LOKIBOT - A commodity malware
Lokibot is not new, but it is still a common sight because it is sold on underground forums, which puts it within reach of the average cyber-criminal. The malware is designed to steal information from infected machines and send it to a command and control (C2) server using HTTP POST requests.
Besides stealing data, it can set up persistence, receive tasks from the C2 server, and download and run additional malware.
Lokibot has been around for a few years now, but the statistics show that it is still very common. The stats provided by Any Run place this family within the top 3 of the Global rank and the top 10 of both the Week and Month ranks.
The stats from MalwareBazaar place this family among the top 10 most-seen malware families of all time.
Tria.ge stats place Lokibot in the top 5 of submissions.
Given the popularity of this malware and my curiosity, I decided to take a look at a sample and see how it works.
The sample I used in this analysis can be found here.
Static reverse engineering
Lokibot resolves most of the APIs it needs at run time. To avoid hardcoding the original API names, the malware uses hashes of the names whenever it needs to resolve them.
Before moving forward with the reverse engineering of this sample, I had to understand how Lokibot resolves the APIs and how the algorithm that computes the hashes works.
Resolving the necessary APIs
To resolve a Windows API, Lokibot calls an auxiliary function that receives an index value and a hash of the API name as arguments.
The index selects the DLL name from an in-memory array of DLL names.
| Index | DLL |
|---|---|
| 0 | kernel32.dll |
| 1 | ntdll.dll |
| 2 | shlwapi.dll |
| 3 | crypt32.dll |
| 4 | wininet.dll |
| 5 | urlmon.dll |
| 6 | netapi32.dll |
| 7 | ws2_32.dll |
| 8 | user32.dll |
| 9 | advapi32.dll |
| 10 | shell32.dll |
| 11 | gdiplus.dll |
| 12 | gdi32.dll |
| 13 | ole32.dll |
| 14 | gdi32.dll |
To get the final addresses, Lokibot loads the selected DLL and parses its export table.
For each name in the export table, Lokibot computes the hash of that name and compares it with the hash passed as an argument; the first match yields the function address.
API string hashing algorithm
Pseudo code of the hashing algorithm used by this Lokibot sample:
Using my own implementation of this algorithm in Python, I was able to build a list of Windows API names alongside their hashes.
In this gist, you can find the full list containing the API names and the hashes.
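To make the resolution mechanism concrete, here is an added Python example (my editorial addition, not the author's code and not the sample's hashing algorithm, which the post does not reproduce). It builds a tiny synthetic export directory laid out like a real IMAGE_EXPORT_DIRECTORY (with RVA equal to offset, so no section mapping is needed), resolves a function by name hash exactly the way a hash-based resolver walks the name table, and also produces the hash-to-name table an analyst generates for lookups. The ROR-13 hash is a stand-in chosen only because it is widely known from shellcode loaders; the export names and RVAs are constructed.

```python
import struct
from typing import Callable, Dict, Optional, Tuple

# IMAGE_EXPORT_DIRECTORY is 40 bytes; the fields we need start at +0x18:
# NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals.
EXPORT_DIR_SIZE = 0x28
NUMBER_OF_NAMES_OFF = 0x18


def ror13_hash(name: str) -> int:
    """Stand-in API-name hash (the classic ROR-13 used by many shellcode
    loaders). This is NOT the algorithm of the analysed Lokibot sample; it
    only plays the role of "hash of the export name" in this example."""
    h = 0
    for b in name.encode("ascii") + b"\x00":
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def build_hash_table(names, hashfn: Callable[[str], int] = ror13_hash) -> Dict[int, str]:
    """Analyst side: precompute hash -> API name so that hashes spotted in the
    disassembly can be looked up (the kind of list the post's gist contains)."""
    return {hashfn(n): n for n in names}


def build_fake_export_image(exports: Dict[str, int]) -> Tuple[bytes, int]:
    """Construct a flat image holding only an export directory and its three
    parallel tables, laid out so that RVA == offset. Constructed test data
    standing in for a loaded DLL; not a real module."""
    names = sorted(exports)          # real export name tables are sorted
    n = len(names)
    export_dir_rva = 0x10
    funcs_rva = export_dir_rva + EXPORT_DIR_SIZE
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings_rva = ords_rva + 2 * n

    blob = b""
    name_ptrs = b""
    for nm in names:
        name_ptrs += struct.pack("<I", strings_rva + len(blob))
        blob += nm.encode("ascii") + b"\x00"
    funcs = b"".join(struct.pack("<I", exports[nm]) for nm in names)
    ordinals = b"".join(struct.pack("<H", i) for i in range(n))  # name i -> function i

    export_dir = struct.pack(
        "<IIHHIIIIIII",
        0, 0, 0, 0,                  # Characteristics, TimeDateStamp, Major/MinorVersion
        0, 1,                        # Name RVA (unused here), ordinal Base
        n, n,                        # NumberOfFunctions, NumberOfNames
        funcs_rva, names_rva, ords_rva,
    )
    image = bytes(export_dir_rva) + export_dir + funcs + name_ptrs + ordinals + blob
    return image, export_dir_rva


def read_cstring(image: bytes, rva: int) -> str:
    return image[rva:image.index(b"\x00", rva)].decode("ascii")


def resolve_by_hash(image: bytes, export_dir_rva: int, target: int,
                    hashfn: Callable[[str], int] = ror13_hash) -> Optional[int]:
    """Malware side: walk the export name table, hash every exported name and
    return the RVA of the function whose hash equals `target` (None if no
    export matches). This is the lookup the post describes; only the hash
    function differs from the real sample."""
    n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from(
        "<IIII", image, export_dir_rva + NUMBER_OF_NAMES_OFF)
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names_rva + 4 * i)[0]
        if hashfn(read_cstring(image, name_rva)) == target:
            # AddressOfNameOrdinals maps name index -> index into AddressOfFunctions
            ordinal = struct.unpack_from("<H", image, ords_rva + 2 * i)[0]
            return struct.unpack_from("<I", image, funcs_rva + 4 * ordinal)[0]
    return None


if __name__ == "__main__":
    # Constructed exports with made-up RVAs.
    img, exp_rva = build_fake_export_image(
        {"CreateFileA": 0x1000, "WSAStartup": 0x2000, "LoadLibraryA": 0x3000})
    table = build_hash_table(["CreateFileA", "WSAStartup", "LoadLibraryA"])
    h = ror13_hash("WSAStartup")
    print(f"{h:#010x} -> {table[h]} @ RVA {resolve_by_hash(img, exp_rva, h):#x}")
```

Against a real module the loader adds the module base to every RVA it reads, and forwarded exports (where AddressOfFunctions points at a "DLL.Func" string instead of code) need extra handling; neither changes the hash-and-compare loop, which is the part worth recognising in the disassembly.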
Command line argument check
Before starting any actions, the malware checks whether there is a -u switch among the process arguments; if it finds one, execution is delayed for 10 seconds.
This switch is used when Lokibot upgrades itself.
Network initialization and mutex creation
Lokibot uses Berkeley-compatible (Winsock) sockets for its communications, so it needs to call WSAStartup() before using any other networking functions.
If the call succeeds, the malware tries to create a mutex whose name is based on the MD5 hash of the machine GUID (trimmed to 24 characters).
The mutex guarantees that only one instance of the malware runs on a system; because its name is derived from the machine GUID, it is also stable per host, which matters for the file and directory names discussed under Possible detections.
Stealing the data
Lokibot calls a function that builds two large arrays on the stack.
The first array contains the identifiers of the stealing routines, and the second array the routines themselves.
After building the two arrays, the stealing routines are executed through a wrapper function.
The wrapper sets a global variable to the identifier of the routine and then executes it.
This way Lokibot keeps, in the reported data, a reference between each piece of stolen data and the routine that stole it, so the C2 server knows how to parse and store it.
List of all the targeted applications and files:
- firefox browser
- icedragon browser
- safari browser
- k-meleon browser
- seamonkey browser
- flock browser
- blackhawk browser
- lunascape browser
- browsers general data
- opera browser
- qtweb internet browser
- qupzilla browser
- internet explorer
- opera passwords
- cyberfox browser
- pale moon browser
- waterfox browser
- pidgin passwords
- superputty
- ftpshell
- notepadplusplus
- myftp
- ftpbox
- sherrod ftp
- ftpnow
- nexusfile ftp
- netsarang xftp
- easyftp
- sftpnetdrive
- ableftp
- jasftp
- automize
- ableftp
- cyberduck
- fullsync
- ftpinfo
- linasftp
- filezilla
- staff ftp
- blazeftp
- fastream ftp
- goftp
- estsoft alftp
- deluxe ftp
- ghisler wcx ftp
- ftpgetter
- ws ftp
- site xml files
- full tilt poker
- pokerstars
- expandrive
- steed
- flash fxp
- insoftware novaftp
- netdrive
- ghisler wcx ftp
- smart ftp
- far manager ftp
- bitvise bvsshclient
- vnc
- msecure
- syncovery
- freshwebmaster freshftp
- bitkinex
- ultrafxp
- ftp now
- securefx
- odin secure ftp expert
- nch software fling
- nch software classicftp
- kitty
- putty
- mozilla thunderbird
- foxmail
- pocomail
- incredimail
- gmail notifier pro
- desksoft checkmail
- winftp client
- winscp
- 32bitftp
- ftp navigator
- softwarenetz mailing
- operamail
- postbox
- mozilla fossamail
- mailbox ini file
- winchips user account
- outlook
- ymail2
- trojita imap client
- trulymail
- spn files
- todo desklist
- stickies images and rtf
- notefly notes
- conceptworld notezilla
- microsoft sticky notes
- keepass databases
- enpass db files
- my roboform
- 1password
- mikrotik winbox
After collecting all the data into a memory buffer, Lokibot prepares it and reports it back to the C2 server. The configured C2 address is stored encrypted with Triple-DES and is decrypted at run time.
The malware gathers information about the local system and builds a report packet containing that system information, the stolen data, and some additional flags.
Summary of the system information that is collected to build the report packet:
- Operating system
- Username
- Hostname
- Domain name
- Screen resolution
- Privilege level
- System architecture
An interesting bit of Lokibot's communications is its User-Agent string, Mozilla/4.08 (Charon; Inferno).
A simple Google search for it returns nothing but references to this malware.
Stealing data from the Windows Credential Manager
After stealing the data from the targeted applications, Lokibot tries to steal data from the Windows Credential Manager.
To do so, Lokibot searches for any files within the following directories:
- %APPDATA%\Microsoft\Credentials
- %LOCALAPPDATA%\Microsoft\Credentials
These files are DPAPI-protected credential blobs, which is why simply reading them is not enough and the malware needs code running inside LSASS to decrypt them.
To decrypt the passwords, Lokibot tries to inject code into the Local Security Authority Subsystem Service process (lsass.exe). The injection happens only if:
- The operating system is x86.
- The operating system is x64 and the process is not running under the Windows on Windows subsystem (WoW64).
A fun fact about the x86 injection function is that the author forgot to create a remote thread after writing the shellcode into the lsass process, meaning the shellcode is written but never executed. ¯\_(ツ)_/¯
After stealing this data, Lokibot builds a new report packet and reports it back to the C2 server.
Persistence
For persistence, Lokibot copies itself to a folder inside %APPDATA%, creates a new Run key pointing at the copy, and sets the hidden attribute on both the created directory and the copied executable.
Creating the directory and copying the original executable:
Creating a run key and hiding both the folder and the executable:
This way the hidden executable is launched every time the user logs on.
C2 tasks
After stealing the data, Lokibot also fetches tasks from the C2 server.
Summary of the tasks Lokibot can receive:
- Download EXE and Execute
- Download DLL and Load
- Delete HDB file
- Start keylogger
- Steal data
- Exit Lokibot
- Upgrade Lokibot
- Change C2 beaconing (polling tasks)
- Delete executables
Here is a snippet of a function that will download additional executables and execute them:
Possible detections
Lokibot creates a hidden folder within the %APPDATA% directory. The directory name is a slice of the mutex name (8th to 13th character), for example %APPDATA%\C98066\.
In the hidden directory, Lokibot creates four files at any given time with the following extensions:
- .exe
- .lck
- .hdb
- .kdb
The file names are also a slice of the mutex name (13th to 18th character) followed by the extension, so all four files share one stem.
The User-Agent string used by Lokibot is also very uncommon, which makes it a cheap indicator for simple network detections:
Mozilla/4.08 (Charon; Inferno)
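The following Python is an added example (mine, not part of the original post) that turns the host and network artifacts described in this section into checks a responder can run over a file listing and a proxy log. The folder name C98066 and the User-Agent come from the post; the file stem 3AB2F1, the user paths and the log lines are constructed sample data. It assumes, because the mutex is an MD5 hash, that both the folder name and the file stems are six hexadecimal characters.

```python
import os
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# The mutex name is derived from an MD5 hash, so the folder name and file
# stems carved out of it are assumed to be 6 hex characters (e.g. C98066).
HEX6 = re.compile(r"^[0-9A-Fa-f]{6}$")
LOKI_EXTS = {".exe", ".lck", ".hdb", ".kdb"}
LOKI_UA = "Mozilla/4.08 (Charon; Inferno)"


def find_lokibot_dirs(paths: Iterable[str]) -> Dict[str, Set[str]]:
    """Return {directory: extensions_seen} for directories matching the
    Lokibot layout: a 6-hex-char directory holding files that share one
    6-hex-char stem and use the .exe/.lck/.hdb/.kdb extensions, with at least
    the .exe plus one companion file present. Input is any iterable of full
    paths (os.walk output, an EDR file inventory, a triage export) using
    Windows or POSIX separators."""
    seen: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for p in paths:
        parts = re.split(r"[\\/]", p)
        if len(parts) < 2:
            continue
        fname, parent = parts[-1], parts[-2]
        stem, ext = os.path.splitext(fname)
        if HEX6.match(parent) and HEX6.match(stem) and ext.lower() in LOKI_EXTS:
            directory = p[: len(p) - len(fname) - 1]
            seen[directory][stem.upper()].add(ext.lower())
    hits: Dict[str, Set[str]] = {}
    for directory, stems in seen.items():
        for exts in stems.values():
            if ".exe" in exts and len(exts) >= 2:
                hits[directory] = exts
    return hits


def scan_tree(root: str) -> Dict[str, Set[str]]:
    """Apply the same check to a live %APPDATA% or a mounted disk image.
    On Windows you would additionally confirm the hidden attribute through
    os.stat(path).st_file_attributes; omitted here for portability."""
    return find_lokibot_dirs(
        os.path.join(d, f) for d, _, files in os.walk(root) for f in files)


def find_lokibot_ua(log_lines: Iterable[str]) -> List[str]:
    """Return proxy/web log lines carrying Lokibot's hardcoded User-Agent.
    An exact substring match is enough: no legitimate client sends it."""
    return [line for line in log_lines if LOKI_UA in line]


# Constructed sample data (not from a real host or a real capture).
SAMPLE_PATHS = [
    r"C:\Users\bob\AppData\Roaming\C98066\3AB2F1.exe",
    r"C:\Users\bob\AppData\Roaming\C98066\3AB2F1.lck",
    r"C:\Users\bob\AppData\Roaming\C98066\3AB2F1.hdb",
    r"C:\Users\bob\AppData\Roaming\C98066\3AB2F1.kdb",
    r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"C:\Users\bob\AppData\Roaming\ABCDEF\notes.txt",   # hex folder, wrong files
]
SAMPLE_LOG = [
    '10.0.0.5 POST http://198.51.100.7/index.php 200 "Mozilla/4.08 (Charon; Inferno)"',
    '10.0.0.5 GET http://example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    print(find_lokibot_dirs(SAMPLE_PATHS))
    print(find_lokibot_ua(SAMPLE_LOG))
```

The directory check deliberately requires the executable plus at least one of the .lck/.hdb/.kdb companions, so a lone six-character hex folder (which legitimate software occasionally creates) does not fire on its own; the User-Agent check is the same condition the ET rules listed in this section key on, expressed for proxy logs rather than packets.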
Existing Emerging Threats (ET) Suricata rules for this family:
| Rule ID | Rule Name |
|---|---|
| 2024311 | ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected |
| 2024312 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1 |
| 2024313 | ET TROJAN Loki Bot Request for C2 Commands Detected M1 |
| 2024314 | ET TROJAN Loki Bot File Exfiltration Detected |
| 2024315 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1 |
| 2024316 | ET TROJAN Loki Bot Screenshot Exfiltration Detected |
| 2024317 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2 |
| 2024318 | ET TROJAN Loki Bot Request for C2 Commands Detected M2 |
| 2024319 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2 |