Federal cybersecurity officials are warning enterprises and government agencies about a major increase in the volume of malicious activity using the LokiBot trojan, one of the more effective pieces of information-stealing malware in circulation.
LokiBot has been in use for about four years. It originally targeted Android devices, but it has since evolved to target Windows machines as well, and its capabilities and tactics have changed over time. At one point it did little more than display ads on infected devices, but it quickly shifted into the more lucrative credential-stealing role. LokiBot is normally distributed through spam email messages carrying malicious attachments, but it is sometimes installed via compromised or malicious websites, too.
On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) said that the federal government had seen a marked increase in LokiBot activity over the last couple of months.
“CISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020. Throughout this period, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected persistent malicious LokiBot activity,” the CISA alert says.
“LokiBot uses a credential- and information-stealing malware, often sent as a malicious attachment and known for being simple, yet effective, making it an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.”
The LokiBot malware is designed to find and steal as much sensitive information as possible from infected devices, including usernames and passwords, banking credentials, cryptocurrency wallets, and anything else of interest. More recently, LokiBot has also been seen installing a backdoor on infected machines, giving the operators persistent access to those computers. Analyses of the various versions of LokiBot show that the malware uses several techniques to hide its activity on infected machines, including running inside a hollowed legitimate process and marking hosts it has already infected.
“Once executed, Lokibot unpacks the main binary into memory using hollow process injection to insert itself into a legitimate Microsoft Windows application to hide its activities. Lokibot also used an infected system machine global unique identifier (GUID) value to generate a mutex (an MD5 hash) that acted as a flag to prevent itself from infecting the same machine again. Lokibot collects information and credentials from multiple applications, including but not limited to Mozilla Firefox, Google Chrome, Thunderbird, FTP and SFTP applications,” an analysis of LokiBot by Infoblox says.
LokiBot has been used in a wide variety of different attack campaigns by several groups. Some attacks have been broad phishing runs, while others have been more targeted, including a spear phishing attack last year that targeted a manufacturing company in the U.S. Earlier this year, a separate spear phishing campaign was using COVID-19 as a lure to install LokiBot, as well.