Lokibot

Lokibot is a malware designed to collect credentials and security tokens from an infected machine. Lokibot has also been used to establish backdoors in enterprise environments.[1][2]

ID: S0447
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 14 May 2020
Last Modified: 18 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Lokibot has used HTTP for C2 communications.[1]

Enterprise T1555 Credentials from Password Stores

Lokibot has stolen credentials from multiple applications and data sources including Windows OS credentials, email clients, FTP, and SFTP clients.[1]

.003 Credentials from Web Browsers

Lokibot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Lokibot has the ability to initiate contact with command and control (C2) to exfiltrate stolen data.[4]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Lokibot has the ability to copy itself to a hidden file and directory.[1]

Enterprise T1056 .001 Input Capture: Keylogging

Lokibot has the ability to capture input on the compromised host via keylogging.[4]

Enterprise T1027 Obfuscated Files or Information

Lokibot has obfuscated strings with base64 encoding.[1]

.002 Software Packing

Lokibot has used several packing methods for obfuscation.[1]

Enterprise T1055 .012 Process Injection: Process Hollowing

Lokibot has used process hollowing to inject into legitimate Windows process vbc.exe.[1]

Enterprise T1082 System Information Discovery

Lokibot has the ability to discover the computer name and Windows product name/version.[4]

Enterprise T1016 System Network Configuration Discovery

Lokibot has the ability to discover the domain name of the infected host.[4]

Enterprise T1033 System Owner/User Discovery

Lokibot has the ability to discover the username on the infected host.[4]

Enterprise T1204 .002 User Execution: Malicious File

Lokibot has been executed through malicious documents contained in spearphishing e-mails.[3]

Groups That Use This Software

ID Name References
G0083 SilverTerrier

[5]

References