LokiBot Phishing Malware Baseline | Cofense

Table 1: List of examples that LokiBot has the capability to steal from. 

In the Wild 

LokiBot has consistently been seen at Cofense as one of the most popular malware families used by threat actors. Because it is simple in design and simple to use, low-skill threat actors can employ LokiBot for a variety of malicious purposes. From 2019 until around 2021, LokiBot was often the most common malware family, followed by Agent Tesla Keylogger. At the time of this report, other malware families have appeared more often and have pushed LokiBot down the rankings; however, LokiBot is still among the top five malware families seen at Cofense. Figure 2 shows the percentage of LokiBot among the malware families seen in our Active Threat Reports (ATR). Although there was a small dip over the past year and a half, LokiBot has remained at around eight percent of all malware seen each month.

Figure 2: Loki Bot’s relative value seen at Cofense between January 2022 and July 2023.

Delivery Mechanisms 

LokiBot is often delivered by email on its own; however, as can be seen in Figure 2, a large share of LokiBot samples still arrive with a delivery mechanism. Of the LokiBot samples that Cofense saw accompanied by a delivery mechanism, an overwhelming 82% were delivered by CVE-2017-11882. Across all LokiBot samples seen by Cofense, however, over half are delivered as a direct attachment.

Figure 3: Delivery Mechanisms used to deliver Loki Bot between January 2022 and July 2023.

LokiBot is very rarely delivered via embedded URLs or via delivery mechanisms other than CVE-2017-11882, such as Visual Basic Scripts (VBS) or Windows Shortcut files (LNK): between January 2022 and July 2023, just over one percent of LokiBot samples were delivered via those two mechanisms combined.

Behavior 

LokiBot behaves in a very straightforward and simplistic way. Once it has been downloaded and run, LokiBot unpacks itself onto the system. From there, the malware starts collecting sensitive information from each of the programs it supports. Once LokiBot has exhausted every application that can yield sensitive data, along with any extra additions such as keystroke logging, it creates a customized HTTP packet and sends it to the C2, as seen in Figure 4. While LokiBot is gathering the information into an HTTP packet, some versions will establish persistence, while others may simply continue to run and occasionally connect to the C2 in case new credentials have been stored on the machine.

Figure 4: Example of an HTTP POST request from a computer infected with LokiBot.

This specific link is the final destination, where the stolen information is presented to the threat actor. If one were to visit the page, they would be greeted with a captcha as well as a login page, as seen in Figure 5.

Figure 5: Example of a LokiBot C2 Authentication Panel.

Detection and Hunting

LokiBot depends heavily on connecting to its C2, which makes it generally easy to detect. Because embedded URLs deliver LokiBot so rarely, the primary way to prevent LokiBot from being installed on a system is to not allow unknown downloads from suspicious emails. Most anti-virus software is good at catching LokiBot due to its simplicity, but there are also other ways to spot whether LokiBot is already installed on a system.

User Agent

LokiBot can also be identified by a specific string found in the application as well as in its network traffic. LokiBot always uses the User Agent “Mozilla/4.08 (Charon; Inferno)” to connect to its C2s, as seen in Figure 4.

Network Traffic

As previously mentioned, LokiBot uses the User Agent “Mozilla/4.08 (Charon; Inferno)” to post the credentials to its C2 panel. LokiBot primarily uses HTTP to communicate with its C2. The URL can be formatted in a variety of ways, but the resource it requests is typically either a PHP panel file or a path that ends with “p=” followed by a unique set of numbers that differentiates the systems LokiBot has infected. An example of the latter that Cofense has previously reported is:
“hxxp216[.]128[.]145[.]196/~wellseconds/?p=”
A more common example is the other IOC mentioned, the PHP panel, whose URL looks similar to:
“hxxp194[.]55[.]224[.]9/fresh1/five/fre[.]php”.
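The two indicators above (the fixed User Agent and the C2 URL shapes) can be turned into a simple hunt over proxy logs. The script below is an added example, not Cofense's own tooling; it assumes a constructed log format of `<src> <method> <url> "<user-agent>"` and uses documentation/TEST-NET addresses rather than real C2 hosts.

```python
import re
from dataclasses import dataclass

# Indicators taken from the report: LokiBot's fixed User-Agent string and the two
# C2 URL shapes it describes (a PHP panel file, or a query ending in "p=<digits>").
LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"
C2_URL_SHAPE = re.compile(r"(\.php$|[?&]p=\d+$)")

@dataclass
class Hit:
    src: str
    method: str
    url: str
    reasons: tuple  # which indicators fired; "user-agent" is the strong one

def parse_log_line(line):
    """Parse one line of the constructed proxy log format: <src> <method> <url> "<ua>"."""
    m = re.match(r'^(\S+) (\S+) (\S+) "([^"]*)"$', line.strip())
    return m.groups() if m else None

def hunt(lines):
    """Return one Hit per log line that looks like a LokiBot C2 check-in."""
    hits = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the hunt
        src, method, url, ua = parsed
        reasons = []
        if ua == LOKIBOT_USER_AGENT:
            reasons.append("user-agent")
        # LokiBot POSTs harvested credentials; a GET to a .php page is ordinary web traffic
        if method == "POST" and C2_URL_SHAPE.search(url):
            reasons.append("c2-url-shape")
        if reasons:
            hits.append(Hit(src, method, url, tuple(reasons)))
    return hits

def confidence(hit):
    """The User-Agent alone is conclusive; URL shape alone only warrants a closer look."""
    return "high" if "user-agent" in hit.reasons else "low"

# Constructed sample log (hosts are documentation/TEST-NET addresses, not real C2s).
SAMPLE_LOG = [
    '10.0.0.5 POST http://198.51.100.7/fresh1/five/fre.php "Mozilla/4.08 (Charon; Inferno)"',
    '10.0.0.5 POST http://203.0.113.5/~panel/?p=482719 "Mozilla/4.08 (Charon; Inferno)"',
    '10.0.0.9 GET http://intranet.example/login.php "Mozilla/5.0 (Windows NT 10.0)"',
    '10.0.0.12 POST http://shop.example/cart.php "Mozilla/5.0 (Windows NT 10.0)"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(confidence(hit), hit.src, hit.url, hit.reasons)
```

The fourth sample line shows why the URL shape is only a weak indicator on its own: an ordinary POST to a `.php` page fires it, so such hits should be triaged rather than alerted on directly.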

Source: https://cofense2022stg.wpengine.com/blog/lokibot-phishing-malware-baseline/