LokiBot Phishing Malware Baseline | Cofense

LokiBot remains one of Cofense’s top malware families, frequently used by threat actors for data theft and credential harvesting, with around 8% of observed malware in Cofense’s Threat Reports. The article details LokiBot’s delivery primarily via CVE-2017-11882, its information-gathering and keystroke-logging behavior, HTTP-based C2 communication to a PHP panel, and practical hints for detection and hunting. #LokiBot #Cofense #CVE-2017-11882 #CharonInferno #PHPPanel

Keypoints

  • LokiBot continues to be a popular malware family at Cofense, historically among the top detections and still in the top five.
  • Delivery is primarily via email: 82% of LokiBot samples that arrive with a delivery mechanism use CVE-2017-11882, and many others arrive as direct attachments.
  • Embedded URLs are a rare delivery method for LokiBot; beyond CVE-2017-11882, only small fractions of samples involve VBS or LNK files.
  • Behaviorally, LokiBot unpacks after download, collects data from supported apps, may log keystrokes, builds a custom HTTP packet, and sends it to its C2.
  • The C2 uses HTTP for communication, often with a PHP panel, and the User Agent string Mozilla/4.08 (Charon; Inferno).
  • Prevention and detection hinge on blocking unknown email attachments, with antivirus typically catching LokiBot due to its simplicity.

MITRE Techniques

  • [T1566.001] Phishing – Attachment – LokiBot is delivered via email, often as a direct attachment. “LokiBot is often seen by itself when it is delivered via email”
  • [T1203] Exploitation for Client Execution – CVE-2017-11882 used to deliver LokiBot in many cases. “82% of LokiBot accompanied by a delivery mechanism is delivered by CVE-2017-11882”
  • [T1059.005] Visual Basic – Scripting – Delivery via Visual Basic Scripts (VBS) as part of (rare) delivery methods. “Visual Basic Scripts (VBS) or Windows Shortcut File (LNK)”
  • [T1071.001] Web Protocols – The malware communicates over HTTP to its C2 panels. “primarily only uses HTTP to communicate to its C2”
  • [T1041] Exfiltration Over C2 Channel – LokiBot builds a customized HTTP packet and sends it to the C2. “As LokiBot is gathering the information into an HTTP packet, … send it to the C2”
  • [T1005] Data from Local System – LokiBot collects sensitive information from the programs it supports. “collecting information from each of the programs it supports gathering information from”
  • [T1550] Pre-Exploitation: Target Modification – Persistence is mentioned as a capability in some variants, indicating a potential for startup persistence (implicit in behavior). “some versions of LokiBot will start to maintain persistence”

Indicators of Compromise

  • [URL] context – C2 delivery endpoints used for LokiBot communications: hxxp://216[.]128[.]145[.]196/~wellseconds/?p=, hxxp://194[.]55[.]224[.]9/fresh1/five/fre[.]php
  • [User-Agent] context – HTTP traffic uses the User Agent string Mozilla/4.08 (Charon; Inferno)
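The User-Agent string and the PHP-panel C2 pattern above are the most practical hunting hooks in this report. The following is an added example (not Cofense's code and not taken from the article) that runs both checks over a constructed web-proxy log excerpt: an exact match on the Mozilla/4.08 (Charon; Inferno) User-Agent is treated as high confidence, while a POST straight to an IP-hosted .php page is only a low-severity supporting lead, since benign software does that too. The log layout and the RFC 5737 addresses in the sample are assumptions for this example; adapt the regex to your proxy's actual format.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicator quoted in the report: LokiBot's hard-coded HTTP User-Agent string.
LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"

# Constructed proxy log excerpt for this example (RFC 5737 documentation
# addresses, not real infrastructure), in an assumed layout:
#   <client> <method> <url> <status> "<user-agent>"
SAMPLE_PROXY_LOG = """\
10.0.0.5 POST http://203.0.113.10/~panel/?p= 200 "Mozilla/4.08 (Charon; Inferno)"
10.0.0.7 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.9 POST http://198.51.100.23/fresh1/five/fre.php 200 "Mozilla/4.08 (Charon; Inferno)"
10.0.0.9 POST http://198.51.100.23/fresh1/five/fre.php 200 "Mozilla/4.08 (Charon; Inferno)"
10.0.0.11 POST http://intranet.example.com/api/upload.php 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.12 POST http://192.0.2.44/gate.php 404 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

# Assumed record format; a real deployment would swap in the proxy's own pattern.
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Hit:
    src: str          # internal client that produced the request
    url: str          # destination the request went to
    severity: str     # "high" for the UA indicator, "low" for the heuristic alone
    reasons: tuple    # which rules fired


def _is_ip_host(host: str) -> bool:
    """True when the URL host is a bare IP address rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(line: str):
    """Return a Hit for a suspicious proxy record, or None for benign or unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    # High-confidence rule: the exact User-Agent the report attributes to LokiBot.
    if m["ua"] == LOKIBOT_USER_AGENT:
        reasons.append("lokibot-user-agent")
    # Supporting heuristic: a POST straight to an IP-hosted PHP page or query
    # endpoint. LokiBot's C2 is a PHP panel reached over plain HTTP, but plenty
    # of benign software does this too, so alone it is only a low-severity lead.
    parts = urlsplit(m["url"])
    if m["method"] == "POST" and _is_ip_host(parts.hostname or "") and (
        parts.path.lower().endswith(".php") or parts.query
    ):
        reasons.append("post-to-ip-php-panel")
    if not reasons:
        return None
    severity = "high" if "lokibot-user-agent" in reasons else "low"
    return Hit(m["src"], m["url"], severity, tuple(reasons))


def scan(log_text: str):
    """Run classify() over every line and return the hits in log order."""
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]


def hosts_to_investigate(hits):
    """Count high-severity hits per internal client, to order triage."""
    counts = {}
    for h in hits:
        if h.severity == "high":
            counts[h.src] = counts.get(h.src, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_PROXY_LOG)
    for hit in hits:
        print(hit.severity.upper(), hit.src, "->", hit.url, ",".join(hit.reasons))
    print(hosts_to_investigate(hits))
```

Two clients in the sample produce the LokiBot User-Agent, which is the list to isolate and image first; the 192.0.2.44 POST surfaces only as a low-severity lead worth a second look, not an alert. Because the UA string is hard-coded in the malware rather than derived from the victim's browser, an exact-match rule on it is cheap and has a very low false-positive rate on a corporate proxy.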

Read more: https://cofense2022stg.wpengine.com/blog/lokibot-phishing-malware-baseline/