- The LokiBot variant hides the encrypted binary inside the image file until the main LokiBot code is decrypted in memory.
- This technique not only enables LokiBot to evade detection but also helps the malware gain persistence on the infected system.
Researchers from Trend Micro spotted a new variant of LokiBot info-stealer malware that uses a steganography technique to hide its code required for unpacking routine.
A brief overview
Researchers detected an email sample that contained the malicious LokiBot attachment.
- The attachment included a Microsoft Excel 97-2003 worksheet and a package labeled ‘package.json’.
- Upon executing the attachment, the document displayed a Microsoft Excel worksheet that would run the VBS macro code embedded in the worksheet.
Researchers also found similar samples between June 24, 2019, and July 05, 2019, with the file names exe / bpxssh.jpg, exe / sittey.jpg, and exe / jkcgjj.jpg.
These samples arrived in malicious spam emails containing a Rich Text Format (RTF) file attachment. The RTF file included an embedded Excel OLE object that uses Windows Management Instrumentation (WMI) and PowerShell to download and execute LokiBot.
More details on the new variant
- This new LokiBot variant initially installs itself as %Temp%\[filename].exe along with an image file (%temp%\[filename].jpg).
- The image file contains data that LokiBot references in its unpacking routine.
- LokiBot uses a steganography technique to hide the encrypted binary that will be used throughout the different unpacking stages, inside the image file.
- After the initial installation, LokiBot creates a directory in %appdatalocal% where the Loki binary and the image will be placed.
- The malware then drops a Visual Basic script (VBS) file that then runs the LokiBot file.
- After this, LokiBot also creates an autostart registry entry that points to the VBS file as a persistence mechanism.
- Later, the main LokiBot code is finally loaded and executed.
The image file hides the encrypted binary until the main LokiBot code is decrypted in memory. The LokiBot variant locates the encrypted binary inside the image file by looking for the “marker” that signifies the start of the encrypted file.
After locating the file, the malware begins the decryption process. The decrypted file is then loaded for the later stages of unpacking. It is to be noted that LokiBot uses its own method for decryption.
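The marker-based hiding described above can be checked for from the defender's side. The script below is an added example, not Trend Micro's code or anything from the page: it walks a JPEG's marker segments, finds the end-of-image marker, and reports whether a sizeable high-entropy blob has been appended after it, which is where a payload located by a "marker" string would typically sit. The actual marker LokiBot searches for is not given on the page; the `MARKER!` string, the size and entropy thresholds, and the sample image bytes are constructed assumptions.

```python
import math
import random
from collections import Counter

SOI, EOI = b"\xff\xd8", b"\xff\xd9"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or packed data sits near 8.0, plain text far lower."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def jpeg_image_end(data: bytes) -> int:
    """Walk the JPEG marker segments; return the offset just past EOI, or -1 if not a JPEG."""
    if not data.startswith(SOI):
        return -1
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI reached without any scan data
            return pos + 2
        if marker == 0xDA:                      # SOS: entropy-coded data runs to EOI
            idx = data.find(EOI, pos)           # FF D9 cannot occur inside scan data
            return -1 if idx == -1 else idx + 2
        if 0xD0 <= marker <= 0xD7:              # RSTn markers carry no length field
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
    return -1

def trailing_payload(data: bytes, min_len: int = 1024, min_entropy: float = 7.0) -> dict:
    """Report bytes appended after the image's EOI marker. Thresholds are assumptions."""
    end = jpeg_image_end(data)
    if end == -1:
        return {"valid_jpeg": False, "trailer_len": 0, "entropy": 0.0, "suspicious": False}
    trailer = data[end:]
    ent = shannon_entropy(trailer)
    return {"valid_jpeg": True, "trailer_len": len(trailer), "entropy": round(ent, 2),
            "suspicious": len(trailer) >= min_len and ent >= min_entropy}

# Constructed samples: a minimal JFIF image, then the same image with a hypothetical
# marker string and 4 KiB of pseudo-random bytes standing in for an encrypted payload.
CLEAN_JPEG = (SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\x56" + EOI)
_rng = random.Random(1)
STEGO_JPEG = CLEAN_JPEG + b"MARKER!" + bytes(_rng.getrandbits(8) for _ in range(4096))
```

Pointing `trailing_payload` at the bytes of the .jpg files dropped in the %Temp% and %appdatalocal% locations named above gives a quick triage signal; a legitimate JPEG normally has a zero-length trailer.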
“One likely reason for this particular variant’s reliance on steganography is that it adds another layer of obfuscation — wscript (the VBS file interpreter) is used to execute the malware instead of the actual malware executing itself. Since the autostart mechanism uses a script, future variants can choose to change the persistence method by modifying the script file on the fly,” researchers said in a blog.
The bottom line
The steganography technique not only enables LokiBot to evade detection but also helps the malware gain persistence on the infected system.