a previously owned Android device. Also, because LokiBot goes the extra mile when using novel and undetectable delivery and unpacking techniques, the best defense against LokiBot is to be cautious before opening documents or installing software.

  • Enforce multi-factor authentication (MFA) and a strong password policy for all critical services, especially those for online banking and cryptocurrency accounts
  • Consider user awareness training to educate personnel about phishing techniques; develop standard operating procedures (SOP) for handling suspicious emails and documents; configure email clients to notify users when emails originate from outside the organization
  • Recognize the increased risk that encrypted files present and verify the context of such documents thoroughly before opening them
  • Ensure that only authorized, digitally signed software is installed on all endpoints; regularly scan for and block any unauthorized software from executing
  • Install and configure endpoint security products that scan encrypted documents immediately after they are unencrypted, detect indicators of compromise (IOCs), and take defensive action to block malicious files from executing
  • Implement Zero Trust solutions wherever possible, giving priority to critical systems 
  • Ensure Office applications are configured with Disable all macros without notification or Disable all except digitally signed macros settings
  • Ensure that updates and security patches are applied across the entire IT environment, including security products, operating systems, and applications
  • Use the principle of least privilege when architecting networks to avoid adding users to the local administrator group unless required
  • Use a content proxy to monitor internet usage and restrict user access to suspicious or risky sites
As a human-centric subscription-based 24x7x365 Managed XDR service, CylanceGUARD® provides the expertise and support businesses need to prevent and protect against ransomware attacks. CylanceGUARD combines the comprehensive expertise embodied by BlackBerry Cybersecurity Services with AI-based Endpoint Protection (EPP) through CylancePROTECT®, continuous authentication and analytics through CylancePERSONA, and on-device threat detection and remediation through CylanceOPTICS®. In short, CylanceGUARD provides business with the people and technology needed to protect the enterprise from the modern threat landscape.