Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. Lokibot can also create a backdoor into infected systems to allow an attacker to install additional payloads.[1][2][3]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control | |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Lokibot has used PowerShell commands embedded inside batch scripts.[4] |
.003 | Command and Scripting Interpreter: Windows Command Shell |
Lokibot has used |
||
.005 | Command and Scripting Interpreter: Visual Basic |
Lokibot has used VBS scripts and XLS macros for execution.[4] |
||
Enterprise | T1555 | Credentials from Password Stores |
Lokibot has stolen credentials from multiple applications and data sources including Windows OS credentials, email clients, FTP, and SFTP clients.[1] |
|
.003 | Credentials from Web Browsers |
Lokibot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers.[1] |
||
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Lokibot has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR.[4] |
|
Enterprise | T1041 | Exfiltration Over C2 Channel |
Lokibot has the ability to initiate contact with command and control (C2) to exfiltrate stolen data.[5] |
|
Enterprise | T1083 | File and Directory Discovery |
Lokibot can search for specific files on an infected host.[4] |
|
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
Lokibot has the ability to copy itself to a hidden file and directory.[1] |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Lokibot will delete its dropped files after bypassing UAC.[4] |
Enterprise | T1105 | Ingress Tool Transfer |
Lokibot downloaded several staged items onto the victim's machine.[4] |
|
Enterprise | T1056 | .001 | Input Capture: Keylogging |
Lokibot has the ability to capture input on the compromised host via keylogging.[5] |
Enterprise | T1112 | Modify Registry |
Lokibot has modified the Registry as part of its UAC bypass process.[4] |
|
Enterprise | T1106 | Native API |
Lokibot has used LoadLibrary(), GetProcAddress() and CreateRemoteThread() API functions to execute its shellcode.[4] |
|
Enterprise | T1027 | Obfuscated Files or Information | ||
.002 | Software Packing |
Lokibot has used several packing methods for obfuscation.[1] |
||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Lokibot is delivered via a malicious XLS attachment contained within a spearhpishing email.[4] |
Enterprise | T1055 | .012 | Process Injection: Process Hollowing |
Lokibot has used process hollowing to inject itself into legitimate Windows process.[1][4] |
Enterprise | T1620 | Reflective Code Loading |
Lokibot has reflectively loaded the decoded DLL into memory.[4] |
|
Enterprise | T1053 | Scheduled Task/Job |
Lokibot's second stage DLL has set a timer using "timeSetEvent" to schedule its next execution.[4] |
|
.005 | Scheduled Task |
Lokibot embedded the commands |
||
Enterprise | T1082 | System Information Discovery |
Lokibot has the ability to discover the computer name and Windows product name/version.[5] |
|
Enterprise | T1016 | System Network Configuration Discovery |
Lokibot has the ability to discover the domain name of the infected host.[5] |
|
Enterprise | T1033 | System Owner/User Discovery |
Lokibot has the ability to discover the username on the infected host.[5] |
|
Enterprise | T1204 | .002 | User Execution: Malicious File |
Lokibot has tricked recipients into enabling malicious macros by getting victims to click "enable content" in email attachments.[6][4] |
Enterprise | T1497 | .003 | Virtualization/Sandbox Evasion: Time Based Evasion |
Lokibot has performed a time-based anti-debug check before downloading its third stage.[4] |
ID | Name | References |
---|---|---|
G0083 | SilverTerrier |