
Detecting The Infamous LokiBot Malware Virus


By: Owen Dubiel

May 19, 2021

LokiBot is an information-stealing trojan that keeps advancing as it ages. It is known as a capable credential and cryptocurrency-wallet stealer, has been observed across several industries, and continues to refine and change its techniques. First seen in 2015, it has had more than a dozen confirmed mainstream appearances since then. Disguising itself as a video game launcher (Fortnite) and as various Android libraries, LokiBot will keep security researchers on their toes for some time. This article looks at some of its technical details and the techniques it has used, and closes with a search query for detecting traces of LokiBot activity in your Azure Sentinel instance.

The Technicals

LokiBot is a stealer with keylogging capability: it captures keystrokes from both desktop applications and browsers. In certain instances it has also been observed establishing a backdoor to deliver further payloads. It primarily targets Windows systems, which it reaches through phishing email and malicious web links.

Observed techniques used

Its activity continues to grow and transform. The malware consistently lives within four tactics of the MITRE ATT&CK framework: Defense Evasion, Credential Access, Discovery, and Exfiltration. The following are only some of the techniques that have been observed in the wild:

  • Gathers supporting data about the host, such as domain name and username
  • Base64 encoding of data
  • Multiple packing methods for obfuscation
  • Initiates command and control to exfiltrate stolen data
  • Process injection into vbc.exe
  • Keylogging (input capture)
  • Uses HTTP for command and control
  • Delivered as an attachment in spear-phishing email campaigns
  • Copies itself to hidden directories to establish persistence

Keeping the above techniques in mind, you can see why LokiBot has earned its name: like the trickster god Loki, it is sneaky, stealthy, and takes whatever form suits it. The key to detecting malware of this severity is understanding the actions it can take and the assets it usually targets, and then mapping that attack pattern into a high-severity alert in your SIEM.

The search query for Azure Sentinel

The search below is written for Azure Sentinel in Kusto Query Language (KQL), wrapped in the JSON of a scheduled analytics rule. Parts of it may need to be tweaked if additional logic is required for your Azure instance. It carries the known hashes used by LokiBot, the rule logic for the trigger threshold, query frequency and lookback period, and the entity mapping (account and host) that Sentinel uses when an alert fires.

{
  "displayName": "LokiBot Trojan Detector (Sysmon). by Alexandr Yampolskyi, SOC Prime",
  "description": "LokiBot Trojan Detector. Technique: T1059,T1204. Author: Alexandr Yampolskyi, SOC Prime. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://tdm.socprime.com/tdm/info/0.",
  "severity": "high",
  "enabled": true,
  "query": "SysmonEvent | where ((EventID == 1 and ((CommandLine == 'GET /bobby/' or CommandLine == 'POST /bobby/Panel/') or (Hashes has '3C4BE617FDA78DA05B38F4EE52121E99' or Hashes has '7FB5A88768D7ECE242DBD4B30EDEFF0C' or Hashes has '14A4DFFE0105A7DEF2A1EFF32899A9AC' or Hashes has 'E69245E9685CB204105E69C424F304CC' or Hashes has '75CCD03BB4934490A9F599A15381F43D' or Hashes has '68BEFE15006189CE8215371935F8E720' or Hashes has '05869152534B238D25051F7718FDB382' or Hashes has '3DFA31D85482009479FEAFD5AF7E818A' or Hashes has 'f9b5535bffd5c0525cb1e59bf79f06d925448b12f106fe1e972473fab4f082fa' or Hashes has '4bf2658e0f69865c977cabd24b8dccca38ffc09a17b3367e5f702d2993cf00f7' or Hashes has 'ed5550d3047903d3e09363f90b6d49f519d1484af4e528fd95f1e5f3e5a008b2' or Hashes has '5b1b12f580dcc0219e88887cbe5af7f2' or Hashes has '51c86d4fe87f490e4da5e8035645e548' or Hashes has 'c94d4d0a893a786d51e4acbb66c3cd29' or Hashes has '007b3818d95f328376d73f3714c49154' or Hashes has 'D3E758016C147B5035E20D22E6888E6F' or Hashes has '09ef7c56d36365fd24d45660c3246a0a' or Hashes has '42844D8957C46DD47EFFEC1C54273EFC' or Hashes has 'D4BBE7685E53F6B788F65268BEA485C3' or Hashes has 'B18F0AD651B48B3DEC184B4F95BFCAE3'))) or (EventID == 11 and (TargetObject endswith 'F63AAA'))) | extend AccountCustomEntity = UserName | extend HostCustomEntity = Computer",
  "queryFrequency": "12H",
  "queryPeriod": "12H",
  "triggerOperator": "GreaterThan",
  "triggerThreshold": 0,
  "suppressionDuration": "12H",
  "suppressionEnabled": true,
  "tactics": [ "Execution" ]
}

Take note of the reference and GitHub license links inside the rule, and check back at them every so often to make sure you have the latest version of the search. Since a big part of detecting LokiBot rests on known hashes, new hashes need to be added to this search over time to keep it relevant, and a freshly repacked sample will not match any of them. Two caveats about the fields the rule relies on: Sysmon records Hashes as a comma-separated list such as MD5=...,SHA256=...,IMPHASH=..., so an exact comparison of the whole field against a bare digest never matches; match the digest as a token within the field (KQL has, which is also case-insensitive, whereas == is not and the list mixes upper- and lower-case digests). And the Event ID 11 (FileCreate) condition keys on a file name ending in F63AAA; confirm which column your SysmonEvent parser exposes for that event (native Sysmon calls it TargetFilename) before relying on it.

Another pro tip: review the scheduling parameters at the end of the rule (queryFrequency, queryPeriod, triggerOperator, triggerThreshold and suppressionDuration) to make sure they fit your use case. For example, if you only want a dashboard showing results over the last 24 hours, adjust the period or threshold accordingly. If you want this to be an alert, triggerOperator GreaterThan with triggerThreshold 0 fires on a single occurrence, and a shorter queryFrequency than the 12-hour default cuts the delay between a match and the alert; keep queryPeriod at least as long as queryFrequency so no events fall between runs.
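To check the matching logic before deploying the rule, the following script replays its three conditions (known hash, C2 URI in the command line, dropped file name suffix) over a handful of constructed Sysmon-style records. This is an added example for this article, not code from the article's author or from SOC Prime's rule; the record layout, the field names (Computer, UserName, Hashes, TargetObject) and the sample events are assumptions, only the first hash is taken from the rule, and it generalises the rule by testing the command line for the URI fragment as a substring rather than for exact equality.

```python
# Added example (not part of the article or of SOC Prime's rule): the Sentinel
# rule's matching logic replayed in Python over constructed Sysmon-style
# records, so the hash, command-line and file-drop conditions can be checked
# offline before the KQL is deployed.
from collections import defaultdict

# A subset of the MD5/SHA256 indicators from the rule (first one copied from it,
# the rest from the same list); extend from the rule's reference link as new
# samples appear. Digests are compared case-insensitively.
LOKIBOT_HASHES = {
    "3c4be617fda78da05b38f4ee52121e99",
    "7fb5a88768d7ece242dbd4b30edeff0c",
    "f9b5535bffd5c0525cb1e59bf79f06d925448b12f106fe1e972473fab4f082fa",
}
# C2 URI fragments from the rule. The rule tests CommandLine for equality; a
# substring test is used here (an assumption that generalises the rule).
C2_URI_MARKERS = ("/bobby/Panel/", "/bobby/")
# Suffix of the dropped file name the rule looks for on Sysmon Event ID 11.
DROP_SUFFIX = "F63AAA"


def parse_sysmon_hashes(field):
    """Sysmon writes the Hashes field as 'MD5=...,SHA256=...,IMPHASH=...'.
    Return {algorithm: lowercase digest}. Comparing the whole field against a
    bare digest with == can never match, which is why it is split first."""
    parsed = {}
    for part in field.split(","):
        algo, sep, digest = part.partition("=")
        if sep:
            parsed[algo.strip().upper()] = digest.strip().lower()
    return parsed


def match_event(event):
    """Return the list of rule conditions the event satisfies (empty if none)."""
    reasons = []
    if event.get("EventID") == 1:  # process creation
        cmd = event.get("CommandLine", "")
        if any(marker in cmd for marker in C2_URI_MARKERS):
            reasons.append("c2_uri_in_commandline")
        digests = set(parse_sysmon_hashes(event.get("Hashes", "")).values())
        for digest in sorted(LOKIBOT_HASHES & digests):
            reasons.append("known_hash:" + digest)
    elif event.get("EventID") == 11:  # file creation
        # Native Sysmon names this field TargetFilename; the rule's parser
        # exposes TargetObject, so accept either (assumption).
        target = event.get("TargetObject") or event.get("TargetFilename") or ""
        if target.upper().endswith(DROP_SUFFIX):
            reasons.append("dropped_file_suffix")
    return reasons


def evaluate(events, trigger_threshold=0):
    """Mimic the rule's entity mapping and its 'GreaterThan' trigger: one alert
    per host whose count of matching events exceeds the threshold."""
    per_host = defaultdict(list)
    for event in events:
        reasons = match_event(event)
        if reasons:
            per_host[event.get("Computer", "?")].append(
                {"account": event.get("UserName", "?"), "reasons": reasons})
    return {host: hits for host, hits in per_host.items()
            if len(hits) > trigger_threshold}


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "UserName": "CORP\\alice",
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\launcher.exe",
     "CommandLine": "launcher.exe",
     "Hashes": "MD5=3C4BE617FDA78DA05B38F4EE52121E99,SHA256=" + "0" * 64},
    {"EventID": 1, "Computer": "WS02", "UserName": "CORP\\bob",
     "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe",
     "CommandLine": "vbc.exe POST /bobby/Panel/ HTTP/1.1",
     "Hashes": "MD5=" + "a" * 32 + ",SHA256=" + "b" * 64},
    {"EventID": 11, "Computer": "WS02", "UserName": "CORP\\bob",
     "TargetObject": "C:\\Users\\bob\\AppData\\Roaming\\1AB2C3\\F63AAA"},
    {"EventID": 1, "Computer": "WS03", "UserName": "CORP\\carol",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe",
     "Hashes": "MD5=" + "c" * 32 + ",SHA256=" + "d" * 64},
]

if __name__ == "__main__":
    for host, hits in evaluate(SAMPLE_EVENTS).items():
        print(host, hits)
```

Running it reports WS01 (known hash) and WS02 (C2 URI plus file drop) and stays silent on WS03; raising trigger_threshold to 1 keeps only WS02, which is the knob to turn if a single hash hit on a busy host is too noisy for paging.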

Conclusion

Improving overall security is the end goal for any professional in the industry. By taking the steps above to identify and remediate LokiBot activity, you remove a severe threat to your organization's assets. Check out Cybrary's course material on malware analysis if you are interested in understanding more about how to identify specific malware strains in the wild.
