Lokibot it’s not new but it’s a common malware to see these days since it’s sold on underground websites, thus it’s available to the average cyber-criminal. This malware is designed to steal information from infected machines and send it to a command and control server using HTTP POST requests.

Besides stealing data, it can set up persistence, receive tasks from the C2 server, and it can be used to download more malware.

Lokibot has been around for a few years now, but the statistics show that is still very common to see Lokibot being used. The stats provided by Any Run show that this family is within the top 3 of the Global rank and the top 10 of both the Week and Month ranks.

The stats from MalwareBazaar put this family within the top 10 of all time of the most seen malware families.

Tria.ge stats place Lokibot in the top 5 of submissions.

Given the popularity of this malware and my curiosity, I decided to take a look at a sample and see how it works.

The sample I used in this analysis can be found here.


Static reverse engineering

Lokibot resolves most of the needed APIs during the execution. To avoid hardcoding the original API names, the malware uses hashes of the API names whenever it needs to resolve them.

The first step to moving forward with the reverse engineering of this sample I had to understand how Lokibot resolves the APIs and how the algorithm that computes the hashes works.

Resolving the necessary APIs

To resolve a Windows API, Lokibot calls an auxiliary function that receives an index value and a hash of the API name as arguments.

The indexes are used to get the DLL name from an in-memory array containing the DLL names.

Index DLL
0 kernel32.dll
1 ntdll.dll
2 shlwapi.dll
3 crypt32.dll
4 wininet.dll
5 urlmon.dll
6 netapi32.dll
7 ws2_32.dll
8 user32.dll
9 advapi32.dll
10 shell32.dll
11 gdiplus.dll
12 gdi32.dll
13 ole32.dll
14 gdi32.dll

To get the final addresses Lokibot loads and parses the export table from the DLLs.

For each API in the export table, Lokibot computes a hash of its name and compares it with the hash passed to the function as an argument.

API string hashing algorithm

Pseudo code of the hashing algorithm used by this Lokibot sample:

Using my own implementation of this algorithm in python I was able to build a list containing the Windows API names alongside their hashes.

In this gist, you can find the full list containing the API names and the hashes.

Command line argument check

Before starting any actions the malware checks if there is a -u switch in the arguments of the process and if it finds it the execution is delayed for 10 seconds.

This switch is used when Lokibot upgrades itself.

Network initialization and mutex creation

Lokibot uses Berkeley compatible sockets for communications and because of that, it needs to call WSAStartup() before using any other networking functions.

If the call succeeds the malware tries to create a mutex based on the MD5 hash of the machine GUID (trimmed to 24 chars).

Mutexes are used to guarantee that there is only one instance of a program running on a system.

Stealing the data

Lokibot calls a function that will build two large arrays in the stack.

The first array will contain the identifiers of the functions, and the second array the actual routines that steal data.

After building the two arrays, the functions that steal data are executed using a wrapper function.

This wrapper function sets a global variable with the identifier of the steal function and executes it.

This way, Lokibot can keep a reference between the stolen data and the function that stole it in the reported data. This way, when parsing the stolen data the C2 server will know how to process/store it.

List of all the targeted applications and files:

