LokiBot Trojan Threat Intel Advisory

Summary

CloudSEK Threat Intelligence Advisory on LokiBot Trojan, an infostealer and keylogger malware strain delivered via MS Office documents.
Published on October 19, 2020 | 18:30 IST
Type
Advisory
Category
Malware
Target Platform
Windows
  LokiBot, also known as Loki, is an infostealer and keylogger that harvests passwords, credentials and other data from web browsers, applications, and FTP and email clients. Several variants are sold on dark web marketplaces and underground forums. The payload is delivered in MS Office documents and runs when the victim is tricked into opening the file. It arrives inside multiple packed wrappers, which unpack themselves and execute the main payload in the memory of the victim's computer. The payload targets each application on the host separately and stages the stolen data in a buffer. It establishes persistence by copying itself under %APPDATA% and adding an autorun entry in the registry; depending on the user's privileges, that entry is created under HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER. It then contacts its command and control (C2) server to exfiltrate the buffered data and retrieve commands, and starts its keylogging routine, which encrypts the captured keystrokes with Data Encryption Standard (DES).

Impact

Technical Impact
  • The malware can execute commands on the compromised host, leading to data theft.
  • Compromised systems can be enrolled in a botnet and used to launch DDoS attacks against other targets.
  • The malware steals browser autofill data, saved passwords and cookies, which can be used to build a digital fingerprint of the victim and impersonate their sessions.
  • The keylogger captures credit card numbers and other authentication data as the victim types them.
 
Business Impact
  • Bot activity degrades the performance of critical business services.
  • Monetary loss is likely from downtime and degraded performance caused by the bot.
  • Stolen credentials enable account takeover on websites, notably for players in e-commerce.
  • Business analytics are skewed because bot traffic is hard to distinguish from genuine user or client traffic, especially in web-based applications.

Mitigation

  • Be alert for MS Office documents, archive files and ISO files used as lures, especially when they arrive as unsolicited email attachments.
  • Disable macros in Office products, or at minimum block macros in documents that originate from the internet, and enforce the setting via Group Policy rather than leaving it to the user.
  • Deploy an EDR solution capable of detecting in-memory payload execution and changes to autorun registry keys.
  • Run security awareness training and maintain basic cyber hygiene.

Indicators of Compromise

Several of the IP addresses and domains below belong to shared hosting, CDN or domain-parking infrastructure; validate each indicator against your own telemetry before blocking it outright.

Hashes (SHA256)
C14115B27DCC8A6E26CE22BE191D64EE3C74A9E812AE8409A2A834E05542AA1F
8BC689D070D0991E960D0D6323C6BCDD557BC31CFB72514BAC81F82DFC1D5D84
71D5A2F560DE370FC12C29BBC17D96F4859AFBFCED53892392655C1A096BC5FF
295D6F6CF0375F79F9A308EBC193B3403FA87DB488586F5A273F70354249F8AD
FC27D5975A0B1B0F856F57DD5839CD081EFDE7A6FC228A5DDBDB57EF4BF1A9C3
EAAD310F738AB2A1388F16D16D0980C377E5F82687449180DAD60E0F7B5D6F3F
D71FDF54F494CBCD273990A741FFA9A03F14266067D928A32B40A6B1746F14B6
60D74FF5AE314EA7D22B9A2B03DF5D512E6A721979BCEB8D4440EFE85EF77FC3

IPs
194.180.224.87
192.169.69.25
195.69.140.147
195.22.153.143
173.239.8.164
185.209.1.124
18.221.107.58
23.253.46.64
111.118.215.98
79.124.8.8
192.185.129.96
103.129.98.58
208.91.198.102
104.27.180.26
204.11.56.48
104.24.124.73
66.96.149.17
67.225.140.132
104.18.33.92

Domains
gooddns.ir
isns.net
parkingcrew.net
abokiisback.duckdns.org
future--seafood.com
linkk-my.com
babaseoa.com
hfktichen.com
shoptrustup.su
birn.xyz
mflogistics-my.com
afcompresors.com
www.proxyocean.com
majul.com
joovy.ga
gahyqah.com
ggwp.emptiness.tk
berkanenow.com
f08080.com
go-upload.ru
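Both the persistence behaviour described in the overview (an autorun value under HKLM or HKCU that points into %APPDATA%) and the indicators in this section can be checked against host and network telemetry. The Python below is an added example written for this advisory, not CloudSEK tooling; the line format, field names and sample events are constructed for the example, and only a subset of the advisory's hashes, IPs and domains is embedded. Real Sysmon or EDR exports would be mapped into the same event keys before being fed in.

```python
"""Flag LokiBot-style persistence and the advisory's IoCs in telemetry.

Added example for this advisory, not CloudSEK tooling. Assumed (constructed)
input: one event per line, "<timestamp> key=value key=value ...", with types
registry_set (target, details), dns_query (query), network_connect (dst) and
file_create (path, sha256)."""
import ipaddress
import re
from collections import Counter

# Subset of the IoCs listed in this advisory; extend with the full lists above.
IOC_SHA256 = {
    "c14115b27dcc8a6e26ce22be191d64ee3c74a9e812ae8409a2a834e05542aa1f",
    "8bc689d070d0991e960d0d6323c6bcdd557bc31cfb72514bac81f82dfc1d5d84",
}
IOC_IPS = {ipaddress.ip_address(a) for a in ("194.180.224.87", "185.209.1.124", "79.124.8.8")}
IOC_DOMAINS = {"abokiisback.duckdns.org", "future--seafood.com", "go-upload.ru"}

# Autorun keys the persistence described in the advisory writes to. HKLM means the
# dropper ran elevated, HKCU that it did not; either way the value points into %APPDATA%.
RUN_KEY_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Roaming\\", re.IGNORECASE)
# key=value pairs; values may contain spaces, so stop only at the next " key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """'<ts> k=v k=v ...' -> dict with 'ts' plus one entry per key."""
    ts, _, rest = line.strip().partition(" ")
    ev = {"ts": ts}
    ev.update(KV_RE.findall(rest))
    return ev


def domain_matches(qname, iocs):
    """Exact match or a subdomain of a listed domain. A listed host such as
    abokiisback.duckdns.org must not make every duckdns.org name a hit."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in iocs)


def check_event(ev):
    """Return a list of (rule, detail) hits for one parsed event."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set":
        m = RUN_KEY_RE.match(ev.get("target", ""))
        if m and APPDATA_RE.search(ev.get("details", "")):
            hits.append((f"run_key_appdata_{m['hive'].lower()}", ev["target"]))
    elif kind == "dns_query" and domain_matches(ev.get("query", ""), IOC_DOMAINS):
        hits.append(("ioc_domain", ev["query"]))
    elif kind == "network_connect":
        try:
            if ipaddress.ip_address(ev.get("dst", "")) in IOC_IPS:
                hits.append(("ioc_ip", ev["dst"]))
        except ValueError:  # malformed or missing address: no hit, no crash
            pass
    elif kind == "file_create" and ev.get("sha256", "").lower() in IOC_SHA256:
        hits.append(("ioc_hash", ev["sha256"].lower()))
    return hits


def scan(lines):
    """Scan an iterable of log lines; returns (hits, count of hits per rule)."""
    hits = []
    for line in lines:
        if line.strip():
            hits.extend(check_event(parse_event(line)))
    return hits, Counter(rule for rule, _ in hits)


# Constructed sample telemetry: the first four lines should hit, the last two are benign.
SAMPLE_LOG = r"""
2020-10-19T12:01:03Z type=file_create path=C:\Users\bob\AppData\Roaming\F1A2B3\F1A2B3.exe sha256=C14115B27DCC8A6E26CE22BE191D64EE3C74A9E812AE8409A2A834E05542AA1F
2020-10-19T12:01:04Z type=registry_set target=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\F1A2B3 details=C:\Users\bob\AppData\Roaming\F1A2B3\F1A2B3.exe
2020-10-19T12:01:09Z type=dns_query query=abokiisback.duckdns.org
2020-10-19T12:01:10Z type=network_connect dst=194.180.224.87 dport=80
2020-10-19T12:02:00Z type=dns_query query=status.duckdns.org
2020-10-19T12:02:30Z type=registry_set target=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive details=C:\Program Files\Microsoft OneDrive\OneDrive.exe /background
"""

if __name__ == "__main__":
    found, by_rule = scan(SAMPLE_LOG.splitlines())
    for rule, detail in found:
        print(f"{rule:24} {detail}")
    print(dict(by_rule))
```

The registry rule deliberately keys on the hive as well as the path, so an HKLM hit tells the responder the dropper ran with elevated rights. The subdomain check in domain_matches matters for dynamic-DNS indicators: blocking on the parent zone would generate noise from every other duckdns.org host.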

