Type
Advisory
Category
Malware
Target Platform
Windows
LokiBot, also known as Loki, is an information-stealing malware strain with keylogging capability. It steals passwords, credentials and other data from web browsers, applications, and FTP and email clients. Several Loki variants are traded on dark web marketplaces and underground forums. The payload is typically delivered as a malicious Microsoft Office attachment and runs when the victim is tricked into opening the file. The sample arrives wrapped in several layers of packing; each layer unpacks itself in turn and the final payload is executed in memory on the victim's machine.
The payload works through the applications it targets one at a time, stealing data from each and accumulating the results in a buffer before exfiltration. Persistence is established by dropping a copy of the malware under %APPDATA% and pointing a registry autorun entry at it; depending on the privileges of the infected user, that entry is written under HKEY_LOCAL_MACHINE (administrative user) or HKEY_CURRENT_USER (standard user). The malware then contacts its command and control (C2) server to upload the stolen data and retrieve further commands, and starts its keylogging module, which encrypts the captured keystrokes with DES (Data Encryption Standard) before they are sent.
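As an added example (not part of the original advisory): a parser for the text that `reg export` writes for the Run and RunOnce keys, flagging any autorun value whose command line lives in a user-writable location such as %APPDATA% or %TEMP%, which is where a stealer persisting without administrative rights has to live. The sample export, value names and paths below are constructed for illustration and are not LokiBot artifacts.

```python
"""Flag Run/RunOnce autorun entries that launch from user-writable paths.

Added example (not from the advisory). Input is the text `reg export`
writes for an autorun key; the sample below is constructed.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample export: two benign entries and two hypothetical
# entries launching from per-user, user-writable locations. The value
# names and paths are illustrative, not real LokiBot artifacts.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"E8F2A1"="C:\\Users\\alice\\AppData\\Roaming\\E8F2A1\\E8F2A1.exe"
"Svc"="C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"
'''

# Run and RunOnce under either hive (Wow6432Node paths included via .*).
AUTORUN_KEY = re.compile(
    r'^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\.*\\CurrentVersion\\Run(Once)?\]$', re.I)
# "Name"="data" lines; .reg files escape backslash and quote with a backslash.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Locations a standard user can write to.
USER_WRITABLE = re.compile(
    r'%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|\\AppData\\(?:Roaming|Local)\\|\\Users\\Public\\|\\Temp\\',
    re.I)


def _unescape(s: str) -> str:
    # Undo .reg escaping (backslash-backslash, backslash-quote) in one pass.
    return re.sub(r'\\(.)', r'\1', s)


def find_suspicious_autoruns(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, command) for autorun values in user-writable paths."""
    hits: List[Tuple[str, str, str]] = []
    current_key: Optional[str] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            # Only track values while inside an autorun key.
            current_key = line[1:-1] if AUTORUN_KEY.match(line) else None
            continue
        if current_key is None:
            continue
        m = VALUE_LINE.match(line)
        if not m:  # default value (@=), hex(...) typed values, blank lines
            continue
        name, command = _unescape(m.group(1)), _unescape(m.group(2))
        if USER_WRITABLE.search(command):
            hits.append((current_key, name, command))
    return hits


if __name__ == '__main__':
    for key, name, command in find_suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f'{key}\\{name} -> {command}')
```

On a live host, export both hives (`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and the HKLM equivalent) and pass the file contents to find_suspicious_autoruns; reg export writes UTF-16, so open the file with encoding='utf-16', and note that REG_EXPAND_SZ values are exported as hex(2) data that this parser skips. Legitimate per-user installers (OneDrive, Teams) also run from AppData, so treat hits as triage candidates rather than verdicts.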
Impact
Technical Impact
- The malware can execute commands on the compromised host, leading to data theft.
- Compromised systems can be enrolled in a botnet and used to launch DDoS attacks against other targets.
- The malware steals browser autofill data, saved passwords and cookies, building a digital fingerprint of the victim.
- The keylogger captures credit card numbers and other authentication data as the victim types them.
Business Impact
- Infected hosts can degrade the performance of critical business services.
- Monetary loss is likely from downtime and other performance issues caused by the infection.
- Stolen credentials enable website account takeover, notably against e-commerce users.
- Bot-generated traffic skews business analytics, since it is hard to distinguish from genuine user or client traffic, especially in web-based applications.
Mitigation
- Treat unsolicited MS Office documents, archive files and ISO files as potential lures and inspect them before opening.
- Disable macros in Office products, or at minimum block macros in documents downloaded from the Internet.
- Deploy an effective EDR solution capable of detecting in-memory payload execution and autorun persistence.
- Maintain security awareness training and basic cyber hygiene.
Indicators of Compromise
Hashes [SHA-256]
IP Addresses
194.180.224.87
192.169.69.25
195.69.140.147
195.22.153.143
173.239.8.164
185.209.1.124
18.221.107.58
23.253.46.64
111.118.215.98
79.124.8.8
192.185.129.96
103.129.98.58
208.91.198.102
104.27.180.26
204.11.56.48
104.24.124.73
66.96.149.17
67.225.140.132
104.18.33.92
Domains
gooddns.ir
isns.net
parkingcrew.net
abokiisback.duckdns.org
future--seafood.com
linkk-my.com
babaseoa.com
hfktichen.com
shoptrustup.su
birn.xyz
mflogistics-my.com
afcompresors.com
www.proxyocean.com
majul.com
joovy.ga
gahyqah.com
ggwp.emptiness.tk
berkanenow.com
f08080.com
go-upload.ru
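As an added example (not part of the original advisory): a small matcher that runs the indicators listed above against DNS, connection and proxy log lines, matching subdomains of a listed domain but not look-alike names, and exact IP addresses rather than prefixes. The key=value log format, host names and timestamps are constructed for illustration; only the indicators themselves are taken from the lists above.

```python
"""Match the advisory's network IoCs against log lines.

Added example (not from the advisory). Log format, hosts and
timestamps are constructed; the indicators are copied from the lists above.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

IOC_DOMAINS: Set[str] = {"gooddns.ir", "abokiisback.duckdns.org", "hfktichen.com", "go-upload.ru"}
IOC_IPS: Set[str] = {"194.180.224.87", "185.209.1.124", "79.124.8.8"}

# Constructed key=value log lines: DNS queries, outbound connections, proxied URLs.
SAMPLE_LOGS = [
    "ts=2024-05-02T10:14:03Z host=WS-017 dns=mail.hfktichen.com.",
    "ts=2024-05-02T10:14:04Z host=WS-017 dst=185.209.1.124:80",
    "ts=2024-05-02T10:15:10Z host=WS-022 dns=www.example.com.",
    "ts=2024-05-02T10:16:00Z host=WS-022 url=http://go-upload.ru/index.php",
    "ts=2024-05-02T10:17:30Z host=WS-031 dns=notgooddns.ir",    # look-alike, not a subdomain
    "ts=2024-05-02T10:18:00Z host=WS-031 dst=79.124.8.80:443",  # shares a prefix only
]

KV = re.compile(r'(\w+)=(\S+)')


def normalize_domain(name: str) -> str:
    # Lower-case and drop the trailing dot that DNS logs often keep.
    return name.strip().rstrip('.').lower()


def domain_hit(name: str, iocs: Set[str]) -> Optional[str]:
    """Exact match or a subdomain of an indicator, enforcing a label boundary."""
    name = normalize_domain(name)
    for ioc in iocs:
        if name == ioc or name.endswith('.' + ioc):
            return ioc
    return None


def ip_hit(value: str, iocs: Set[str]) -> Optional[str]:
    """Exact address match; accepts 'a.b.c.d' or IPv4 'a.b.c.d:port'."""
    addr = value.rsplit(':', 1)[0] if value.count(':') == 1 else value
    try:
        ip = str(ipaddress.ip_address(addr))
    except ValueError:
        return None
    return ip if ip in iocs else None


def match_line(line: str) -> Optional[Dict[str, str]]:
    """Return a hit record for the first field in the line that matches an indicator."""
    fields = dict(KV.findall(line))
    candidates = []
    if 'dns' in fields:
        candidates.append(('dns', fields['dns']))
    if 'dst' in fields:
        candidates.append(('dst', fields['dst']))
    if 'url' in fields:
        candidates.append(('url', urlsplit(fields['url']).hostname or ''))
    for field, value in candidates:
        ioc = ip_hit(value, IOC_IPS) or domain_hit(value, IOC_DOMAINS)
        if ioc:
            return {'host': fields.get('host', '?'), 'field': field, 'indicator': ioc, 'line': line}
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    return [hit for hit in map(match_line, lines) if hit]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit['host']}: {hit['field']} matched {hit['indicator']}")
```

Point scan() at a real DNS-client, firewall or proxy export after adapting KV to its field names. Several listed IP addresses sit in CDN or shared-hosting ranges (the 104.x entries fall inside Cloudflare's published ranges) and parkingcrew.net is a domain-parking service, so a match on those is a lead to triage, not proof of compromise; matching parent domains such as duckdns.org would flag every dynamic-DNS user, which is why the matcher keys only on the full indicator.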