LokiBot is an information stealer that comes with a range of built-in capabilities to extract information from different applications and files. The malware was first spotted in mid-2010, when it was being sold on underground hacking forums. Recently, the U.S. government's cybersecurity agency, CISA, issued a security advisory regarding an increase in infections.

How does it spread?

The trojan is widely available as pirated software and has been circulating for free among cybercriminals for years.
  • Cybercriminals usually spread the malware via email, malicious websites, text messages, and private messages. LokiBot steals credentials by using a keylogger to monitor browser and desktop activity.
  • In addition, the trojan can create a backdoor to install additional payloads on infected systems.

Recent attacks using this trojan

Even though the trojan is old, cybercriminals still use it frequently to steal sensitive information.
  • Last month, a malspam campaign was discovered distributing LokiBot payloads in a spear-phishing attack on a U.S. manufacturing company.
  • In July, a group of actors known as RATicate was found to have launched 14 separate campaigns that distributed LokiBot payloads (along with other malware) between November 2019 and March 2020.
  • In June, adversaries spread the malware via a malspam campaign that used ISO image files as attachments.
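The ISO-attachment delivery mentioned in the last bullet is something a mail gateway can catch by content rather than by file name. The following is an added example, not code from the article or from any vendor: it checks each attachment for the ISO 9660 volume descriptor signature ("CD001" at byte offset 0x8001) and flags disc-image extensions, so an image renamed to look like a PDF is still quarantined. The sample attachments, the `assess_attachment` helper, and the quarantine/allow verdicts are constructed for this demonstration.

```python
# Added example (not from the Cyware article): flag e-mail attachments that are
# ISO 9660 disc images, the container type the article says was used to deliver
# LokiBot in a malspam campaign. Detection is by content (the "CD001" volume
# descriptor signature), not by file extension, so a renamed .iso is still caught.
# All sample attachments below are constructed in memory for the walk-through.

# ISO 9660: primary volume descriptor at byte offset 0x8000 (16 sectors * 2048);
# byte 0 = descriptor type (1 = primary), bytes 1..5 = "CD001".
ISO_PVD_OFFSET = 0x8000
ISO_SIGNATURE = b"CD001"
RISKY_EXTENSIONS = {".iso", ".img", ".udf"}   # assumed gateway policy list


def is_iso9660(data: bytes) -> bool:
    """Return True if the bytes carry an ISO 9660 volume descriptor signature."""
    if len(data) < ISO_PVD_OFFSET + 6:
        return False
    return data[ISO_PVD_OFFSET + 1 : ISO_PVD_OFFSET + 6] == ISO_SIGNATURE


def assess_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment for a hypothetical mail-gateway rule."""
    reasons = []
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"disc-image extension {ext}")
    if is_iso9660(data):
        reasons.append("ISO 9660 signature at 0x8001")
        if ext not in RISKY_EXTENSIONS:
            reasons.append("extension does not match content (renamed image)")
    verdict = "quarantine" if reasons else "allow"
    return {"filename": filename, "verdict": verdict, "reasons": reasons}


def build_fake_iso(payload: bytes = b"") -> bytes:
    """Construct a minimal byte blob that looks like an ISO 9660 image (demo only)."""
    buf = bytearray(ISO_PVD_OFFSET)           # zero-filled system area
    buf += b"\x01" + ISO_SIGNATURE + b"\x01"  # PVD: type 1, "CD001", version 1
    buf += payload
    return bytes(buf)


# Constructed sample "attachments": one harmless file, one obvious disc image,
# and one disc image hiding behind a .pdf name.
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.4 ... harmless demo content"),
    ("Shipping_Docs.iso", build_fake_iso()),
    ("Quotation.pdf", build_fake_iso()),
]


def scan_samples(samples=SAMPLES) -> list:
    """Run the rule over every sample and return the per-attachment verdicts."""
    return [assess_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for result in scan_samples():
        print(f"{result['filename']:<20} {result['verdict']:<11} "
              f"{'; '.join(result['reasons'])}")
```

In production the same check would sit behind the gateway's attachment extraction (including nested archives), and the extension list would be whatever the organization's policy blocks; the signature test is the part that does not depend on the sender's choice of file name.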

Evolution of LokiBot

From a mere infostealer, LokiBot has evolved considerably and now comes with a wide variety of features and capabilities. To date, it can perform real-time keylogging, capture desktop screenshots, function as a backdoor, and more. Cybercriminals can also use the trojan to escalate their attacks.

Ending note

The trojan is continuously evolving, and the recent advisory clearly indicates that its operators are planning a rapid expansion of targeted attacks. Experts recommend that organizations regularly update antivirus solutions, install the latest patches, enable multi-factor authentication, apply a strong password policy, and restrict access to malicious websites.

Cyware Publisher