image courtesy, techdatort.net
According to the Cybersecurity and Infrastructure Security Agency (CISA), LokiBot is Trojan malware used to steal sensitive data such as usernames, passwords and other credentials. The actors that deploy LokiBot rely on multiple techniques that are old but still effective.
The malware reaches targeted systems through mass emails carrying a malicious XLS attachment. The document contains a macro that creates a backdoor into the infected system and installs additional payloads such as vbc.exe, a variant of LokiBot.
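An added detection example for the chain just described (written for this page, not code from the original article or from CISA): it scans constructed, Sysmon-style JSON-lines process-creation events and flags vbc.exe when an Office macro host spawns it, or when it runs from anywhere other than the .NET Framework directories, where a legitimate Visual Basic compiler of the same name lives. The field names, paths and sample events are assumptions.

```python
"""Process-creation triage for the XLS-macro -> vbc.exe delivery chain.
Events below are CONSTRUCTED samples in an assumed Sysmon-style JSON-lines
export; field names (ts, ParentImage, Image) are hypothetical.
"""
import json
from typing import Dict, List

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# The legitimate vbc.exe lives under Framework\ or Framework64\ (prefix covers both).
LEGIT_VBC_PREFIX = "c:\\windows\\microsoft.net\\framework"

SAMPLE_EVENTS = r"""
{"ts": "2020-09-01T10:01:02Z", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\vbc.exe"}
{"ts": "2020-09-01T10:01:03Z", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\vbc.exe"}
{"ts": "2020-09-01T10:01:04Z", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Users\\alice\\Downloads\\vbc.exe"}
{"ts": "2020-09-01T10:01:05Z", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\notepad.exe"}
""".strip()


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules this event trips (empty means benign)."""
    hits: List[str] = []
    parent = basename(event.get("ParentImage", ""))
    image_path = event.get("Image", "").lower()
    if basename(image_path) != "vbc.exe":
        return hits
    if parent in OFFICE_HOSTS:          # macro host launching the payload
        hits.append("office_spawned_vbc")
    if not image_path.startswith(LEGIT_VBC_PREFIX):  # dropped copy, not the SDK compiler
        hits.append("vbc_outside_dotnet_dir")
    return hits


def scan(jsonl: str) -> List[Dict[str, object]]:
    """Run classify() over JSON-lines events and return only the alerts."""
    alerts: List[Dict[str, object]] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        rules = classify(event)
        if rules:
            alerts.append({"ts": event["ts"], "image": event["Image"], "rules": rules})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["ts"], alert["image"], ", ".join(alert["rules"]))
```

The second sample event (the real compiler under Framework64 launched from Explorer) and the fourth (Excel launching Notepad) produce no alert, which is the false-positive check a practitioner would want before deploying such a rule.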
image courtesy, 2-spyware.com
LokiBot first appeared in 2015 and its use has been increasing since then, according to CISA. Some of the recently identified targets are:
· February 2020: Trend Micro discovered the malware impersonating a launcher for the popular video game Fortnite.
· August 2019: FortiGuard SE researchers discovered a malspam campaign delivering its payloads through a spear-phishing attack on a US-based manufacturing company.
· August 2019: Trend Micro uncovered the malware hidden in image files spread as attachments to phishing emails, among other incidents.
Other incidents associated with LokiBot include a new variant of the RoboSki packer and a wave of attacks under the guise of the COVID-19 vaccine.
LokiBot operators plan their attacks by mixing exploitation of old vulnerabilities with new techniques, which has helped them intensify the number of cyber attacks over the years. To prevent such attacks, organisations should implement the required mitigations on a regular basis.