S0447 Lokibot
Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. Lokibot can also create a backdoor into infected systems to allow an attacker to install additional payloads.[1][2][3]
Item | Value |
---|---|
ID | S0447 |
Associated Names | - |
Type | MALWARE |
Version | 2.0 |
Created | 14 May 2020 |
Last Modified | 11 October 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | Lokibot has utilized multiple techniques to bypass UAC.[4] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Lokibot has used HTTP for C2 communications.[1][4] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | Lokibot has used PowerShell commands embedded inside batch scripts.[4] |
enterprise | T1059.003 | Windows Command Shell | Lokibot has used `cmd /c` commands embedded within batch scripts.[4] |
enterprise | T1059.005 | Visual Basic | Lokibot has used VBS scripts and XLS macros for execution.[4] |
enterprise | T1555 | Credentials from Password Stores | Lokibot has stolen credentials from multiple applications and data sources including Windows OS credentials, email clients, FTP, and SFTP clients.[1] |
enterprise | T1555.003 | Credentials from Web Browsers | Lokibot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Lokibot has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR.[4] |
enterprise | T1041 | Exfiltration Over C2 Channel | Lokibot has the ability to initiate contact with command and control (C2) to exfiltrate stolen data.[5] |
enterprise | T1083 | File and Directory Discovery | Lokibot can search for specific files on an infected host.[4] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.001 | Hidden Files and Directories | Lokibot has the ability to copy itself to a hidden file and directory.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Lokibot will delete its dropped files after bypassing UAC.[4] |
enterprise | T1105 | Ingress Tool Transfer | Lokibot downloaded several staged items onto the victim's machine.[4] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | Lokibot has the ability to capture input on the compromised host via keylogging.[5] |
enterprise | T1112 | Modify Registry | Lokibot has modified the Registry as part of its UAC bypass process.[4] |
enterprise | T1106 | Native API | Lokibot has used the `LoadLibrary()`, `GetProcAddress()` and `CreateRemoteThread()` API functions to execute its shellcode.[4] |
enterprise | T1027 | Obfuscated Files or Information | Lokibot has obfuscated strings with base64 encoding.[1] |
enterprise | T1027.002 | Software Packing | Lokibot has used several packing methods for obfuscation.[1] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Lokibot is delivered via a malicious XLS attachment contained within a spearphishing email.[4] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.012 | Process Hollowing | Lokibot has used process hollowing to inject itself into a legitimate Windows process.[1][4] |
enterprise | T1620 | Reflective Code Loading | Lokibot has reflectively loaded the decoded DLL into memory.[4] |
enterprise | T1053 | Scheduled Task/Job | Lokibot's second stage DLL has set a timer using `timeSetEvent` to schedule its next execution.[4] |
enterprise | T1053.005 | Scheduled Task | Lokibot embedded the command `schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I` inside a batch script.[4] |
enterprise | T1082 | System Information Discovery | Lokibot has the ability to discover the computer name and Windows product name/version.[5] |
enterprise | T1016 | System Network Configuration Discovery | Lokibot has the ability to discover the domain name of the infected host.[5] |
enterprise | T1033 | System Owner/User Discovery | Lokibot has the ability to discover the username on the infected host.[5] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | Lokibot has tricked recipients into enabling malicious macros by getting victims to click "enable content" in email attachments.[6][4] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.003 | Time Based Evasion | Lokibot has performed a time-based anti-debug check before downloading its third stage.[4] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0083 | SilverTerrier | [7] |
References
1. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
2. Cheruku, H. (2020, April 15). LOKIBOT WITH AUTOIT OBFUSCATOR + FRENCHY SHELLCODE. Retrieved May 14, 2020.
3. DHS/CISA. (2020, September 22). Alert (AA20-266A) LokiBot Malware. Retrieved September 15, 2021.
4. Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
5. Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020.
6. Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019.
7. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.