LokiBot 2025: New Tactics and Technical Insights into Its Evolving Malware

Discover the evolving tactics of LokiBot malware in 2025. Get technical insights & stay ahead of cybersecurity threats.

Wednesday 29 January, 2025

LokiBot - Cyberware Hub

In the rapidly evolving world of cybersecurity threats, LokiBot has become a significant menace. This Trojan malware is infamous for its capability to steal sensitive information, causing extensive damage to both individuals and organizations. In this blog, we will explore the intricacies of LokiBot, its methods of operation, and how you can safeguard yourself against this malicious threat.

What is LokiBot?

LokiBot is a type of Trojan malware that targets Windows systems and is designed to steal sensitive information such as usernames, passwords, and cryptocurrency wallets. It spreads through malicious email attachments, infected websites, and other vectors. Once installed, LokiBot can log keystrokes, capture screenshots, and create a backdoor for attackers to gain further access to the compromised system.

How Does LokiBot Spread?

LokiBot uses various methods to spread and infect systems, including:

  • Malicious Email Attachments: LokiBot is often distributed through phishing emails with malicious attachments. Once the attachment is opened, the malware is executed, compromising the system.

  • Infected Websites: Users can unintentionally download LokiBot by visiting compromised websites or clicking on malicious links.

  • Software Vulnerabilities: LokiBot also exploits unpatched software vulnerabilities to gain access to systems.

Infection Chain:

LokiBot is a sophisticated malware that employs a multi-stage infection process to compromise systems and steal sensitive information. Here's an in-depth look at each step of the LokiBot infection chain:

  1. Initial Vector: The infection typically begins with a phishing email. These emails often contain a malicious attachment, such as a Microsoft Word document or an Excel file, designed to lure the recipient into opening it. In this scenario, it's an XLS spreadsheet.

  2. Macro Execution: When the user opens the attachment, it prompts them to enable macros. Once enabled, the macro (often obfuscated to avoid detection) executes and downloads a second-stage payload. This stage is crucial as it leverages social engineering to convince the user to lower their defenses.

  3. Second-Stage Payload: The second-stage payload acts as a dropper or a downloader, fetching an encrypted third-stage payload from a remote server. This stage typically uses an ordinary web request to retrieve the malicious code, which makes it harder to spot with traditional security controls.

VirtualAllocEx is a Windows API function that allows one process to allocate memory within the address space of another process. This is useful for tasks like code injection or creating shared memory. It requires a handle to the target process opened with the PROCESS_VM_OPERATION access right.

Malicious actors often use this function to allocate memory within the address space of a target process. This is a key step in techniques like process injection, where malware injects malicious code into a running process to hide its behavior and bypass security mechanisms.

  4. Third-Stage Payload: Upon downloading, the third-stage payload decrypts and executes the final LokiBot malware. This stage may involve privilege escalation techniques to gain higher access rights on the infected system, allowing the malware to perform its malicious activities more effectively.

Embedded Suspicious URL:

  5. Execution: Once LokiBot is fully deployed, it begins its nefarious activities, which include:

  • Logging Keystrokes: Capturing everything the user types, including login credentials and personal information.

  • Capturing Screenshots: Taking screenshots of the user's activities to gather more data.

  • Stealing Credentials: Extracting sensitive information from browsers, email clients, and other applications.
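The VirtualAllocEx note above gives defenders a concrete hook: a spreadsheet application has no business opening another process with the rights an allocate-write-execute injection needs. The following is an added example, not code from the post or from any LokiBot sample, that flags such cross-process access. It parses constructed, simplified Sysmon Event ID 10 (ProcessAccess) records; the field names SourceImage, TargetImage and GrantedAccess mirror Sysmon's, but the key="value" line layout, the sample paths and the helper names are assumptions made here.

```python
"""Flag cross-process access matching the injection primitive described above.

Added example (not from the post). Records are constructed, simplified Sysmon
Event ID 10 (ProcessAccess) events in a key="value" layout, not Sysmon's XML.
"""
import re

# Windows process access rights (winnt.h). PROCESS_VM_OPERATION is the right
# VirtualAllocEx needs; the other two are needed to write and run the payload.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Office applications that should never need to write into another process.
OFFICE_IMAGES = ("excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe")

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_record(line):
    """Turn one constructed key="value" record into a dict."""
    return dict(FIELD_RE.findall(line))


def is_injection_candidate(rec):
    """True when an Office process opened another process with all three
    rights an allocate-write-execute injection requires."""
    if rec.get("EventID") != "10":
        return False
    source = rec.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
    if source not in OFFICE_IMAGES:
        return False
    # GrantedAccess is logged as a hex string such as 0x1FFFFF (PROCESS_ALL_ACCESS).
    granted = int(rec.get("GrantedAccess") or "0", 16)
    return granted & INJECTION_MASK == INJECTION_MASK


def find_injection_candidates(lines):
    """Return (SourceImage, TargetImage, GrantedAccess) for every suspicious record."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if is_injection_candidate(rec):
            hits.append((rec["SourceImage"], rec["TargetImage"], rec["GrantedAccess"]))
    return hits


# Constructed sample records: one Excel-to-process full-access open (suspicious),
# one service querying lsass with a read-only mask, one Excel open of conhost
# with PROCESS_QUERY_LIMITED_INFORMATION only, and one non-ProcessAccess event.
SAMPLE_LOG = [
    'EventID="10" SourceImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'TargetImage="C:\\Windows\\System32\\notepad.exe" GrantedAccess="0x1FFFFF"',
    'EventID="10" SourceImage="C:\\Windows\\System32\\svchost.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess="0x1000"',
    'EventID="10" SourceImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'TargetImage="C:\\Windows\\System32\\conhost.exe" GrantedAccess="0x1000"',
    'EventID="1" SourceImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'TargetImage="" GrantedAccess=""',
]

if __name__ == "__main__":
    for src, dst, access in find_injection_candidates(SAMPLE_LOG):
        print(f"possible injection: {src} -> {dst} (GrantedAccess={access})")
```

Requiring all three rights rather than PROCESS_VM_OPERATION alone keeps the rule quiet: plenty of legitimate software opens processes with a single query or read right, while the full trio is the signature of a write-then-execute into a foreign process.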

Indicators of Compromise (IOCs):

.XLS:
f1f5ca357c3c67ee391971f3dee3136ca140f5d0e905237837427d4bd287e797
644c4d8e1df0f7ae73497d7d5f94ce806e54b611b2ca60cf28ea0a695b28f2d3
685a8fcb7894acbd04b96b69651870187dd9539a959a5b363522ce74b9ff741e

.MSIL:
82dc89757479317dcf084448dd8411b1503442fbcb30589d0f3dbd97d5762c59
a5b4e1ca469fbdbbb9ce84ad653dcb94b5c0d6069bdc90a42053d454cfc671c7
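To put the hashes above to work, a quick sweep of a mail attachment store or a download folder is usually the first step. The following is an added example, not code from the post: it streams each file through SHA-256 and reports any file whose digest appears in the list. The five digests are the ones listed above; the stage labels, the function names and the directory-walk layout are assumptions made here.

```python
"""Hash files and match them against the SHA-256 indicators listed above.

Added example (not from the post). The digests come from the IOC list; the
stage labels and helper names are assumptions.
"""
import hashlib
from pathlib import Path

# SHA-256 indicators from the post, keyed to the stage they belong to.
LOKIBOT_SHA256 = {
    "f1f5ca357c3c67ee391971f3dee3136ca140f5d0e905237837427d4bd287e797": "XLS lure",
    "644c4d8e1df0f7ae73497d7d5f94ce806e54b611b2ca60cf28ea0a695b28f2d3": "XLS lure",
    "685a8fcb7894acbd04b96b69651870187dd9539a959a5b363522ce74b9ff741e": "XLS lure",
    "82dc89757479317dcf084448dd8411b1503442fbcb30589d0f3dbd97d5762c59": "MSIL payload",
    "a5b4e1ca469fbdbbb9ce84ad653dcb94b5c0d6069bdc90a42053d454cfc671c7": "MSIL payload",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large spools never load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_digest(digest, iocs=LOKIBOT_SHA256):
    """Return the IOC label for a digest, or None.

    Case-insensitive on purpose: feeds publish the same hash in mixed case."""
    return iocs.get(digest.lower())


def scan_tree(root, iocs=LOKIBOT_SHA256):
    """Walk a directory and return [(path, label)] for every listed file."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            label = classify_digest(sha256_file(path), iocs)
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        if label:
            hits.append((str(path), label))
    return hits


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, label in scan_tree(target):
        print(f"{label}: {path}")
```

Hash matching only catches the exact samples listed; a recompiled lure or payload gets a fresh digest, so treat a sweep like this as confirmation of known samples, not as proof that a host is clean.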

MITRE ATT&CK MATRIX:

  Tactic                 Techniques
  ---------------------  --------------------------------------------
  Initial Access         Phishing Attachment (.XLS)
  Execution              Native API
                         Command and Scripting Interpreter
                         Exploitation for Client Execution
  Persistence            Scripting (.VBA)
                         Windows Service
                         Browser Extensions
  Privilege Escalation   Process Injection
                         DLL Side-Loading
                         Bypass User Account Control
                         Access Token Manipulation
  Defense Evasion        Obfuscated Files or Information
                         Disable or Modify Tools
                         Masquerading
                         Virtualization/Sandbox Evasion
  Discovery              Virtualization and Sandbox Evasion Technique
                         Security Software Discovery
                         Application Window Discovery
                         File and Directory Discovery
  Credential Access      OS Credential Dumping
                         Credentials in Registry
  Collection             Archive Data Collection
                         Email Collection
                         Clipboard Data
  Command & Control      Non-Application Layer Protocol
                         Application Layer Protocol
                         Ingress Tool Transfer

Happy Hunting!!