
S0447 Lokibot

Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. Lokibot can also create a backdoor into infected systems to allow an attacker to install additional payloads. [1][2][3]

ID: S0447
Associated Names: -
Version: 2.0
Created: 14 May 2020
Last Modified: 11 October 2021

Techniques Used

Domain | ID | Name | Use
enterprise | T1548 | Abuse Elevation Control Mechanism | -
enterprise | T1548.002 | Bypass User Account Control | Lokibot has utilized multiple techniques to bypass UAC. [4]
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | Lokibot has used HTTP for C2 communications. [1][4]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | Lokibot has used PowerShell commands embedded inside batch scripts. [4]
enterprise | T1059.003 | Windows Command Shell | Lokibot has used cmd /c commands embedded within batch scripts. [4]
enterprise | T1059.005 | Visual Basic | Lokibot has used VBS scripts and XLS macros for execution. [4]
enterprise | T1555 | Credentials from Password Stores | Lokibot has stolen credentials from multiple applications and data sources, including Windows OS credentials, email clients, and FTP and SFTP clients. [1]
enterprise | T1555.003 | Credentials from Web Browsers | Lokibot has demonstrated the ability to steal credentials from multiple applications and data sources, including Safari and Chromium- and Mozilla Firefox-based web browsers. [1]
enterprise | T1140 | Deobfuscate/Decode Files or Information | Lokibot has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR. [4]
enterprise | T1041 | Exfiltration Over C2 Channel | Lokibot has the ability to initiate contact with command and control (C2) to exfiltrate stolen data. [5]
enterprise | T1083 | File and Directory Discovery | Lokibot can search for specific files on an infected host. [4]
enterprise | T1564 | Hide Artifacts | -
enterprise | T1564.001 | Hidden Files and Directories | Lokibot has the ability to copy itself to a hidden file and directory. [1]
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.004 | File Deletion | Lokibot will delete its dropped files after bypassing UAC. [4]
enterprise | T1105 | Ingress Tool Transfer | Lokibot downloaded several staged items onto the victim's machine. [4]
enterprise | T1056 | Input Capture | -
enterprise | T1056.001 | Keylogging | Lokibot has the ability to capture input on the compromised host via keylogging. [5]
enterprise | T1112 | Modify Registry | Lokibot has modified the Registry as part of its UAC bypass process. [4]
enterprise | T1106 | Native API | Lokibot has used the LoadLibrary(), GetProcAddress() and CreateRemoteThread() API functions to execute its shellcode. [4]
enterprise | T1027 | Obfuscated Files or Information | Lokibot has obfuscated strings with base64 encoding. [1]
enterprise | T1027.002 | Software Packing | Lokibot has used several packing methods for obfuscation. [1]
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | Lokibot is delivered via a malicious XLS attachment contained within a spearphishing email. [4]
enterprise | T1055 | Process Injection | -
enterprise | T1055.012 | Process Hollowing | Lokibot has used process hollowing to inject itself into legitimate Windows processes. [1][4]
enterprise | T1620 | Reflective Code Loading | Lokibot has reflectively loaded the decoded DLL into memory. [4]
enterprise | T1053 | Scheduled Task/Job | Lokibot's second-stage DLL has set a timer using "timeSetEvent" to schedule its next execution. [4]
enterprise | T1053.005 | Scheduled Task | Lokibot embedded the command schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I inside a batch script. [4]
enterprise | T1082 | System Information Discovery | Lokibot has the ability to discover the computer name and Windows product name/version. [5]
enterprise | T1016 | System Network Configuration Discovery | Lokibot has the ability to discover the domain name of the infected host. [5]
enterprise | T1033 | System Owner/User Discovery | Lokibot has the ability to discover the username on the infected host. [5]
enterprise | T1204 | User Execution | -
enterprise | T1204.002 | Malicious File | Lokibot has tricked recipients into enabling malicious macros by getting victims to click "enable content" in email attachments. [6][4]
enterprise | T1497 | Virtualization/Sandbox Evasion | -
enterprise | T1497.003 | Time Based Evasion | Lokibot has performed a time-based anti-debug check before downloading its third stage. [4]

Groups That Use This Software

ID | Name | References
G0083 | SilverTerrier | [7]