Lokibot it’s not new but it’s a common malware to see these days since it’s sold on underground websites, thus it’s available to the average cyber-criminal. This malware is designed to steal information from infected machines and send it to a command and control server using HTTP POST requests.
Besides stealing data, it can set up persistence, receive tasks from the C2 server, and it can be used to download more malware.
Lokibot has been around for a few years now, but the statistics show that is still very common to see Lokibot being used. The stats provided by Any Run show that this family is within the top 3 of the Global rank and the top 10 of both the Week and Month ranks.
The stats from MalwareBazaar put this family within the top 10 of all time of the most seen malware families.
Tria.ge stats place Lokibot in the top 5 of submissions.
Given the popularity of this malware and my curiosity, I decided to take a look at a sample and see how it works.
The sample I used in this analysis can be found here.
Static reverse engineering
Lokibot resolves most of the needed APIs during the execution. To avoid hardcoding the original API names, the malware uses hashes of the API names whenever it needs to resolve them.
The first step to moving forward with the reverse engineering of this sample I had to understand how Lokibot resolves the APIs and how the algorithm that computes the hashes works.
Resolving the necessary APIs
To resolve a Windows API, Lokibot calls an auxiliary function that receives an index value and a hash of the API name as arguments.
The indexes are used to get the DLL name from an in-memory array containing the DLL names.
To get the final addresses Lokibot loads and parses the export table from the DLLs.
For each API in the export table, Lokibot computes a hash of its name and compares it with the hash passed to the function as an argument.
API string hashing algorithm
Pseudo code of the hashing algorithm used by this Lokibot sample:
Using my own implementation of this algorithm in python I was able to build a list containing the Windows API names alongside their hashes.
In this gist, you can find the full list containing the API names and the hashes.
Command line argument check
Before starting any actions the malware checks if there is a
-u switch in the arguments of the process and if it finds it the execution is delayed for 10 seconds.
This switch is used when Lokibot upgrades itself.
Network initialization and mutex creation
Lokibot uses Berkeley compatible sockets for communications and because of that, it needs to call WSAStartup() before using any other networking functions.
If the call succeeds the malware tries to create a mutex based on the MD5 hash of the machine GUID (trimmed to 24 chars).
Mutexes are used to guarantee that there is only one instance of a program running on a system.
Stealing the data
Lokibot calls a function that will build two large arrays in the stack.
The first array will contain the identifiers of the functions, and the second array the actual routines that steal data.
After building the two arrays, the functions that steal data are executed using a wrapper function.
This wrapper function sets a global variable with the identifier of the steal function and executes it.
This way, Lokibot can keep a reference between the stolen data and the function that stole it in the reported data. This way, when parsing the stolen data the C2 server will know how to process/store it.
List of all the targeted applications and files:
firefox browser icedragon browser safari browser k-meleon browser seamonkey browser flock browser blackhawk browser lunascape browser browsers general data opera browser qtweb internet browser qupzilla browser internet explorer opera passwords cyberfox browser pale moon browser waterfox browser pidgin passwords superputty ftpshell notepadplusplus myftp ftpbox sherrod ftp ftpnow nexusfile ftp netsarang xftp easyftp sftpnetdrive ableftp jasftp automize ableftp cyberduck fullsync ftpinfo linasftp filezilla staff ftp blazeftp fastream ftp goftp estsoft alftp deluxe ftp ghisler wcx ftp ftpgetter ws ftp site xml files full tilt poker pokerstars expandrive steed flash fxp insoftware novaftp netdrive ghisler wcx ftp smart ftp far manager ftp bitvise bvsshclient vnc msecure syncovery freshwebmaster freshftp bitkinex ultrafxp ftp now securefx odin secure ftp expert nch software fling nch software classicftp kitty putty mozilla thunderbird foxmail pocomail incredimail gmail notifier pro desksoft checkmail winftp client winscp 32bitftp ftp navigator softwarenetz mailing operamail postbox mozilla fossamail mailbox ini file winchips user account outlook ymail2 trojita imap client trulymail spn files to dodesklist stickies images and rtf notefly notes conceptworld notezilla microsoft sticky notes keepass databases enpass db files my roboform 1password mikrotik winbox
After getting all the data and save it in a memory buffer, Lokibot will prepare the data and report it back to the C2 server. The configured C2 server is encrypted using Triple-DES and gets decrypted on runtime.
The malware grabs information about the local system and builds a report packet. This packet will have the system information, stolen data, and some other flags and data.
Summary of the system information that is collected to build the report packet:
- Operating system
- Domain name
- Screen resolution
- Privilege level
- System architecture
An interesting bit of information on the Lokibot communications is the user-agent.
A simple google search shows nothing but only references to this malware.
Stealing data from the Windows Credential Manager
After stealing the data from the targeted applications, Lokibot will try to steal data from the Windows Credential Manager.
To steal those credentials, Lokibot will search any files within the following directories:
To decrypt the passwords, Lokibot tries to inject code into the Local Security Authority Subsystem Service process (lsass.exe). The injection will occur only if:
- The operating system is x86.
- The operating system is x64 and the process is not running under Windows on Windows subsystem (WoW64).
A fun fact about the x86 injection function is that the author forgot to create a remote threat after writing the shellcode into the Lsass process, meaning that the shellcode is written but never executed. ¯\(ツ)/¯
After stealing this data, Lokibot builds a new report packet and reports it back to the C2 server.
For persistence, Lokibot copies itself to a folder inside the
%APPDATA% folder, creates a new run key, and hides both the created directory and the copied executable.
Creating the directory and copying the original executable:
Creating a run key and hiding both the folder and the executable:
This way whenever the system is started the hidden executable will be executed.
After stealing the data, Lokibot is also able to fetch tasks from the C2 server.
Summary of the possible Lokibot tasks:
- Download EXE and Execute
- Download DLL and Load
- Delete HDB file
- Start keylogger
- Steal data
- Exit Lokibot
- Upgrade Lokibot
- Change C2 beaconing (polling tasks)
- Delete executables
Here is a snippet of a function that will download additional executables and execute them:
Lokibot creates a hidden folder within the
%APPDATA% directory. The directory name will be a slice of the mutex name (8th char - 13th char).
In the hidden directory, Lokibot creates four files at any given time with the following extensions:
The file names will also be a slice of the mutex name (13th char - 18th char) followed by the extension.
The user-agent used by Lokibot is also very uncommon which can be used to build simple detections.
Mozilla/4.08 (Charon; Inferno)
List of existing Suricata rules:
|Rule ID||Rule Name|
|2024311||ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected|
|2024312||ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1|
|2024313||ET TROJAN Loki Bot Request for C2 Commands Detected M1|
|2024314||ET TROJAN Loki Bot File Exfiltration Detected|
|2024315||ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1|
|2024316||ET TROJAN Loki Bot Screenshot Exfiltration Detected|
|2024317||ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2|
|2024318||ET TROJAN Loki Bot Request for C2 Commands Detected M2|
|2024319||ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2|