Increase in LokiBot Malware Activity Leads CISA to Issue Alert

Sep 28, 2020

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has released an alert after a noticeable increase in LokiBot malware activity was recorded in the past eight weeks.

LokiBot – also referred to as Lokibot, Loki PWS, and Loki-bot – first came on the scene in 2015. It is an information stealer deployed to capture credentials and other protected data from victim devices. The malware attacks Windows and Android operating systems, uses a keylogger to record usernames and passwords, and monitors browser and desktop activity. LokiBot can take login details from a number of different applications and data sources, such as the Safari, Chrome, and Firefox web browsers, along with credentials for email accounts and FTP and sFTP clients.

The malware can also capture other sensitive data and cryptocurrency wallets, and can establish backdoors in victims' machines to maintain constant access, allowing the operators of the malware to deliver additional malicious installations.

The malware connects to its command and control server and steals data using HyperText Transfer Protocol (HTTP). It has been recorded using process hollowing to place itself into legitimate Windows processes such as vbc.exe to avoid being noticed. The malware can also create a duplicate of itself, which is saved to a hidden file and directory.
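One way to hunt for the vbc.exe hollowing and HTTP traffic described above, as an added example that is not taken from the CISA alert or the original article. The event field names, the parent allowlist and the sample events are assumptions constructed for illustration, not a real EDR schema.

```python
import ntpath

# Assumed allowlist: build tools that legitimately launch the VB compiler.
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe"}
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

# Constructed process/network telemetry (hypothetical schema and values).
EVENTS = [
    {"type": "process", "pid": 4120, "image": VBC,
     "cmdline": '"' + VBC + r'" /noconfig @C:\build\app.rsp',
     "parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"type": "process", "pid": 5288, "image": VBC,
     "cmdline": '"' + VBC + '"',
     "parent": r"C:\Users\user\AppData\Roaming\EXAMPLE\sample.exe"},
    {"type": "network", "pid": 9999, "dest": "198.51.100.7", "port": 443},
    {"type": "network", "pid": 5288, "dest": "203.0.113.10", "port": 80},
]

def suspicious_vbc(events):
    """Return {pid: [reasons]} for vbc.exe instances that look hollowed."""
    findings = {}
    tracked = set()  # pids of every vbc.exe instance seen (pid reuse ignored)
    for ev in events:
        if ev["type"] == "process" and \
                ntpath.basename(ev["image"]).lower() == "vbc.exe":
            tracked.add(ev["pid"])
            reasons = []
            parent = ntpath.basename(ev["parent"]).lower()
            if parent not in EXPECTED_PARENTS:
                reasons.append(f"unexpected parent {parent}")
            # A real compile carries source files or a response file.
            # Whitespace split is a simplification that assumes no spaces
            # in the image path.
            if len(ev["cmdline"].split()) < 2:
                reasons.append("no compiler arguments")
            if reasons:
                findings[ev["pid"]] = reasons
        elif ev["type"] == "network" and ev["pid"] in tracked:
            # A compiler has no reason to open outbound connections.
            findings.setdefault(ev["pid"], []).append(
                f"outbound connection to {ev['dest']}:{ev['port']}")
    return findings

if __name__ == "__main__":
    for pid, reasons in suspicious_vbc(EVENTS).items():
        print(pid, "; ".join(reasons))
```

Each signal alone is weak; the combination of an unexpected parent, an empty command line and network traffic from a compiler process is what makes an instance worth triaging.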

The malware may be relatively basic, but that has made it a useful tool for a wide variety of hackers, and it is being used in a wide range of data compromise attacks. Since July, CISA's EINSTEIN Intrusion Detection System has recorded a massive spike in LokiBot activity.

LokiBot is most often delivered by email as a malicious attachment; however, since July, the malware has been shared in a range of different ways, such as links to websites hosting the malware sent by SMS and text messaging software.

Data stealers have been popular during the COVID-19 pandemic, particularly LokiBot. LokiBot was the most commonly witnessed data stealer in the first half of 2020, according to F-Secure.

CISA has released best practices to implement in order to bolster security against LokiBot and other information stealers. These include:

  • Use antivirus software and ensure virus definition lists are kept updated
  • Apply patches for vulnerabilities swiftly
  • Turn off file and printer sharing services. If that is not possible, set strong passwords or deploy AD authentication
  • Set up multi-factor authentication on accounts
  • Limit user permissions to download and run software applications
  • Make the use of strong passwords mandatory
  • Conduct training for the workforce and ask staff to use caution when opening email attachments
  • Install a spam filtering solution
  • Set up a personal firewall on workstations and configure the firewall to forbid unsolicited connection requests
  • Review web activity and think about using a web filter to prevent employees from visiting unsavory web pages
  • Scan all software installations before they are executed


Patrick Kennedy
