CVSS3: 7.8 High
Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 9.3 High (Confidence: High)

CVSS2: 9.3 High
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.974 High (Percentile: 99.9%)
This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise frameworks for all referenced threat actor techniques.
This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions by the Multi-State Information Sharing & Analysis Center (MS-ISAC).
CISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020. Throughout this period, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected persistent malicious LokiBot activity. LokiBot is credential- and information-stealing malware, often sent as a malicious attachment and known for being simple yet effective, making it an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.
LokiBot—also known as Lokibot, Loki PWS, and Loki-bot—employs Trojan malware to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials.
Figure 1: MITRE ATT&CK enterprise techniques used by LokiBot
Since LokiBot was first reported in 2015, cyber actors have used it across a range of targeted applications, including the following.
According to MITRE, LokiBot uses the ATT&CK techniques listed in table 1.
Table 1: LokiBot ATT&CK techniques

| Technique | Use |
|---|---|
| System Network Configuration Discovery [T1016] | LokiBot has the ability to discover the domain name of the infected host. |
| Obfuscated Files or Information [T1027] | LokiBot has obfuscated strings with base64 encoding. |
| Obfuscated Files or Information: Software Packing [T1027.002] | LokiBot has used several packing methods for obfuscation. |
| System Owner/User Discovery [T1033] | LokiBot has the ability to discover the username on the infected host. |
| Exfiltration Over C2 Channel [T1041] | LokiBot has the ability to initiate contact with command and control to exfiltrate stolen data. |
| Process Injection: Process Hollowing [T1055.012] | LokiBot has used process hollowing to inject into the legitimate Windows process vbc.exe. |
| Input Capture: Keylogging [T1056.001] | LokiBot has the ability to capture input on the compromised host via keylogging. |
| Application Layer Protocol: Web Protocols [T1071.001] | LokiBot has used Hypertext Transfer Protocol for command and control. |
| System Information Discovery [T1082] | LokiBot has the ability to discover the computer name and Windows product name/version. |
| User Execution: Malicious File [T1204.002] | LokiBot has been executed through malicious documents contained in spearphishing emails. |
| Credentials from Password Stores [T1555] | LokiBot has stolen credentials from multiple applications and data sources, including Windows operating system credentials, email clients, and File Transfer Protocol and Secure File Transfer Protocol clients. |
| Credentials from Password Stores: Credentials from Web Browsers [T1555.003] | LokiBot has demonstrated the ability to steal credentials from multiple applications and data sources, including Safari and Chromium- and Mozilla Firefox-based web browsers. |
| Hide Artifacts: Hidden Files and Directories [T1564.001] | LokiBot has the ability to copy itself to a hidden file and directory. |
CISA developed the following Snort signature for detecting network activity associated with LokiBot. The rule matches an HTTP POST whose short URI ends in /fre.php under one of the directory names LokiBot command-and-control panels have used.

# Straight quotes and the escaped "/" characters inside the pcre are required for the rule to parse;
# the published rule carries no sid/rev, so add local placeholders (e.g. sid:1000001; rev:1;) before loading.
alert tcp any any -> any $HTTP_PORTS (msg:"Lokibot:HTTP URI POST contains '/*/fre.php' post-infection"; flow:established,to_server; flowbits:isnotset,.tagged; content:"/fre.php"; http_uri; fast_pattern:only; urilen:<50,norm; content:"POST"; nocase; http_method; pcre:"/\/(?:alien|loky\d|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll\/NW|wrk|job|five\d?|donemy|animation\dkc|love|Masky|v\d|lifetn|Ben)\/fre\.php$/iU"; flowbits:set,.tagged; classtype:http-uri; metadata:service http; metadata:pattern HTTP-P001;)
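The same URI logic as the Snort signature, re-implemented in Python so the pattern can be hunted retroactively over web-proxy logs offline. This is an added example, not CISA's code; the log line format, hosts and addresses below are constructed for illustration.

```python
import re

# Same alternation and end-of-URI anchor as the signature's pcre option
# (the /U flag matches the normalized request URI, query string included).
LOKIBOT_URI_RE = re.compile(
    r"/(?:alien|loky\d|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|"
    r"scroll/NW|wrk|job|five\d?|donemy|animation\dkc|love|Masky|v\d|lifetn|Ben)"
    r"/fre\.php$",
    re.IGNORECASE,
)
MAX_URILEN = 50  # mirrors urilen:<50


def is_lokibot_c2_uri(method: str, uri: str) -> bool:
    """Return True when a request matches the signature's method/URI checks."""
    if method.upper() != "POST":          # content:"POST"; nocase; http_method
        return False
    if len(uri) >= MAX_URILEN:            # urilen:<50
        return False
    if "/fre.php" not in uri:             # content:"/fre.php"; http_uri (fast pattern)
        return False
    return LOKIBOT_URI_RE.search(uri) is not None


# Constructed proxy log sample: "<timestamp> <client> <method> <host> <uri> <status>".
SAMPLE_LOG = """\
2020-09-22T10:01:02Z 10.0.0.15 POST panel.example.test /loki/fre.php 200
2020-09-22T10:01:09Z 10.0.0.15 GET panel.example.test /loki/fre.php 200
2020-09-22T10:02:41Z 10.0.0.22 POST panel.example.test /five2/fre.php 200
2020-09-22T10:03:00Z 10.0.0.31 POST panel.example.test /admin/fre.php 200
2020-09-22T10:03:30Z 10.0.0.31 POST panel.example.test /scroll/NW/fre.php 200
2020-09-22T10:04:00Z 10.0.0.40 POST panel.example.test /free.php 404
"""


def scan_proxy_log(text: str) -> list:
    """Return (timestamp, client, uri) for every log line the URI logic flags."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:               # skip malformed or truncated lines
            continue
        ts, client, method, _host, uri, _status = fields[:6]
        if is_lokibot_c2_uri(method, uri):
            hits.append((ts, client, uri))
    return hits


if __name__ == "__main__":
    for ts, client, uri in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {uri}")
```

A hit only identifies the internal client that posted to a panel-style URI; the host's credentials and stored browser secrets should be treated as exposed until the machine is examined.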
CISA and MS-ISAC recommend that federal, state, local, tribal, and territorial government and private sector users, and network administrators, consider applying the following best practices to strengthen the security posture of their organization’s systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.
For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.
Center for Internet Security, Security Event Primer – Malware: https://www.cisecurity.org/white-papers/security-event-primer-malware/
MITRE ATT&CK – LokiBot: https://attack.mitre.org/software/S0447/
MITRE ATT&CK for Enterprise: https://attack.mitre.org/matrices/enterprise/
September 22, 2020: Initial Version
September 23, 2020: Added hyperlink to MS-ISAC