HHS Issues Warning Issued About LokiBot Malware
The Health Sector Cybersecurity Coordination Center (hC3) has published an Analyst Note about LokiBot – one of the most prevalent and persistent malware families. LokiBot, aka Loki PWS, has been used in attacks on a variety of industry sectors over the past 8 years, including critical infrastructure organizations; however, there has been a notable increase in the use of the malware since July 2020
The malware is used in attacks on Windows and Android devices and steals usernames, passwords, and other credentials from more than 100 different clients, along with cryptocurrency wallets and payment card information. The malware can take screenshots, log keystrokes, and steal cookies and system data, allowing multi-factor authentication to be bypassed. The malware also creates a backdoor in infected systems that allows attackers to deliver other malicious payloads such as ransomware.
LokiBot was first offered for sale in 2015 for $540 and proved popular due to its relatively low price. The malware is now better at evading security solutions, has more extensive capabilities, and its price has dropped to just $80, making it very popular with a wide range of threat actors. The source code for the malware was also leaked, which has allowed threat actors to develop their own versions of the malware.
LokiBot is distributed using a variety of methods, including spam, phishing, and spear phishing emails, primarily via malicious attachments although the malware may be distributed via emails with embedded hyperlinks to malicious websites. In 2020at the height of the pandemic, multiple threat actors conducted spear phishing campaigns spreading LokiBot via emails spoofing the World Health Organization that claimed to provide important information about COVID-19. In addition to distribution via email, the malware has been distributed via malicious websites and instant messaging services, as well as by exploiting unpatched vulnerabilities such as the Microsoft Office remote code execution vulnerability, CVE-2021-40444, and the Microsoft Office Support Diagnostic Tool remote code execution vulnerability, CVE-2022-30190.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
HC3 has shared a CISA-developed Snort signature for the malware and Indicators of Compromise (IoCs) in the Analyst Note, along with several recommended mitigations and cybersecurity best practices that make it more difficult for threat actors to install the malware. Since the malware is primarily delivered via email, anti-phishing protections, endpoint security solutions, multifactor authentication, and cybersecurity awareness training for the workforce are some of the key recommendations.