firefox browser
icedragon browser
safari browser
k-meleon browser 
seamonkey browser
flock browser  
blackhawk browser  
lunascape browser  
browsers general data
opera browser  
qtweb internet browser  
qupzilla browser  
internet explorer  
opera passwords
cyberfox browser  
pale moon browser  
waterfox browser  
pidgin passwords
superputty  
ftpshell  
notepadplusplus  
myftp  
ftpbox  
sherrod ftp  
ftpnow  
nexusfile ftp  
netsarang xftp  
easyftp  
sftpnetdrive  
ableftp  
jasftp  
automize  
ableftp
cyberduck  
fullsync  
ftpinfo  
linasftp  
filezilla  
staff ftp  
blazeftp  
fastream ftp  
goftp  
estsoft alftp  
deluxe ftp  
ghisler wcx ftp  
ftpgetter  
ws ftp  
site xml files
full tilt poker  
pokerstars  
expandrive  
steed  
flash fxp  
insoftware novaftp  
netdrive  
ghisler wcx ftp  
smart ftp  
far manager ftp  
bitvise bvsshclient  
vnc  
msecure  
syncovery  
freshwebmaster freshftp  
bitkinex  
ultrafxp  
ftp now  
securefx  
odin secure ftp expert  
nch software fling  
nch software classicftp  
kitty
putty  
mozilla thunderbird  
foxmail  
pocomail  
incredimail  
gmail notifier pro
desksoft checkmail  
winftp client  
winscp  
32bitftp  
ftp navigator  
softwarenetz mailing  
operamail  
postbox  
mozilla fossamail  
mailbox ini file  
winchips user account  
outlook  
ymail2  
trojita imap client  
trulymail  
spn files
to dodesklist  
stickies images and rtf
notefly notes  
conceptworld notezilla  
microsoft sticky notes  
keepass databases
enpass db files
my roboform  
1password  
mikrotik winbox

After getting all the data and save it in a memory buffer, Lokibot will prepare the data and report it back to the C2 server. The configured C2 server is encrypted using Triple-DES and gets decrypted on runtime.

The malware grabs information about the local system and builds a report packet. This packet will have the system information, stolen data, and some other flags and data.

Summary of the system information that is collected to build the report packet:

  • Operating system
  • Username
  • Hostname
  • Domain name
  • Screen resolution
  • Privilege level
  • System architecture

An interesting bit of information on the Lokibot communications is the user-agent.

A simple google search shows nothing but only references to this malware.

Stealing data from the Windows Credential Manager

After stealing the data from the targeted applications, Lokibot will try to steal data from the Windows Credential Manager.

To steal those credentials, Lokibot will search any files within the following directories:

  • %APPDATA%\Microsoft\Credentials
  • %LOCALAPPDATA%\Microsoft\Credentials.

To decrypt the passwords, Lokibot tries to inject code into the Local Security Authority Subsystem Service process (lsass.exe). The injection will occur only if:

  • The operating system is x86.
  • The operating system is x64 and the process is not running under Windows on Windows subsystem (WoW64).

A fun fact about the x86 injection function is that the author forgot to create a remote threat after writing the shellcode into the Lsass process, meaning that the shellcode is written but never executed. ¯\(ツ)

After stealing this data, Lokibot builds a new report packet and reports it back to the C2 server.

Persistence

For persistence, Lokibot copies itself to a folder inside the %APPDATA% folder, creates a new run key, and hides both the created directory and the copied executable.

Creating the directory and copying the original executable:

Creating a run key and hiding both the folder and the executable:

This way whenever the system is started the hidden executable will be executed.

C2 tasks

After stealing the data, Lokibot is also able to fetch tasks from the C2 server.

Summary of the possible Lokibot tasks:

  • Download EXE and Execute
  • Download DLL and Load
  • Delete HDB file
  • Start keylogger
  • Steal data
  • Exit Lokibot
  • Upgrade Lokibot
  • Change C2 beaconing (polling tasks)
  • Delete executables

Here is a snippet of a function that will download additional executables and execute them:

Possible detections

Lokibot creates a hidden folder within the %APPDATA% directory. The directory name will be a slice of the mutex name (8th char - 13th char).

For example: %APPDATA%\C98066\.

In the hidden directory, Lokibot creates four files at any given time with the following extensions:

  • .exe
  • .lck
  • .hdb
  • .kdb

The file names will also be a slice of the mutex name (13th char - 18th char) followed by the extension.

The user-agent used by Lokibot is also very uncommon which can be used to build simple detections.

Mozilla/4.08 (Charon; Inferno)

List of existing Suricata rules:

Rule ID Rule Name
2024311 ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected
2024312 ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1
2024313 ET TROJAN Loki Bot Request for C2 Commands Detected M1
2024314 ET TROJAN Loki Bot File Exfiltration Detected
2024315 ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1
2024316 ET TROJAN Loki Bot Screenshot Exfiltration Detected
2024317 ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2
2024318 ET TROJAN Loki Bot Request for C2 Commands Detected M2
2024319 ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2

References