CISA Issues Alert After Observing Surge in LokiBot Activity


The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an alert after observing a surge in LokiBot activity over the past two months. LokiBot first appeared in 2015 and is used to steal credentials and other sensitive data from victims' machines. The malware targets Windows and Android operating systems, uses a keylogger to capture usernames and passwords, and monitors browser and desktop activity. LokiBot can steal credentials from multiple applications, including the Safari, Chrome, and Firefox web browsers, along with credentials for email accounts. It can also steal other sensitive information and cryptocurrency wallets, and it can create backdoors on the victim's machine that allow hackers to deliver additional malicious code.

LokiBot typically arrives as a malicious email attachment, and also through links to malicious websites sent over SMS and text messaging apps. The malware establishes a connection with its command and control (C2) server and exfiltrates stolen data over HyperText Transfer Protocol (HTTP). To evade detection, it uses process hollowing to insert itself into legitimate Windows processes such as vbc.exe. The malware can also create a duplicate of itself, saved as a hidden file in a hidden directory. Since July, CISA's EINSTEIN intrusion detection system has identified a significant increase in LokiBot activity.
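The process-hollowing behaviour described above gives defenders a concrete telemetry signal: a vbc.exe (the Visual Basic compiler) process that was not started by a build tool, was started by something living in a user-writable directory, or carries no compiler arguments at all. The following Python script is an added example, not code from the original post or from CISA; it runs a small heuristic over constructed, Sysmon-style process-creation records (Image / CommandLine / ParentImage fields). The parent allowlist, the user-writable directory prefixes, and the sample records are assumptions chosen for illustration.

```python
"""Flag vbc.exe launches that do not look like a normal compiler run.

Added example (not from the original post or the CISA alert). Input records
are constructed, Sysmon-style process-creation events written as
'Key=Value|Key=Value' lines; allowlists and prefixes are assumptions.
"""
import ntpath

# Assumption: parents that legitimately spawn the VB compiler on a dev box.
LEGIT_VBC_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}

# Assumption: directories an ordinary user can write to. A parent binary
# launched from here is worth a closer look when it spawns a compiler.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_event(line):
    """Turn 'Image=...|CommandLine=...|ParentImage=...' into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")  # command lines may contain '='
        fields[key.strip()] = value.strip()
    return fields


def has_compiler_args(command_line):
    """True if anything follows the executable on the command line."""
    cl = command_line.strip()
    if cl.startswith('"'):  # quoted path: skip to the closing quote
        end = cl.find('"', 1)
        rest = cl[end + 1:] if end != -1 else ""
    else:
        parts = cl.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() != ""


def assess(event):
    """Return the reasons a vbc.exe launch looks suspicious (empty if not)."""
    reasons = []
    if ntpath.basename(event.get("Image", "")).lower() != "vbc.exe":
        return reasons  # only vbc.exe is in scope for this heuristic
    parent_path = event.get("ParentImage", "")
    parent = ntpath.basename(parent_path).lower()
    if parent not in LEGIT_VBC_PARENTS:
        reasons.append(f"unexpected parent {parent or '<unknown>'}")
    if parent_path.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("parent launched from a user-writable directory")
    # A real compile passes sources or a response file; a hollowed host
    # process is typically started with a bare executable path.
    if not has_compiler_args(event.get("CommandLine", "")):
        reasons.append("no compiler arguments on the command line")
    return reasons


def find_suspicious(lines):
    """Run the heuristic over raw record lines; return (image, reasons) hits."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            hits.append((event.get("Image", ""), reasons))
    return hits


# Constructed sample telemetry: a legitimate MSBuild-driven compile, a
# vbc.exe started by a file dropped in a user's Temp folder, and an
# unrelated process.
SAMPLE_LINES = [
    r'Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe'
    r'|CommandLine="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @C:\Build\proj.rsp'
    r'|ParentImage=C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe',
    r'Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'
    r'|CommandLine="C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'
    r'|ParentImage=C:\Users\alice\AppData\Local\Temp\invoice_0921.exe',
    r'Image=C:\Windows\System32\notepad.exe'
    r'|CommandLine=notepad.exe report.txt'
    r'|ParentImage=C:\Windows\explorer.exe',
]

if __name__ == "__main__":
    for image, reasons in find_suspicious(SAMPLE_LINES):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Only the second record is flagged, and it trips all three checks at once. In practice the allowlist should be tuned to the build tooling actually present in the environment, and the same shape of rule (unexpected parent, user-writable origin, empty command line) transfers to other common hollowing targets.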


LokiBot uses a range of techniques, including discovering the victim's domain name, username, computer name, and Windows product and version; obfuscating strings with base64 encoding; and applying several packing methods to hide its code. It then contacts its command and control server to hand over the stolen data. LokiBot is sold on many different marketplaces for around $300, and that low price makes it a common tool among a lot of hackers.

Information stealers have been popular during the COVID-19 pandemic, especially LokiBot, which was the most commonly detected information stealer in the first half of 2020, according to F-Secure. CISA recommends strengthening defenses against LokiBot and other information stealers: use antivirus software and keep virus definitions up to date; apply security patches for known vulnerabilities; disable file and printer sharing services, and where that is not possible, use strong passwords or Active Directory authentication; use multi-factor authentication on accounts; and scan all software downloaded from the Internet before running or installing it.