Lokibot Malware exploits spotted in the wild

By

 SonicWall Capture Labs Threats Research Team has spotted Lokibot malware attacks in the wild. This malware is delivered through spam emails . Lokibot is an info stealer and tries to steal credentials stored in registry, files and browser.

It also reads sensitive data of Google chrome, Firefox, Internet Explorer. It tries to connect to attacker controller server over HTTP and tries to POST the stolen information from the victim’s computer.

Infection Cycle

User is lured into opening malicious attachment in spam email. This attachment is lokibot malware which upon execution steals sensitive user data like username password in browser and registry.

This malware shows following behavior :

  • Tries to read sensitive data of: LinasFTP, Mozilla Firefox, Google Chrome, QtWeb Internet Browser, Internet Explorer / Edge.
  • Reads installed programs by enumerating the SOFTWARE registry key.
  • Trying to read sensitive data of web browsers like Firefox, Google Chrome, Internet Explorer
  • Trying to read sensitive data from ftp applications through registry like LinsaFTP
  • Trying to read sensitive email data from Microsoft Outlook

 

The malware sends the information to attacker-controlled server [185.250.240.84]

The malware has embedded executable stored as hex formatted string.

It also downloads file from hxxp://185.250.240.84/xxxx/[filename].exe

Sonicwall Capture Labs provides protection against this threat with the following signature:

  • Lokibot.XS
  • Lokibot.XS_2
  • LokiMD
  • LokiBot.DN
  • Lokibot.SI

This threat is also detected by SonicWALL Capture ATP w/RTDMI

IoCs

b94f1e79967593212bcc4d87d7cb1126c7058b29c5e72192be4c723333c50827

1c60762ed20269d0e92549ab12fe71dfcf014187339457c84a6d0bf6cea17c8f

691c65e4fb1d19f82465df1d34ad51aaeceba14a78167262dc7b2840a6a6aa87

4aba53fe8e5e914bd4ce329202ab254e0e428851c8fda399a0cc64b848cee165

2e0803bf1552657d7cf082bb1fd8b605cea4b8734639f18b127d619341e960a0

03bb2466c3be7ac4fd3e8b970731ab5627da89b0653dc9449e7faddddb643934

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.