Increase in LokiBot Malware Activity Leads CISA to Issue Alert

An alert has been released by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) after a noticeable increase in LokiBot malware activity was recorded over the past eight weeks.

LokiBot, also referred to as Lokibot, Loki PWS, and Loki-bot, first appeared in 2015. It is an information stealer built to harvest credentials and other protected data from infected devices. The malware targets the Windows and Android operating systems and uses a keylogger to capture usernames and passwords while monitoring browser and desktop activity. LokiBot can extract login details from a range of applications and data sources, including the Safari, Chrome, and Firefox web browsers, as well as credentials for email accounts and FTP and SFTP clients.

The malware can also harvest other sensitive data, including cryptocurrency wallets, and can establish a backdoor on the victim's machine to maintain persistent access, allowing its operators to deliver additional malicious payloads.

The malware establishes a connection to its command and control (C2) server and exfiltrates stolen data over HTTP. LokiBot has been observed using process hollowing to inject itself into legitimate Windows processes such as vbc.exe (the Visual Basic command-line compiler) in order to evade detection. It also copies itself to a hidden file and directory.
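The three behaviours just described (a hollowed vbc.exe with an unexpected parent, the compiler talking HTTP to a C2 server, and a hidden executable copy dropped under the user profile) are all observable in endpoint telemetry. The following Python script is an added example, not code from the CISA alert or from this article: it runs a few hunting rules over a handful of constructed Sysmon-style events embedded inline. The event field names and the `hidden` attribute flag are assumptions about a hypothetical collector, not Sysmon's own schema, and the sample events are invented, not real telemetry.

```python
"""Hunt for LokiBot-style behaviour in process/network/file telemetry.

Added example, not code from CISA or the article. Event shape loosely
follows Sysmon event IDs 1 (process create), 3 (network connect) and
11 (file create); field names and the `hidden` flag are assumptions
about the collector that feeds these records, not Sysmon's own schema.
"""
import ntpath

# Parents that legitimately spawn the VB compiler during a build (assumed allowlist).
BUILD_TOOL_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}

# Directories a standard user cannot write to on a default Windows install.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample events (not real telemetry). PID 4100 is a hollowed
# vbc.exe spawned by a dropper in Temp; PID 5200 is a genuine build.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100,
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe",
     "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe"},
    {"id": 3, "pid": 4100,
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe",
     "dest_ip": "203.0.113.45", "dest_port": 80},
    {"id": 11, "pid": 4100,
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe",
     "target": "C:\\Users\\alice\\AppData\\Roaming\\A1B2C3\\A1B2C3.exe",
     "hidden": True},
    {"id": 1, "pid": 5200,
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe",
     "parent_image": "C:\\Program Files\\Microsoft Visual Studio\\MSBuild\\Current\\Bin\\MSBuild.exe"},
    {"id": 3, "pid": 6000,
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dest_ip": "203.0.113.45", "dest_port": 80},
]


def basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def hunt(events):
    """Return one finding per matching event, tagged with the rule that fired."""
    findings = []
    for e in events:
        image = basename(e["image"])
        if e["id"] == 1 and image == "vbc.exe":
            parent = e["parent_image"]
            # A compiler launched by anything other than a build tool living in a
            # protected directory is the classic process-hollowing shape.
            if basename(parent) not in BUILD_TOOL_PARENTS or not in_trusted_dir(parent):
                findings.append({"pid": e["pid"], "rule": "vbc_unexpected_parent", "detail": parent})
        elif e["id"] == 3 and image == "vbc.exe":
            # The VB compiler has no reason to open network connections; LokiBot
            # running inside it exfiltrates over HTTP.
            findings.append({"pid": e["pid"], "rule": "vbc_network_connection",
                             "detail": f"{e['dest_ip']}:{e['dest_port']}"})
        elif (e["id"] == 11 and e.get("hidden") and e["target"].lower().endswith(".exe")
              and not in_trusted_dir(e["target"])):
            # LokiBot drops a copy of itself as a hidden file in a user-writable directory.
            findings.append({"pid": e["pid"], "rule": "hidden_exe_dropped", "detail": e["target"]})
    return findings


def suspicious_pids(findings, min_rules=2):
    """Escalate only processes that trip at least `min_rules` distinct rules."""
    rules_by_pid = {}
    for f in findings:
        rules_by_pid.setdefault(f["pid"], set()).add(f["rule"])
    return sorted(pid for pid, rules in rules_by_pid.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"pid {f['pid']}: {f['rule']} ({f['detail']})")
    print("escalate:", suspicious_pids(found))
```

Each rule on its own will produce noise on a build server, which is why `suspicious_pids` only escalates a process that trips two or more distinct rules; the genuine MSBuild-launched compiler (PID 5200) and the browser's ordinary HTTP traffic (PID 6000) produce no findings at all.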

The malware is relatively basic, but that simplicity has made it a useful tool for a wide variety of threat actors, and it is being deployed in a wide range of data-theft attacks. Since July, CISA's EINSTEIN intrusion detection system has recorded a marked spike in LokiBot activity.

LokiBot is most often delivered as a malicious email attachment; however, since July the malware has also been distributed in other ways, including links to websites hosting the malware sent by SMS and through text messaging applications.

Information stealers have been popular with attackers during the COVID-19 pandemic, LokiBot in particular. According to F-Secure, LokiBot was the most frequently observed information stealer in the first half of 2020.

CISA has published best practices that organizations can implement to bolster their defenses against LokiBot and other information stealers. These include:

  • Use antivirus software and keep virus definitions up to date
  • Apply patches for known vulnerabilities promptly
  • Disable file and printer sharing services. If they are required, use strong passwords or Active Directory authentication
  • Enable multi-factor authentication on accounts
  • Restrict users' ability to install and run software applications
  • Enforce a strong password policy
  • Train the workforce and instruct staff to exercise caution when opening email attachments
  • Deploy a spam filtering solution
  • Enable a host-based firewall on workstations and configure it to deny unsolicited connection requests
  • Monitor web activity and consider using a web filter to block access to unsavory websites
  • Scan all downloaded software before it is executed