Since 2015 the LokiBot trojan has been used by cybercriminals to establish backdoors on Windows machines. Its staying power can be partly attributed to the varied and often novel ways it has been distributed and to the tactics it uses to infect machines. Researchers have previously found campaigns that spread the trojan by steganography, the technique of hiding data inside another file, often an image, to avoid detection; in that case the hidden data was a malicious script that was extracted from the image and executed. Now the operators deploying the trojan are disguising it as a launcher for one of the world's most popular video games, Fortnite. The new campaign was discovered by researchers at Trend Micro, who also uncovered the steganography campaign in August 2019. The fake launcher is believed to be distributed through a spam email campaign sent to a large number of potential targets.
Spam email has been the primary distribution method for LokiBot over the years and remains an effective one. The email most likely contains an attachment or a link to the fake launcher, complete with the logo of Epic Games, the game's developer, for added authenticity. When the fake launcher is run, the infection routine begins by dropping two files into the user's AppData directory: a C# source code file and a .NET executable.
The C# source file serves two evasion purposes. First, because it is source code rather than a compiled binary, it is missed by security products that only inspect executable files. Second, it is obfuscated, a tactic common to many malware families; here the obfuscation consists of junk code interleaved with the working code that does nothing useful but changes the file enough to slip past some signature-based checks on the victim's machine. The .NET executable then reads the C# source and compiles it on the victim's machine; the compiled code decrypts the LokiBot payload and executes it.
This technique is commonly called "compile after delivery" and has long been used by other malware families to evade detection: the payload arrives as source, so no malicious binary exists on disk until the moment it is compiled. Once the machine is infected, the attacker has the backdoor needed to steal information, monitor activity, install further malware and carry out other malicious actions. Information targeted by LokiBot includes usernames, passwords, banking details and the contents of cryptocurrency wallets, harvested from installed applications and via a keylogger.
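The compile step is also the point where this technique can be caught. When a .NET loader compiles C# source at run time through the framework's CodeDom provider, the framework spawns the command line compiler csc.exe (which in turn typically spawns cvtres.exe), so the process tree is visible to endpoint telemetry. The following is an added example, not code from the article or from Trend Micro's report: a small detector that scans Sysmon Event ID 1 style process-creation records and flags csc.exe or vbc.exe launches whose parent is not a known build tool, or that involve a user-writable directory such as %AppData%. The event lines, file paths and the "FortniteLauncher.exe" process name are constructed for illustration, and the allow list of legitimate build parents is an assumption to tune per environment.

```python
"""Detect "compile after delivery" in Windows process-creation telemetry.

Added example (not the article's or Trend Micro's code). Scans constructed
Sysmon Event ID 1 style records and flags runtime invocations of the .NET
command line compilers that do not look like a normal developer build.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

COMPILERS = {"csc.exe", "vbc.exe"}

# Assumed allow list: parents that legitimately drive the compiler during builds.
KNOWN_BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}

# User-writable locations a dropped loader typically lives in or compiles from.
USER_WRITABLE = re.compile(r"[a-z]:\\users\\[^\\]+\\(appdata|downloads)\\", re.I)


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str


def parse_event(line: str) -> ProcessEvent:
    """Parse a flattened 'Key: value|Key: value' record (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return ProcessEvent(fields["Image"], fields["CommandLine"], fields["ParentImage"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> List[str]:
    """Return the reasons an event looks like a loader compiling code at run time."""
    if basename(event.image) not in COMPILERS:
        return []
    reasons = []
    parent = basename(event.parent_image)
    if parent not in KNOWN_BUILD_PARENTS:
        reasons.append(f"{basename(event.image)} started by non-build parent {parent}")
    if USER_WRITABLE.search(event.parent_image):
        reasons.append("parent runs from a user-writable directory")
    if USER_WRITABLE.search(event.command_line):
        reasons.append("compiler input/output in a user-writable directory")
    return reasons


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, reasons) for every flagged event."""
    hits = []
    for idx, line in enumerate(lines):
        reasons = classify(parse_event(line))
        if reasons:
            hits.append((idx, reasons))
    return hits


# Constructed sample telemetry: a normal Visual Studio build, a dropped loader
# compiling from %AppData% (the loader name is invented), and an unrelated event.
SAMPLE_EVENTS = [
    r"Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
    r"|CommandLine: csc.exe /noconfig /fullpaths @C:\src\app\obj\Debug\app.cmdline"
    r"|ParentImage: C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
    r"Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    r"|CommandLine: csc.exe /noconfig /fullpaths @C:\Users\bob\AppData\Local\Temp\q2k1.cmdline"
    r"|ParentImage: C:\Users\bob\AppData\Roaming\Launcher\FortniteLauncher.exe",
    r"Image: C:\Windows\explorer.exe"
    r"|CommandLine: explorer.exe"
    r"|ParentImage: C:\Windows\System32\userinit.exe",
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

Only the second event is flagged, on all three counts: the compiler's parent is an unknown executable, that parent lives under the user's AppData, and the compiler's response file sits in the user's Temp directory. A build server or developer workstation will need its own parent allow list, but on an ordinary end-user machine any csc.exe launch outside a software update is worth a look.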
LokiBot’s Continued Popularity
The latest campaign continues LokiBot's run of popularity. Understanding why the trojan is so widely used by hackers and other cybercriminals requires a deeper look at its less than illustrious history, which researchers at Trend Micro summarised neatly:
“LokiBot, which has the ability to harvest sensitive data such as passwords as well as cryptocurrency information, proves that the actors behind it are invested in evolving the threat. In the past, we have seen a campaign that exploits a remote code execution vulnerability to deliver LokiBot using the Windows Installer service, a LokiBot variant that uses ISO images, and a variant with an improved persistence mechanism using steganography. Recently, we discovered LokiBot (detected by Trend Micro as Trojan.Win32.LOKI) impersonating a popular game launcher to trick users into executing it on their machines. Further analysis revealed that a sample of this variant employs a quirky installation routine that involves dropping a compiled C# code file.”
This brief history tells only part of the story. Early in LokiBot's lifecycle its code was leaked, which allowed other hackers to develop their own iterations and add features as they saw fit. The malware was originally developed by someone based in a former Soviet bloc country who went by the name “lokistov” and sold it for approximately 400 USD.
How the initial leak occurred is unknown, but it is believed that “lokistov” may have been hacked. Regardless of how it happened, code strikingly similar to the original LokiBot surfaced on hacker forums and was sold for 80 USD. In a separate development, someone managed to patch the malware without access to its source code, allowing other individuals to point it at command and control domains under their own control instead of the ones originally hardcoded into the binary. Several versions of LokiBot exist today, but all show a clear lineage to the original created by “lokistov”.
A number of measures significantly reduce the chance of a LokiBot infection. One is disabling Office macros, since previous campaigns were spread through malicious documents that relied on macros being enabled in order to run scripts and executables. Because LokiBot has so often been distributed through spam email, users should also not click links or open attachments from untrusted sources.
In the latest campaign, the choice to impersonate a well-known game launcher suggests the attackers intended to target younger users keen to play the game but unfamiliar with how malware arrives by spam email. Social engineering on this scale is a popular tactic among hackers spreading other types of malware as well. Keeping security software up to date will also drastically reduce the chances of infection.