Spike in LokiBot Activity During Final Week of 2022

Unit 42 researchers uncover a LokiBot distribution campaign delivered via business email compromise (BEC) phishing emails, with a ZIP-packed ISO attachment that ultimately drops LokiBot. The analysis covers the loader and its obfuscation, a persistence mechanism, and an HTTP-based C2 channel that exfiltrates credentials from browsers, email clients, and other apps. #LokiBot #BEC #ThreatFox #Unit42

Keypoints

  • LokiBot is distributed through BEC phishing emails delivering a ZIP containing an ISO that holds the final payload.
  • The ISO delivery helps bypass common malspam detection that targets EXE/DLL or Office files.
  • The loader is an obfuscated .NET file using process hollowing to inject into aspnet_compiler.exe.
  • Obfuscation relies on API hashing to retrieve APIs from loaded libraries.
  • Persistence is achieved by copying itself to %APPDATA% and setting a Run key under HKCU in the registry.
  • LokiBot collects credentials from multiple applications (browsers, email apps, etc.) and exfiltrates via HTTP POST to a C2 server.
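The API hashing mentioned above replaces imported function names with numeric constants: the loader walks the export table of an already-loaded DLL, hashes each export name, and uses the one whose hash matches the embedded constant. The block below is an added example, not code from the Unit 42 write-up, showing both the resolver and the reverse lookup an analyst builds to label those constants. The ROR13 hash and the export list are assumptions for illustration; the page does not state which hash function this LokiBot sample uses.

```python
"""
Added example (not code from the Unit 42 write-up): how an API-hashing
resolver finds a function without its name appearing in the binary, and the
reverse lookup an analyst builds to label the hash constants.
Assumptions: a ROR13 accumulate hash and a constructed export list.
"""
from typing import Dict, Iterable, List, Optional


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13 accumulate hash (assumed; a common choice in
    shellcode and loaders, not necessarily LokiBot's)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # ROR 13 on 32 bits
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for the export-name table the loader walks in a loaded
# kernel32.dll; real code reads it from the PE export directory in memory.
KERNEL32_EXPORTS: List[str] = [
    "CloseHandle", "CreateProcessW", "GetProcAddress", "GetThreadContext",
    "LoadLibraryA", "ReadProcessMemory", "ResumeThread", "SetThreadContext",
    "VirtualAllocEx", "WriteProcessMemory",
]


def resolve_by_hash(exports: Iterable[str], target: int) -> Optional[str]:
    """Malware side: walk the export table, hash each name, and stop at the
    one matching the embedded constant. Returns the export name here, where a
    real loader would return the function's address."""
    for name in exports:
        if ror13_hash(name) == target:
            return name
    return None


def build_lookup(exports: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hash -> name for every export of interest."""
    return {ror13_hash(name): name for name in exports}


def label_constants(constants: Iterable[int], lookup: Dict[int, str]) -> List[str]:
    """Map hash constants pulled from a sample to names; mark unknown ones."""
    return [lookup.get(c, f"unknown_{c:08x}") for c in constants]


if __name__ == "__main__":
    # Constants a loader would embed instead of strings (computed here; in a
    # real sample they appear as immediates in the disassembly).
    embedded = [ror13_hash(n) for n in ("CreateProcessW", "WriteProcessMemory", "ResumeThread")]
    print([resolve_by_hash(KERNEL32_EXPORTS, h) for h in embedded])
    print(label_constants(embedded + [0xDEADBEEF], build_lookup(KERNEL32_EXPORTS)))
```

The practical point for triage: once the hash routine is identified in the sample, generating the lookup table over the real export lists of kernel32.dll, ntdll.dll and friends turns every constant in the loader back into a name, which is how the process-hollowing sequence (CreateProcess, WriteProcessMemory, SetThreadContext, ResumeThread) becomes visible without any strings being present.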

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Attachment delivered via a BEC email with a ZIP containing an ISO; “the attachment contained a LokiBot information stealer.”
  • [T1055.012] Process Hollowing – The loader uses process hollowing to inject a malicious PE file into the legitimate process called aspnet_compiler.exe; “process hollowing was used to inject a malicious PE file into the legitimate process called aspnet_compiler.exe.”
  • [T1027] Obfuscated/Compressed Files and Information – The LokiBot sample uses API hashing to retrieve APIs from libraries; “This LokiBot sample only uses one code obfuscation technique: API hashing.”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistence via a Run key in HKCU, after copying itself to %APPDATA%; “creates and sets a new value for the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.”
  • [T1071.001] Web Protocols – HTTP-based C2 communications; “LokiBot exfiltrates information to the C2 through the HTTP protocol” and “an HTTP POST request”.
  • [T1555.003] Credentials from Web Browsers – Exfiltrates browser credentials; “Browsers: Safari, Internet Explorer, Firefox and Chromium-based browsers.”
  • [T1555.002] Credentials from Email Clients – Exfiltrates credentials from email clients as part of data theft; “Email applications” in the stealing features.
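The three host-side behaviours in the technique list above (aspnet_compiler.exe started by an untrusted parent for hollowing, a Run key pointing into %APPDATA%, and HTTP traffic originating from the hollowed process) can be hunted together in endpoint telemetry. The block below is an added example, not code from the Unit 42 article: detection logic run over constructed Sysmon-style events (Event ID 1 process create, 13 registry value set, 3 network connection). The sample lines, paths and the allow-list of trusted parent directories are assumptions, not observations from the page.

```python
"""
Added example (not code from the Unit 42 article): hunting logic for the
LokiBot behaviours summarised above, run over constructed Sysmon-style events.
Field names follow Sysmon's Event ID 1, 13 and 3 schemas; the sample lines,
paths and the trusted-parent allow-list are assumptions for illustration.
"""
import json
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample telemetry, one JSON object per line (not real logs).
SAMPLE_EVENTS = r'''
{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe", "ParentImage": "D:\\Invoice.exe", "CommandLine": "aspnet_compiler.exe"}
{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe", "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe", "CommandLine": "aspnet_compiler.exe -v / -p C:\\proj"}
{"EventID": 13, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\alice\\AppData\\Roaming\\Updater\\Updater.exe"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor", "Details": "C:\\Program Files\\Vendor\\agent.exe"}
{"EventID": 3, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 80}
'''

# Sysmon records HKCU as HKU\<SID>, so match the key path regardless of hive.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
APPDATA = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
# Assumed allow-list: aspnet_compiler.exe is legitimately launched by build
# tooling installed under these directories; anything else is worth a look.
TRUSTED_PARENT_DIRS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows\\")


def check_event(ev: Dict) -> List[str]:
    """Return one finding string per rule the event trips (empty if none)."""
    hits: List[str] = []
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    is_aspnet = image.endswith("\\aspnet_compiler.exe")

    # Hollowing target started by a parent outside the trusted directories.
    if eid == 1 and is_aspnet:
        parent = ev.get("ParentImage", "").lower()
        if not parent.startswith(TRUSTED_PARENT_DIRS):
            hits.append(f"T1055.012 candidate: aspnet_compiler.exe spawned by {ev.get('ParentImage')}")

    # Run key whose value points into the user's AppData tree.
    if eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")) and APPDATA.search(ev.get("Details", "")):
        hits.append(f"T1547.001: Run key {ev['TargetObject']} -> {ev['Details']}")

    # A compiler binary should not be talking to the network at all.
    if eid == 3 and is_aspnet:
        hits.append(f"T1071.001 candidate: aspnet_compiler.exe connected to {ev.get('DestinationIp')}:{ev.get('DestinationPort')}")
    return hits


def hunt(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Run check_event over JSON lines; returns (line number, finding) pairs."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        for hit in check_event(json.loads(line)):
            findings.append((n, hit))
    return findings


if __name__ == "__main__":
    for n, finding in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"line {n}: {finding}")
```

The second Event ID 1 line and the second Event ID 13 line are the benign controls: a build-tool parent and a Run value under Program Files are not flagged, so the rules key on the combination the article describes (user-writable parent, AppData target, network activity from the hollowed process) rather than on aspnet_compiler.exe or the Run key alone.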

Indicators of Compromise

  • [Hash] LokiBot-related file hashes – 4edd01345f58b9cc04a88ca15d6b82895f44f5b9cb51ad63b809de09029670ac, 8a5a024272361bb1ae12860c033bb52685d7b0ea3bce5fac46439f3f3ad36a84, and 1 more hash
  • [Domain] LokiBot infrastructure domains – efvsx[.]gq, ckav[.]ru
  • [IP] LokiBot infrastructure IP – 188[.]114[.]96[.]13
  • [File name] LokiBot executable – LokiBot.exe

Read more: https://unit42.paloaltonetworks.com/lokibot-spike-analysis/