The notorious credential-stealing malware LokiBot has made a comeback in a sophisticated multi-stage operation aimed at extracting sensitive information from various applications. The campaign, notable for its mix of old and new tactics, uses a JScript email attachment to start a stealthy chain of stages that ends with the exfiltration of confidential data from the victim's device.
LokiBot’s Evolving Tactics
Initially advertised on underground forums in 2015, LokiBot’s source code leak in 2018 led to the emergence of numerous variants, extending its capabilities to Android devices and enabling functions like keylogging and remote access. The current campaign underscores the malware’s evolution, incorporating both tried-and-true methods and novel evasion strategies to bypass security systems.
Security researchers from LevelBlue have highlighted the meticulous planning behind each stage of this campaign, designed to minimize detection and erase traces if necessary. They reported to Cyber Security News that the malware is predominantly distributed through malicious email attachments, a method that continues to be prevalent due to its simplicity and effectiveness.
Technical Breakdown of the Attack
The attack commences when a recipient opens a phishing email containing a JScript file. Once run, the script executes under the Windows Script Host and is obfuscated to hinder analysis. The JScript then unpacks a Base64-encoded PowerShell script and executes it to continue the infection chain.
This PowerShell stage uses a hard-coded XOR key to decrypt a .NET assembly, which is then loaded directly into memory. The assembly, protected by the ConfuserEx obfuscator, acts as an injector that deploys the LokiBot payload into a legitimate Windows process in order to evade detection.
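The staging chain described above (JScript carrying Base64-encoded PowerShell, which carries an XOR-encrypted .NET assembly) is something an analyst has to unwind by hand during triage. The following is an added example, not code from the article or from LevelBlue: a small Python triage helper that extracts the Base64 blob from a dropper, decodes the PowerShell stage, recovers the hard-coded key and encrypted blob from it, XOR-decrypts the blob and checks for the MZ header that a real assembly would carry. The dropper text, the key, the variable names and the fake assembly bytes are all constructed for the demonstration; a real sample will need the regular expressions adjusted to its own obfuscation.

```python
"""Triage helper (added example; not the article's or LevelBlue's code).

Unwinds the staging chain the article describes:
  JScript dropper  ->  Base64-encoded PowerShell  ->  XOR-encrypted .NET assembly.
Everything below the imports is constructed for the demonstration.
"""
import base64
import re

# Constructed XOR key and a stand-in for the assembly (a real one is a full PE).
SAMPLE_XOR_KEY = b"\x5a\x13\x7f"
FAKE_ASSEMBLY = b"MZ\x90\x00" + b"constructed .NET injector stand-in"

# Heuristic patterns (assumptions about the stage layout, tune per sample).
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
KEY_ARRAY_RE = re.compile(r"\[byte\[\]\]\(((?:0x[0-9a-fA-F]{2},?)+)\)")
FROM_B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_constructed_sample() -> str:
    """Assemble a dropper-like text that mirrors the described layering.

    Only the data-carrying statements are modelled; no execution logic.
    """
    blob = base64.b64encode(xor_bytes(FAKE_ASSEMBLY, SAMPLE_XOR_KEY)).decode()
    stage2 = (
        "$k=[byte[]](0x5a,0x13,0x7f);"
        f"$b=[Convert]::FromBase64String('{blob}');"
        "# decrypt-and-load stub intentionally omitted from this constructed sample"
    )
    stage2_b64 = base64.b64encode(stage2.encode()).decode()
    return (
        "// constructed stand-in for the obfuscated JScript dropper\n"
        f'var p = "{stage2_b64}";\n'
    )


def extract_powershell(jscript_text: str) -> str:
    """Find the longest Base64 run in the dropper and decode it as text."""
    runs = B64_RUN_RE.findall(jscript_text)
    if not runs:
        raise ValueError("no Base64 blob found in stage 1")
    return base64.b64decode(max(runs, key=len)).decode("utf-8", errors="replace")


def recover_assembly(ps_text: str) -> bytes:
    """Pull the hard-coded key and the encrypted blob out of the PowerShell stage."""
    key_match = KEY_ARRAY_RE.search(ps_text)
    blob_match = FROM_B64_RE.search(ps_text)
    if not key_match or not blob_match:
        raise ValueError("stage 2 does not match the expected key/blob layout")
    key = bytes(int(h, 16) for h in key_match.group(1).split(",") if h)
    encrypted = base64.b64decode(blob_match.group(1))
    return xor_bytes(encrypted, key)


def is_pe(data: bytes) -> bool:
    """A correctly decrypted assembly starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def triage(jscript_text: str) -> dict:
    """Run the whole chain and summarise what was recovered."""
    stage2 = extract_powershell(jscript_text)
    payload = recover_assembly(stage2)
    return {
        "stage2_is_powershell": "FromBase64String" in stage2,
        "payload_is_pe": is_pe(payload),
        "payload_len": len(payload),
    }


if __name__ == "__main__":
    print(triage(build_constructed_sample()))
```

The MZ check is the cheap confirmation that the key and blob were paired correctly; if it fails, the usual causes are a key written in a different literal form than the regex expects, or a second encoding layer between the Base64 and the XOR.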
Implications and Preventative Measures
LokiBot poses a severe threat by capturing credentials from over a hundred applications, including web browsers, cryptocurrency wallets, and email clients. The stolen data is compressed and sent to a command-and-control server, risking account takeovers and data breaches.
To counteract these threats, organizations should implement robust security measures, such as blocking script-based email attachments, monitoring unusual activity around processes like aspnet_compiler.exe, and utilizing behavior-based endpoint protection to detect malicious patterns. Regular updates and staff awareness training can further mitigate these risks.
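Two of the mitigations above, watching for script-based attachments being executed and for unusual activity around aspnet_compiler.exe, translate directly into process-creation detection logic. The block below is an added example written for this article, not LevelBlue's or the article's own code, and runs three heuristics over constructed process-creation events: a script host spawning PowerShell, an encoded PowerShell command line, and aspnet_compiler.exe started from an unexpected parent or with no arguments. The event field names, the parent allowlist and the sample events are assumptions; the allowlist in particular should be tuned to the build tooling actually present in an environment.

```python
"""Detection sketch (added example; not the article's or LevelBlue's code).

Applies three heuristics drawn from the article's mitigations to process
creation events. Field names, allowlists and the sample events are constructed.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Parents from which aspnet_compiler.exe is ordinarily launched (assumed allowlist).
EXPECTED_COMPILER_PARENTS = {"msbuild.exe", "devenv.exe"}

# -e / -ec / -en / -enc / -encodedcommand followed by a Base64-looking argument.
ENCODED_FLAG_RE = re.compile(r"(?i)(?:^|\s)-e(?:ncodedcommand|nc|n|c)?\b\s+[A-Za-z0-9+/=]{20,}")
# Command line that consists of the image only (quoted or not), i.e. no arguments.
ONLY_IMAGE_RE = re.compile(r'^\s*(?:"[^"]+"|\S+)\s*$')


@dataclass
class ProcEvent:
    parent: str   # parent image path
    image: str    # new process image path
    cmdline: str  # full command line


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: ProcEvent) -> list[str]:
    """Return the names of every heuristic the event trips (empty if benign)."""
    hits: list[str] = []
    parent, image = basename(ev.parent), basename(ev.image)

    if parent in SCRIPT_HOSTS and image in SHELLS:
        hits.append("script-host-spawns-powershell")
    if image in SHELLS and ENCODED_FLAG_RE.search(ev.cmdline):
        hits.append("encoded-powershell-command")
    if image == "aspnet_compiler.exe":
        if parent not in EXPECTED_COMPILER_PARENTS:
            hits.append("aspnet_compiler-unexpected-parent")
        if ONLY_IMAGE_RE.match(ev.cmdline):
            # A legitimate precompilation run passes options; an injection
            # target is typically started bare (heuristic, not a certainty).
            hits.append("aspnet_compiler-no-arguments")
    return hits


# Constructed sample events, not real telemetry.
NET_DIR = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              NET_DIR + r"\aspnet_compiler.exe",
              '"' + NET_DIR + r'\aspnet_compiler.exe"'),
    ProcEvent(r"C:\Program Files\MSBuild\msbuild.exe",
              NET_DIR + r"\aspnet_compiler.exe",
              r"aspnet_compiler.exe -v / -p C:\site -f C:\out"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -File build.ps1"),
]


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index to its hits, keeping only events that tripped something."""
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {basename(ev.parent)} -> {basename(ev.image)}: {', '.join(names)}")
```

The third and fourth sample events are there to show the negative cases: a build tool launching aspnet_compiler.exe with its usual options, and an interactive PowerShell run whose `-ExecutionPolicy` switch must not be mistaken for `-EncodedCommand`.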
In conclusion, the resurgence of LokiBot in this advanced campaign highlights the persistent and evolving nature of cyber threats. Staying informed and vigilant is crucial for organizations to safeguard against such sophisticated malware incursions. Continuous monitoring and adapting to emerging tactics will be essential in the fight against cybercrime.
