Researchers from Trend Micro spotted a new variant of the LokiBot info-stealer malware that uses a steganography technique to hide the code needed for its unpacking routine inside an image file.
A brief overview
Researchers detected an email sample that contained the malicious LokiBot attachment.
Researchers also found similar samples between June 24, 2019, and July 05, 2019, with file names exe / bpxssh.jpg, exe / sittey.jpg, and exe / jkcgjj.jpg.
These samples arrived in malicious spam emails carrying a Rich Text Format (RTF) file attachment. The RTF file included an embedded Excel OLE object that uses Windows Management Instrumentation (WMI) and PowerShell to download and execute LokiBot.
More details on the new variant
The image file hides the encrypted binary until the main LokiBot code is decrypted in memory. The LokiBot variant locates the encrypted binary inside the image file by searching for a “marker” that signifies the start of the encrypted data.
After locating the encrypted file, the malware begins the decryption process. The decrypted file is then loaded for the later stages of unpacking. Notably, LokiBot uses its own method for decryption.
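As an added illustration of a triage check a defender can run on image files like these (this is not Trend Micro's code, and the page does not disclose the variant's marker, so the script assumes the generic case of a blob appended after the JPEG end-of-image marker), the following Python walks the JPEG segment structure, reports any trailing bytes and measures their entropy; a high-entropy tail on a small image is a signal worth sandboxing:

```python
import math
from collections import Counter

# Constructed sample (not a real LokiBot file): a minimal JPEG made of SOI,
# one APP0 segment and EOI, with `trailing` appended after the EOI marker.
def build_sample(trailing: bytes) -> bytes:
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + b"\x00" * 9
    return b"\xff\xd8" + app0 + b"\xff\xd9" + trailing

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data scores close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def find_eoi(data: bytes) -> int:
    """Walk JPEG segments; return offset just past EOI (FF D9) or -1 if malformed."""
    if data[:2] != b"\xff\xd8":
        return -1
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            return -1                           # lost sync: not a clean JPEG
        marker = data[i + 1]
        if marker == 0xD9:                      # EOI: the image ends here
            return i + 2
        if marker == 0xFF:                      # fill byte before a marker
            i += 1
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:   # markers without length
            i += 2
        elif i + 4 > len(data):
            return -1
        else:                                   # length-prefixed segment
            i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
            if marker == 0xDA:                  # SOS: skip entropy-coded scan data
                while i + 1 < len(data) and not (data[i] == 0xFF and
                        data[i + 1] != 0 and not 0xD0 <= data[i + 1] <= 0xD7):
                    i += 1
    return -1

def trailing_data(data: bytes):
    """(offset, size, entropy) of bytes after EOI, or None if none/not a JPEG."""
    end = find_eoi(data)
    if end < 0 or end >= len(data):
        return None
    tail = data[end:]
    return end, len(tail), round(shannon_entropy(tail), 2)

if __name__ == "__main__":
    # 512 bytes with a uniform byte histogram stand in for an encrypted payload
    print(trailing_data(build_sample(bytes(range(256)) * 2)))  # (22, 512, 8.0)
```

Run it over a directory of attachments and flag any image whose tail is more than a few hundred bytes with entropy above roughly 7; clean photos end at EOI with no tail, and appended text or scripts score much lower.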
“One likely reason for this particular variant’s reliance on steganography is that it adds another layer of obfuscation — wscript (the VBS file interpreter) is used to execute the malware instead of the actual malware executing itself. Since the autostart mechanism uses a script, future variants can choose to change the persistence method by modifying the script file on the fly,” researchers said in a blog post.
The bottom line
The steganography technique not only helps LokiBot evade detection but also helps the malware maintain persistence on the infected system.