LokiBot Information Stealer Packs Fresh Infection Strategies
Info Stealer Continues to Succeed via Phishing, Exploiting Ancient Flaw in Office
In Norse mythology, Loki is a cowardly trickster god who can change age, shape and sex. The malware incarnation is more prosaic, tending to focus on stealing Microsoft users' data.
LokiBot is one of a number of different types of so-called information-stealing malware, designed to steal everything from email credentials, payment card data and cryptocurrency wallet passwords to the cookies and system data needed to bypass multifactor authentication.
Researchers say LokiBot especially appeals to a less technically skilled clientele, owing to its ease of use, which helps explain why it has been unusually persistent - remaining among the five most-seen strains of malware - since 2018.
In two-thirds of attack attempts, the LokiBot malware arrives in the form of an email attachment, according to a new report authored by Madalynn Carr, a threat analyst at Cofense. Of the remaining attack attempts, 82% rely on a delivery mechanism that exploits a 23-year-old memory corruption flaw in Microsoft Office that first came to light six years ago.
Designated CVE-2017-11882, the flaw exists in Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1 and Microsoft Office 2016. Owing to continued use of these products, rather than still-supported and patched versions, many attempts to exploit this vulnerability remain successful.
The U.S. Cybersecurity and Infrastructure Security Agency has continued to feature this flaw on its list of the most "routinely exploited vulnerabilities," owing to its continued exploitation by nation-state hacking teams as well as criminals.
LokiBot-wielding attackers continue to test fresh strategies for infecting targets. In 2020, CISA warned that the operators behind the malware had been using malicious websites to hide the malware from victims and to send phishing links through SMS and other private messages that contain LokiBot.
This summer, researchers warned they had been seeing an increase in attacks that used malicious Microsoft Office documents to drop LokiBot. Each of the attacks tended to target one of these two flaws:
- CVE-2021-40444 - a Microsoft Office MSHTML remote code execution vulnerability
- CVE-2022-30190 - A Microsoft Windows Support Diagnostic Tool, or MSDT, remote code execution vulnerability
8 Years of LokiBot
LokiBot debuted in 2015, offered for sale on cybercrime forums by "lokistov" at a price of $540 for both a stealer and a loader, the researchers said.
"LokiBot became a popular malware choice for threat actors due to the low price and ease of use," says the Cofense report. Since 2018, "LokiBot has remained in the top five malware families delivered through phishing emails."
That's despite the source code for version 1 of the malware getting leaked in 2018 and sold for as little as $80. Carr said there are two theories as to how the code leaked. "One is that somebody reversed the original LokiBot and gathered the source code, then published the cracked version of the malware," she said. "The other theory is that lokistov got hacked themselves, and the hacker published the stolen version."
Subsequently, she said, lokistov developed version 2 of the malware, which has better evasion capabilities as well as expanded keylogger and remote access Trojan functionality.
The malware today includes the ability to steal credentials from more than 100 different clients on a PC, ranging from email, FTP and VNC (the cross-platform screen-sharing system) clients to password managers - including 1Password and KeePass - and instant messaging clients, the report says.
Defending Against LokiBot
LokiBot's relative simplicity makes it easy to spot, provided defenders are watching for it, since almost everything it does will involve command-and-control communications, the researchers said.
"The primary way to prevent LokiBot from being installed on a system is to not allow unknown downloads from suspicious emails," Cofense said, adding that most antivirus software should detect and block the malware or find it if set to regularly scan systems.
Cofense said LokiBot primarily communicates with a command-and-control server via HTTP and typically uses the same User-Agent request header string to identify itself: "Mozilla/4.08 (Charon; Inferno)." To spot likely LokiBot infections, it recommends organizations set alerts for that User-Agent string.
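To turn that recommendation into a concrete check, here is an added example (not Cofense's code, and not from the report) that scans web-proxy or web-server access logs in the Apache/Nginx "combined" format for the LokiBot User-Agent string; the log lines, client addresses and hostnames are constructed for the example.

```python
import re

# Exact User-Agent string the Cofense report says LokiBot uses for its C2 traffic.
LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"

# Apache/Nginx "combined" access-log format: the last two quoted fields are
# Referer and User-Agent. The group names are this example's own choice.
COMBINED_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

def parse_combined(line):
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = COMBINED_LOG.match(line.strip())
    return m.groupdict() if m else None

def find_lokibot_beacons(lines):
    """Flag every request whose User-Agent equals the LokiBot marker.

    The comparison trims surrounding whitespace and ignores case, so a proxy
    that normalises the header does not hide a hit; anything else in the
    header (extra tokens, a different version) is deliberately not matched.
    """
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the sweep
        if rec["user_agent"].strip().lower() == LOKIBOT_USER_AGENT.lower():
            hits.append({"client": rec["client"], "time": rec["time"],
                         "request": rec["request"]})
    return hits

# Constructed sample log lines (not real traffic); private 10.0.0.0/8 addresses
# and RFC 2606 example domains are used on purpose. The third line has a
# trailing space inside the User-Agent quotes to exercise the trimming.
SAMPLE_LOG = """\
10.0.3.17 - - [14/Aug/2023:09:12:01 +0000] "GET http://www.example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
10.0.3.42 - - [14/Aug/2023:09:12:07 +0000] "POST http://c2-placeholder.example.net/gate HTTP/1.0" 404 118 "-" "Mozilla/4.08 (Charon; Inferno)"
10.0.3.17 - - [14/Aug/2023:09:12:09 +0000] "GET http://update.example.org/ HTTP/1.1" 304 0 "-" "Mozilla/4.08 (Charon; Inferno) "
this line is not a log record
""".splitlines()

if __name__ == "__main__":
    for hit in find_lokibot_beacons(SAMPLE_LOG):
        print(f"ALERT LokiBot User-Agent from {hit['client']} at {hit['time']}: {hit['request']}")
```

Because the match is on the full header value, a single hit is enough to justify isolating the client and pulling its full proxy history rather than waiting for repeated beacons.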
Feeding Log Markets
Info stealers such as LokiBot don't work in a vacuum. The information this type of malware steals from a system is known as a "bot," and bots get packaged up into "logs" that get sold on dedicated cybercrime markets such as Genesis, RussianMarket and TwoEasy or via forums such as BHF and Dark2Web and Telegram messaging app channels.
Instead of buying logs a la carte, customers can subscribe to "clouds of logs" that are frequently updated (see: Info-Stealing Malware Populates 'Cloud of Logs' Offerings).
Other popular information stealers populating log markets include Raccoon, RedLine, Vidar, Taurus and AZORult, researchers have reported. New players constantly debut, and this year they have included Acrid Rain and Typhon Stealer.