
LokiBot Malware Employs API Hashing and 3DES Encryption for C2 to Conceal Infostealer Activity


LokiBot: The Resilient Infostealer Continues to Adapt and Evade Detection

LokiBot, one of the oldest and most persistent infostealers in circulation, has evolved considerably since it first appeared in May 2015. Initially sold on underground forums by vendors known as ‘lokistov’ and ‘carter,’ it has stayed relevant by continually adapting its techniques to evade detection and frustrate analysis. Recent samples show notable advances, particularly in static detection evasion and obfuscation.

One of the main enhancements is the combination of API hashing with 3DES encryption of the command-and-control (C2) configuration stored inside the binary. Because neither the resolved API names nor the C2 endpoints appear in cleartext, the attributes that static analysis tools would normally key on are absent, and the malware is harder to identify before it runs its payloads.

The loader is compact and built for stealth: it reconstructs and executes a conventional LokiBot payload while keeping observable imports to a minimum, which also conceals its network infrastructure. A JScript layer mixes the real decoding logic with decoy functions to complicate analysis, and timed cleanup routines delete temporary files and terminate processes once they exceed set time thresholds. Together these measures extend how long LokiBot can run undetected.

A key part of the chain is a PowerShell component that acts as a reflective .NET assembly loader. It XOR-decodes a Base64-encoded .NET assembly, loads it with [System.Reflection.Assembly]::Load, and invokes it through the MEN.EXECUTE.LAUNCH() entry point. The parameters passed at this stage are the full path to aspnet_compiler.exe and a long byte array, which together allow a Portable Executable (PE) image to be injected into that target process.

The final payload is a 32-bit PE compiled with Microsoft Visual C++ 2015, with an “x” data section holding the 3DES-encrypted C2 endpoints. Encrypting them conceals the C2 infrastructure and complicates any attempt to trace the communication path back to the operators.

According to the security research firm LevelBlue, a typical LokiBot campaign starts with malspam carrying an obfuscated JScript attachment, which uses Windows Script Host to stage a Base64-encoded PowerShell loader. The malware’s custom hashing function, which applies repeated right shifts combined with XOR against a fixed constant, underpins its import evasion: rather than a conventional import table, LokiBot ships a minimal static import set and resolves the functions it needs at runtime by enumerating the export names of the targeted Dynamic-Link Libraries (DLLs) and comparing their hashes with precomputed values.

This hashing approach shrinks the static signatures associated with LokiBot, forcing analysts either to emulate its behaviour or to enumerate DLL exports themselves in order to work out which functions it calls. The C2 configuration is protected by symmetric encryption: the endpoints stay encrypted inside the binary and are decrypted only during execution, when they are used for the HTTP requests of the initial beacon and subsequent command retrieval.

Once running, LokiBot first creates a mutex named from the MD5 hash of the MachineGuid, which prevents multiple instances from running at the same time. It then copies itself into the %AppData% directory under a name likewise derived from the MachineGuid to avoid detection, and attempts to create a Run key for persistence.

Several LokiBot versions built with patched builders have a broken decryption subroutine that produces malformed registry keys, so persistence fails in those variants, a small advantage for defenders.

The operational capabilities of LokiBot are extensive, allowing it to enumerate and extract credentials from over a hundred targeted applications including browsers, cryptocurrency wallets, password managers, email, and FTP clients. The harvested data is aggregated, compressed using aPLib, and subsequently exfiltrated to the decrypted C2 over HTTP. After the data theft, the malware enters a loop, beacons system metadata every minute, and spawns threads to process any received commands.

For defenders, the key detection opportunities are script-based staging involving obfuscated JScript and PowerShell, irregular use of aspnet_compiler.exe, anomalous mutex names tied to MachineGuid hashes, and binaries with a small import table that walk DLL exports at runtime.
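As an added example (not code from the article or from LevelBlue's research), the following Python turns three of the detection opportunities above into checks over constructed Sysmon-style events: a script host launching encoded PowerShell, aspnet_compiler.exe started by a script host, and a mutex name matching the MD5 of the MachineGuid. The MachineGuid value, the event records and the assumption that the mutex carries a hex prefix of the MD5 digest are all mine; adjust the mutex check to the exact format recovered from a sample.

```python
import hashlib
import ntpath
import re
from typing import Dict, List

# Constructed sample value, not a real host's MachineGuid.
MACHINE_GUID = "6f9619ff-8b86-d011-b42d-00c04fc964ff"

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
ENCODED_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def machineguid_md5(guid: str) -> str:
    # Assumption: the sample hashes the bare lowercase GUID string stored under
    # HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid (no braces).
    return hashlib.md5(guid.strip().strip("{}").lower().encode("ascii")).hexdigest()


def is_machineguid_mutex(name: str, guid: str, min_len: int = 12) -> bool:
    """True when the mutex name is a hex prefix of MD5(MachineGuid).

    The article only says the mutex is derived from that MD5; how many hex
    digits are kept is an assumption, so any prefix of at least min_len digits
    is accepted (a full 32-digit name matches too)."""
    token = re.sub(r"^(Global|Local)\\", "", name)
    token = re.sub(r"[^0-9a-fA-F]", "", token).lower()
    return len(token) >= min_len and machineguid_md5(guid).startswith(token)


def script_host_spawns_encoded_powershell(ev: Dict[str, str]) -> bool:
    """Windows Script Host launching PowerShell with an encoded command."""
    return (basename(ev.get("parent", "")) in {"wscript.exe", "cscript.exe"}
            and basename(ev.get("image", "")) in {"powershell.exe", "pwsh.exe"}
            and ENCODED_FLAG.search(ev.get("cmdline", "")) is not None)


def aspnet_compiler_from_script_host(ev: Dict[str, str]) -> bool:
    """aspnet_compiler.exe started by a script host rather than a build tool."""
    return (basename(ev.get("image", "")) == "aspnet_compiler.exe"
            and basename(ev.get("parent", "")) in SCRIPT_HOSTS)


def run_detections(events: List[Dict[str, str]], guid: str) -> List[str]:
    """Apply all three checks and return one alert string per hit."""
    alerts: List[str] = []
    for ev in events:
        if ev["type"] == "process":
            if script_host_spawns_encoded_powershell(ev):
                alerts.append("script staging: %s -> encoded PowerShell" % basename(ev["parent"]))
            if aspnet_compiler_from_script_host(ev):
                alerts.append("injection target: %s -> aspnet_compiler.exe" % basename(ev["parent"]))
        elif ev["type"] == "mutex" and is_machineguid_mutex(ev["name"], guid):
            alerts.append("mutex %s matches MD5(MachineGuid)" % ev["name"])
    return alerts


# Constructed telemetry: the last two process events and the MSCTF mutex are
# benign controls; the others mirror the chain the article describes.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\wscript.exe", "cmdline": "wscript.exe invoice.js"},
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."},
    {"type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": "aspnet_compiler.exe"},
    {"type": "process", "parent": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": "aspnet_compiler.exe -v / -p C:\\src\\site -f C:\\build"},
    {"type": "mutex", "name": "Global\\" + machineguid_md5(MACHINE_GUID).upper()[:24]},
    {"type": "mutex", "name": "Global\\MSCTF.Asm.MutexDefault1"},
]


if __name__ == "__main__":
    for alert in run_detections(EVENTS, MACHINE_GUID):
        print(alert)
```

On a real fleet the MachineGuid is read per host from the registry and the mutex names come from a handle listing or Sysmon, so the expected value has to be computed per machine; the devenv.exe control shows why the aspnet_compiler.exe rule keys on the parent rather than the image alone.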

Security teams can speed up analysis by using HashDB together with tools such as radare2 to map the hashed APIs, and by decrypting the “x” section with 3DES keys recovered from memory during dynamic execution.

In summary, LokiBot remains a formidable threat thanks to its adaptability and evasion techniques. As it continues to evolve, analysts and defenders must keep pace, refining their methods to counter this enduring infostealer.
