LokiBot Description

Type: Trojan

LokiBot is a threat that is used to collect information from affected computers. LokiBot includes a keylogger component that can be used to collect the victim's passwords and login data, which it then sends to an external server, where the criminals can access the victim's data and online accounts. The main way in which LokiBot is distributed is through spam email campaigns, which often use corrupted email attachments to deliver threats like LokiBot to the victims' computers. Once LokiBot is installed, it is capable of collecting a wide variety of usernames, passwords, and numerous other credentials, as well as information related to cryptocurrency wallets and other online accounts.

How LokiBot is Distributed

The most common way in which LokiBot is used to carry out attacks is by exploiting a vulnerability in Windows known as CVE-2017-11882. This is an exploit that was patched by Microsoft recently, but there are also many computer users who have not updated their computers, so they may still be vulnerable to the exploit being used to deliver LokiBot. The method used to deliver LokiBot, which involves an MSI installer, has been used in the past to deliver low-grade threats and Potentially Unwanted Programs (PUPs), such as adware and similar threats. However, it seems that this method is now being leveraged by criminals to deliver more severe malware like LokiBot.


Which is the Best Way to Handle the LokiBot Attacks?

Since the most common way in which LokiBot (as well as many other threats) is delivered is via spam email attachments, learning to recognize these tactics and reacting to them appropriately is essential in dealing with attacks like LokiBot and limiting their impact. In addition, a reliable security program that is fully up to date can help prevent LokiBot from being installed. One further aspect of LokiBot is the fact that this particular campaign is leveraging a very specific vulnerability in Windows. Having the latest security patches can ensure that potential victims are safe from threats like this one.

The LokiBot spam campaign through which the threat is believed to spread comes as an obfuscated .zipx archive file that unpacks the LokiBot attack. The file arrives as an attachment in a spam email, as shown in Figure 1 below.

Figure 1. LokiBot obfuscated RFQ -5600005870.zipx file attached to a spam email message

A Brief Explanation about the LokiBot Attack Process

The vulnerability that is being used to distribute LokiBot was patched in November 2017. However, this patch did not stop numerous criminals from using it to deliver a wide variety of threats, ranging from ransomware to several data-collecting Trojans. The version of LokiBot being distributed is a cracked version of this Trojan, meaning that a second group of criminals has obtained this threat from its original creators. LokiBot is capable of collecting login credentials, data from the infected computers, and cryptocurrency wallet login credentials, and of tracking keystrokes and other actions executed on the infected computers. There are several components involved in the LokiBot attack, and they are very heavily obfuscated, meaning that it is very difficult for PC security researchers to study their contents or to determine with any degree of certainty LokiBot's code or some essential aspects of the attack.

Preventing LokiBot Attacks

Since LokiBot is commonly delivered using phishing email messages, implementing security measures that address this kind of content in the small businesses and organizations targeted in these attacks can help mitigate their impact. Learning to recognize these tactics is often about understanding the context and seeing the warning signs that may be present in an email message received on an affected computer. Grammar errors and misspelled content are often a cue for computer users to realize that a spam email message is not legitimate, although many such messages can be crafted to be highly convincing. It is also essential to protect your computer with strong, regularly updated security software, which will stop threats like LokiBot.

Technical Information

File System Details

LokiBot creates the following file(s):
#   File Name                                                                       MD5                                 Detection Count
1   e2d21499979612e09f8df32bb97bc4e068926abfdff3bf6e3d451012dabe502d.exe            e07601974ced5b715dfde8e880f0e096    4
2   w32host.exe                                                                     bde54939438664911981d525b12329a7    3
3   RFQ -5600005870.zipx                                                            N/A
4   RFQ -5600005870.exe                                                             N/A
5   file.exe                                                                        6c53237e57f4e4741d94ee4516850ea7    0
6   ssx.exe                                                                         f4f7713fec294c7344655c8ddded266b    0

Registry Details

LokiBot creates the following registry entry or registry entries:
Regexp file mask
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vscdme.vbe
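The file names, MD5 hashes and Startup-folder path listed in the File System Details and Registry Details above can be turned into a simple host sweep. The following script is an added example written for this article, not code from the article or from any security product: it walks a directory tree, hashes every file, and reports anything whose MD5 or file name matches the indicators above, then checks the per-user Startup folder for the vscdme.vbe persistence file. The indicator values are copied from the tables above; the directory to scan and the chunk size are the script's own choices.

```python
"""Added example (not from the original article): sweep a directory tree for
the LokiBot file indicators listed in the article's Technical Information
section, and check the user's Startup folder for the persistence file.
"""
import hashlib
import os
from pathlib import Path

# MD5 hashes of dropped files, copied from the article's File System Details table.
LOKIBOT_MD5 = {
    "e07601974ced5b715dfde8e880f0e096",
    "bde54939438664911981d525b12329a7",
    "6c53237e57f4e4741d94ee4516850ea7",
    "f4f7713fec294c7344655c8ddded266b",
}

# File names from the same table plus the Startup-folder file from Registry Details
# (compared case-insensitively, as Windows file names are).
LOKIBOT_NAMES = {
    "w32host.exe",
    "rfq -5600005870.zipx",
    "rfq -5600005870.exe",
    "ssx.exe",
    "vscdme.vbe",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Return the hex MD5 of a file, reading it in chunks so large files fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, known_md5=LOKIBOT_MD5, known_names=LOKIBOT_NAMES):
    """Walk `root` and return a list of (path, reason) findings.

    A file is reported when its lower-cased name is in `known_names` or its MD5
    is in `known_md5`. Files that cannot be read (locked, permission denied)
    are skipped so one bad file does not abort the sweep.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in known_names:
                findings.append((str(path), "name match: " + name))
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in known_md5:
                findings.append((str(path), "md5 match: " + digest))
    return findings


def startup_folder():
    """Per-user Startup folder named in the article's Registry Details:
    %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"""
    appdata = os.environ.get("APPDATA", "")
    return Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def check_startup_persistence(folder=None):
    """Return True if vscdme.vbe is present in `folder` (default: the user's Startup folder)."""
    folder = Path(folder) if folder is not None else startup_folder()
    return (folder / "vscdme.vbe").is_file()


if __name__ == "__main__":
    # Scan the current user's profile; on Windows USERPROFILE is set, elsewhere fall back to ~.
    root = os.environ.get("USERPROFILE") or os.path.expanduser("~")
    for path, reason in scan_tree(root):
        print(f"{reason}: {path}")
    if check_startup_persistence():
        print("LokiBot persistence file vscdme.vbe present in Startup folder")
```

A name match alone is weak evidence (legitimate files can share a name), whereas an MD5 match identifies the exact sample listed; treat the two findings accordingly, and remember that a recompiled or repacked build of the Trojan will not match any of the listed hashes, so an empty result does not prove a host is clean.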


Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.