LokiBot Analysis
We will analyze LokiBot.
Summary
LokiBot (also written Loki-Bot or Loki Bot) is infostealer malware that collects user credentials from applications on infected machines, such as web browsers, FTP clients and email clients. The malware’s original source code was leaked in the past, which led to the creation of multiple variants. The initial infection vector is usually a phishing email.
The sample we are going to analyze has 3 stages.
- Initial Executable
- Unpacked DLL (vogrqihk.dll)
- Deobfuscated Executable (hd9kkov4myl)
We will go over each stage of this malware with the corresponding MITRE ATT&CK techniques observed in the analysis.
Stage 1 : Initial Executable
MITRE ATT&CK
Defense Evasion
T1027 Obfuscated Files or Information
File Hash (MD5)
173cc49904c607c514e2f4a2054aaca0
Execution Flow
The initial executable’s section table contains a section named .ndata, which indicates that the file is packed with the Nullsoft Scriptable Install System (NSIS).
※ An NSIS-packed file can be partially extracted with 7-Zip. From our executable, 7-Zip extracts vogrqihk.dll and hd9kkov4myl, which we will analyze in stages 2 and 3.
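The .ndata heuristic above can be checked without a full PE library. The following is an added triage example (not part of the original analysis) that walks the PE headers with the standard library only and reports whether a section named .ndata is present; the sample PE header it builds is constructed, not taken from the malware.

```python
import struct

# Section name used by the NSIS installer stub for its compressed payload;
# its presence in the section table is the packer indicator described above.
NSIS_SECTION = b".ndata"


def pe_section_names(data):
    """Return the section names of a PE image by walking its headers.

    DOS header -> e_lfanew -> PE signature -> COFF header -> section table.
    Only headers are read, so a partial or truncated dump is fine.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        entry = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes; Name is the first 8
        names.append(data[entry:entry + 8].rstrip(b"\0"))
    return names


def looks_nsis_packed(data):
    return NSIS_SECTION in pe_section_names(data)


def build_sample_pe(section_names):
    """Constructed minimal PE header (not a real sample) with the given sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # PE32 optional header size; its contents are zeroed here
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print("NSIS-packed" if looks_nsis_packed(f.read()) else "no .ndata section")
```

A match only says the file carries an NSIS stub; the extracted payload still has to be examined, as stages 2 and 3 show.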
At the beginning of execution, the file unpacks and writes two files to disk: vogrqihk.dll and hd9kkov4myl.
The initial executable loads vogrqihk.dll as a module through LoadLibraryExA and resolves the DLL’s exported function through GetProcAddress.
Once this is complete, control flow reaches the call to the lfrgtzqdeo function.
Stage 2 : vogrqihk.dll
MITRE ATT&CK
Defense Evasion
T1055 Process Injection
T1140 Deobfuscate/Decode Files or Information
File Hash (MD5)
94d33e9281067f72a6e4f1dd967bab7d
Execution Flow
As soon as control flow enters the lfrgtzqdeo function, it proceeds to deobfuscate the .data section.
After deobfuscation, control flow enters the .data section, as shown in Figure 8.
As we can see from Figure 8, the .data section uses an anti-analysis technique: it builds a library name at runtime by appending characters one at a time. After the jump instruction in Figure 8, it forms the filename hd9kkov4myl, one of the files dumped by the initial executable.
As soon as the filename is formed, it reads the file using a combination of the following APIs:
- CreateFileW
- GetFileSize
- VirtualAlloc
- ReadFile
In its initial state, hd9kkov4myl appears to be an encrypted PE executable, which is decrypted by the instructions in the .data section.
Once hd9kkov4myl is decrypted, it calls CreateProcessW on the initial executable with dwCreationFlags of 0x80000004, which is a combination of CREATE_NO_WINDOW and CREATE_SUSPENDED.
It then injects the decrypted PE executable into the suspended child process by process hollowing and resumes it by calling ResumeThread.
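The create-suspended, write, resume sequence described above is what a detection engineer looks for in an API-monitor trace. The following is an added example (not code from the analysis) that parses a constructed trace and flags child processes that were created with the CREATE_SUSPENDED bit set, written into by their parent, and then resumed; the trace format, pids and image paths are assumptions.

```python
import re

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit, Windows SDK value

# Constructed API-monitor style trace (not captured from the sample). Assumed
# line format: "<caller pid> <api>(<args>) -> <result>". The first group mirrors
# the text: a self-spawn with dwCreationFlags 0x80000004, memory written into
# the suspended child, then ResumeThread. The second group is a benign launch.
TRACE = """\
1000 CreateProcessW(image="C:\\Users\\u\\sample.exe", flags=0x80000004) -> pid=1044
1000 WriteProcessMemory(pid=1044, addr=0x400000, size=0x2a000) -> 1
1000 SetThreadContext(pid=1044) -> 1
1000 ResumeThread(pid=1044) -> 1
2000 CreateProcessW(image="C:\\Windows\\notepad.exe", flags=0x00000000) -> pid=2048
2000 ResumeThread(pid=2048) -> 1
"""

LINE = re.compile(r"^(\d+) (\w+)\((.*)\) -> (.*)$")


def parse_trace(text):
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((int(m[1]), m[2], m[3], m[4]))
    return events


def _pid(s):
    return int(re.search(r"pid=(\d+)", s)[1])


def detect_hollowing(events):
    """Return child pids that were created suspended by a parent, written to
    by that same parent, and then resumed: the hollowing sequence."""
    suspended = {}  # child pid -> parent pid that created it suspended
    written = set()
    hits = []
    for pid, api, args, result in events:
        if api == "CreateProcessW":
            flags = int(re.search(r"flags=(0x[0-9a-fA-F]+)", args)[1], 16)
            if flags & CREATE_SUSPENDED:  # only this bit matters for the heuristic
                suspended[_pid(result)] = pid
        elif api == "WriteProcessMemory" and suspended.get(_pid(args)) == pid:
            written.add(_pid(args))
        elif api == "ResumeThread" and _pid(args) in written:
            hits.append(_pid(args))
    return hits
```

Legitimate debuggers and some installers also create suspended processes, so in production the rule should be scoped to parents that are not known debugging or deployment tools.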
Stage 3: hd9kkov4myl
MITRE ATT&CK
Collection
T1005 Data from Local System
Command and Control
T1071 Application Layer Protocol
Credential Access
T1555 Credentials from Password Stores
File Hash (MD5)
af625b5163049a8553ebe9fc32bf90be (Obfuscated file hash)
0b80339abb0f05bdafc5500f0be887bb (Deobfuscated file hash)
Execution Flow
The last stage is the injected and decrypted PE executable (hd9kkov4myl), which appears to be the infostealer itself.
From static and dynamic analysis, this executable appears to have the capability to search for the following information.
Credentials from web browsers
The usual browsers (Chrome, Firefox, and Internet Explorer) are seen, as well as more than 20 other browsers (360Browsers, Chromium, Opera, etc.).
Credentials of email clients
Email clients that can be observed are Outlook, Postbox, and Thunderbird.
Credentials of FTP
FTP clients that can be observed are Cyberduck, EasyFTP, and FileZilla.
Keychain
Keychain is a password store that holds user passwords saved by iOS devices or other Apple-related software. The executable can be seen accessing Keychain information.
Credentials of SSH
SSH clients that can be observed are BvSSH, KiTTY, and PuTTY.
Credentials from Password Managers
The executable is seen searching for specific folders and files on the infected machine related to the storage of offline password managers.
- KeePass Password Safe: KeePass password database (.kdbx) files
- Enpass Password Manager’s local storage
- RoboForm
- 1Password
Windows Credential Manager
Windows Credential Manager stores, in Credential Lockers, the credentials for websites, applications and devices that need to authenticate through NTLM or Kerberos. This executable can be seen loading vaultcli.dll, the library used to access Windows Credential Manager, which suggests that this executable is also likely to access Credential Manager.
Misc
- Full Tilt Poker
The executable was seen searching for a “Full Tilt Poker” registry key under HKCU\Software and for related folders. Full Tilt Poker is an online poker application, which seems a very random target. However, according to an ESET article, there was spyware that specifically targeted this application.
ESET®, a global pioneer in proactive protection for more than two decades, warns users of PokerStars and Full Tilt Poker of a new malicious spyware program called Odlanor. The spyware, which takes screenshots of the infected player’s virtual poker hand, is designed to allow the malware operator to cheat during online games.
It is possible the executable has the capability to steal Full Tilt Poker’s information.
Once the executable has gone through most of its infostealing routines, it attempts to connect to the C2 server:
http://bauxx[.]xyz/mtk1/w2/fre.php
It is worth noting that in many versions, LokiBot connects to http://<domain>/fre.php. This “fre.php” path can be an indication that the connection is related to LokiBot.
After the external communication, the executable was seen establishing persistence. It appears to copy itself to %APPDATA%\Roaming\A83C2F\F3FE9.exe and mark the copy hidden with SetFileAttributes.
Later, a registry key can be seen created under HKCU\http://bauxx[.]xyz/mtk1/w2/fre.php.
※ The binary ID ckav[.]ru was also observed statically within the executable.
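The fre.php observation above translates directly into a network detection. The following is an added example (not part of the original analysis) that refangs the defanged C2 URL and scans constructed proxy log lines, distinguishing an exact hit on the known C2 from the generic LokiBot /fre.php path pattern; the log format, timestamps and client addresses are assumptions.

```python
from urllib.parse import urlsplit

# C2 URL from the analysis, kept defanged; refang() restores it for matching.
C2_URL = "http://bauxx[.]xyz/mtk1/w2/fre.php"


def refang(ioc):
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Constructed proxy log lines (not real traffic). Assumed format:
# "<time> <client_ip> <method> <url> <status>"
LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 POST http://bauxx.xyz/mtk1/w2/fre.php 200
2024-01-01T10:00:02Z 10.0.0.5 GET http://example.com/index.php 200
2024-01-01T10:00:03Z 10.0.0.7 POST http://203.0.113.9/panel/fre.php 404
2024-01-01T10:00:04Z 10.0.0.8 GET http://example.org/freshman/fre.php.bak 200
"""


def classify(url, known_c2):
    """'known_c2' for an exact IOC match, 'fre_php' for the generic LokiBot
    path pattern, None otherwise."""
    if url == known_c2:
        return "known_c2"
    if urlsplit(url).path.lower().endswith("/fre.php"):
        return "fre_php"
    return None


def scan_log(text, known_c2):
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash the scan
        _ts, client, _method, url, _status = fields
        verdict = classify(url, known_c2)
        if verdict:
            hits.append((client, verdict, url))
    return hits
```

A generic fre_php hit is lower confidence than a known_c2 hit and should be paired with the host artifacts listed in this section before escalating.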
Conclusion
The executable was seen to have a total of three stages, of which the first two are stagers for the final-stage infostealer. If this malware reaches the last stage, it is highly likely that some user information has been extracted from the machine.
To prevent this infection, we need continuous education about phishing emails, since they are the likely initial root cause.
The recommended actions for this malware are the following.
- Delete phishing email, which is likely the root cause of the infection.
- Reset the user credentials of any web applications that were accessed via browsers.
- Reset the email credentials.
- Reset FTP and SSH credentials if any FTP/SSH clients were used on the machine.
- Reset any credentials that may be stored in Windows Credential Manager.
- Delete the registry key (HKCU\http://bauxx[.]xyz/mtk1/w2/fre.php)
- Delete the original files and the copied file (%APPDATA%\Roaming\A83C2F\F3FE9.exe)
- Block the detected domain (bauxx[.]xyz)
Reference
https://developer.apple.com/documentation/security/keychain_services