CISA Issues Alert Following Surge in LokiBot Malware Activity

Share this article on:

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following a surge in LokiBot malware activity over the past two months.

LokiBot – also known as Lokibot, Loki PWS, and Loki-bot – first appeared in 2015 and is an information stealer used to steal credentials and other sensitive data from victim machines. The malware targets Windows and Android operating systems and employs a keylogger to capture usernames and passwords and monitors browser and desktop activity. LokiBot can steal credentials from multiple applications and data sources, including Safari, Chrome, and Firefox web browsers, along with credentials for email accounts, FTP and sFTP clients.

The malware is also capable of stealing other sensitive information and cryptocurrency wallets and can create backdoors in victims’ machines to provide persistent access, allowing the operators of the malware to deliver additional malicious payloads.

The malware establishing a connection with its Command and Control Server and exfiltrates data via HyperText Transfer Protocol. The malware has been observed using process hollowing to insert itself into legitimate Windows processes such as vbc.exe to evade detection. The malware can also create a duplicate of itself, which is saved to a hidden file and directory.

The malware may be relatively simple, but that has made it an attractive tool for a wide range of threat actors and LokiBot is used in a wide variety of data compromise use cases.  Since July, CISA’s EINSTEIN Intrusion Detection System identified a significant increase in LokiBot activity.

LokiBot is most commonly distributed via email as a malicious attachment; however, since July, the malware has been distributed in a variety of different ways, such as links to websites hosting the malware sent by SMS and via text messaging apps.

Information stealers have proven popular during the COVID-19 pandemic, especially LokiBot. LokiBot was the most commonly detected information stealer in the first half of 2020, according to F-Secure.

CISA has shared best practices to adopt to strengthen defenses against LokiBot and other information stealers. These include:

  • Deploying antivirus software and ensuring virus definition lists are kept up to date
  • Applying patches for vulnerabilities promptly
  • Disabling file and printer sharing services. If not possible, set strong passwords or use AD authentication
  • Use multi-factor authentication on accounts
  • Restrict user permissions to install and run software applications
  • Enforce the use of strong passwords
  • Provide training to the workforce and encourage workers to exercise caution when opening email attachments
  • Deploy a spam filtering solution
  • Use a personal firewall on workstations and configure the firewall to deny unsolicited connection requests
  • Monitor web activity and consider using a web filter to prevent employees from accessing unsavory websites
  • Scan all software downloaded from the Internet prior to executing

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On