Lokibot

Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. Lokibot can also create a backdoor into infected systems to allow an attacker to install additional payloads.[1][2][3]

ID: S0447
Type: MALWARE
Platforms: Windows
Contributors: Daniyal Naeem, BT Security
Version: 2.0
Created: 14 May 2020
Last Modified: 11 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1555 Credentials from Password Stores

Lokibot has stolen credentials from multiple applications and data sources including Windows OS credentials, email clients, FTP, and SFTP clients.[1]

.003 Credentials from Web Browsers

Lokibot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers.[1]

Enterprise T1112 Modify Registry

Lokibot has modified the Registry as part of its UAC bypass process.[4]

Enterprise T1620 Reflective Code Loading

Lokibot has reflectively loaded the decoded DLL into memory.[4]

Enterprise T1140 Deobfuscate/Decode Files or Information

Lokibot has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR.[4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Lokibot has used PowerShell commands embedded inside batch scripts.[4]

.003 Command and Scripting Interpreter: Windows Command Shell

Lokibot has used cmd /c commands embedded within batch scripts.[4]

.005 Command and Scripting Interpreter: Visual Basic

Lokibot has used VBS scripts and XLS macros for execution.[4]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Lokibot has used HTTP for C2 communications.[1][4]

Enterprise T1083 File and Directory Discovery

Lokibot can search for specific files on an infected host.[4]

Enterprise T1106 Native API

Lokibot has used LoadLibrary(), GetProcAddress() and CreateRemoteThread() API functions to execute its shellcode.[4]

Enterprise T1027 Obfuscated Files or Information

Lokibot has obfuscated strings with base64 encoding.[1]

.002 Software Packing

Lokibot has used several packing methods for obfuscation.[1]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Lokibot has utilized multiple techniques to bypass UAC.[4]

Enterprise T1204 .002 User Execution: Malicious File

Lokibot has tricked recipients into enabling malicious macros by getting victims to click "enable content" in email attachments.[5][4]

Enterprise T1070 .004 Indicator Removal: File Deletion

Lokibot will delete its dropped files after bypassing UAC.[4]

Enterprise T1082 System Information Discovery

Lokibot has the ability to discover the computer name and Windows product name/version.[6]

Enterprise T1033 System Owner/User Discovery

Lokibot has the ability to discover the username on the infected host.[6]

Enterprise T1016 System Network Configuration Discovery

Lokibot has the ability to discover the domain name of the infected host.[6]

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Lokibot has performed a time-based anti-debug check before downloading its third stage.[4]

Enterprise T1105 Ingress Tool Transfer

Lokibot downloaded several staged items onto the victim's machine.[4]

Enterprise T1056 .001 Input Capture: Keylogging

Lokibot has the ability to capture input on the compromised host via keylogging.[6]

Enterprise T1055 .012 Process Injection: Process Hollowing

Lokibot has used process hollowing to inject itself into a legitimate Windows process.[1][4]

Enterprise T1041 Exfiltration Over C2 Channel

Lokibot has the ability to initiate contact with command and control (C2) to exfiltrate stolen data.[6]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Lokibot is delivered via a malicious XLS attachment contained within a spearphishing email.[4]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Lokibot has the ability to copy itself to a hidden file and directory.[1]

Enterprise T1053 Scheduled Task/Job

Lokibot's second stage DLL has set a timer using "timeSetEvent" to schedule its next execution.[4]

.005 Scheduled Task

Lokibot embedded the commands schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I inside a batch script.[4]
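The schtasks /Run of the SilentCleanup task quoted above is a concrete, loggable indicator of the UAC-bypass chain this page describes (batch script, cmd /c, schtasks). The following detection helper is an added example, not code from MITRE ATT&CK or from Lokibot analysis; it runs over constructed process-creation events (field names and values are assumptions) and flags a schtasks invocation that manually runs that exact task, which legitimate maintenance does not do from a user's cmd.exe chain.

```python
import re

# Constructed sample process-creation events (Sysmon Event 1 / 4688 style); not from any real capture.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\alice\AppData\Local\Temp\run.bat"'},
    {"pid": 4122, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I"},
    {"pid": 4130, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'SCHTASKS /Create /TN "Backup" /TR backup.exe /SC DAILY'},
    {"pid": 4140, "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"svchost.exe -k netsvcs -p -s Schedule"},
]

# Task name from the page; compared case-insensitively after quote stripping.
SILENTCLEANUP_TASK = r"\Microsoft\Windows\DiskCleanup\SilentCleanup".lower()


def normalize(cmdline: str) -> str:
    """Lower-case, strip quotes and collapse whitespace so /TN "\\x" and /TN \\x compare equal."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def is_silentcleanup_run(cmdline: str) -> bool:
    """True when schtasks is told to /Run the SilentCleanup task (the indicator cited on the page)."""
    c = normalize(cmdline)
    if not re.search(r"(^|\\|\s)schtasks(\.exe)?\s", c):
        return False          # not a schtasks invocation at all
    if not re.search(r"\s/run\b", c):
        return False          # /Create, /Query, /Delete etc. are not this indicator
    m = re.search(r"/tn\s+(\S+)", c)
    return bool(m) and m.group(1) == SILENTCLEANUP_TASK


def scan(events):
    """Return (pid, severity) for each matching event; cmd.exe parent mirrors the batch-script chain."""
    hits = []
    for ev in events:
        if is_silentcleanup_run(ev["cmdline"]):
            spawned_by_cmd = ev["parent"].lower().endswith(r"\cmd.exe")
            hits.append((ev["pid"], "high" if spawned_by_cmd else "medium"))
    return hits


if __name__ == "__main__":
    for pid, sev in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: SilentCleanup manual run, severity {sev}")
```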

Groups That Use This Software

ID Name References
G0083 SilverTerrier [7]

References