The Lokibot malware is used by cyberattackers primarly for stealing credentials from a compromised system. In a recent campaign, a new version of the malware has been found equipped with more misdirection and anti-analysis features.
This new campaign uses a complex, multi-stage, multi-layered dropper to execute Lokibot on the target machine. The developers behind this stealer have now added a third stage to its infection chain, along with more encryption layers.
- Recent attacks used multiple attack techniques, including social engineering for luring users into enabling macros on Microsoft Office, images for hiding code, and full and wide encryption of resources.
- The Lokibot dropper now uses three stages in which each has a layer of encryption to hide the eventual source of code. Involving malicious actions at different stages provides this malware with comparably better stealth capabilities.
- The first stage includes a malicious XLS attachment sent in a phishing email. The attachment includes an obfuscated macro that downloads a packed second-stage downloader.
- Subsequently, the second stage initiates the encrypted third-stage. After a privilege escalation exploitation, the third stage delivers Lokibot.
Recent credential-stealing activities
There are many more credential stealers in the underground marketplace actively targeting potential victims.
- At present, Oski, a stealer of Russian origin that can steal credentials from 60 different applications, is gaining popularity on underground forums.
- Two weeks ago, an AutoHotkey-based credential stealer was observed targeting customers of financial organizations located in the U.S. and Canada.
Cybercriminals are now getting more sophisticated in hiding their malicious code from security solutions. Thus, experts suggest proactively looking out for intelligence on ongoing campaigns, and how the attackers use different techniques, tactics, and procedures to trick users and compromise their systems.