Last Updated: 2018-02-07 00:41:03 UTC
by Brad Duncan (Version: 1)
Loki-Bot (also spelled "Loki Bot" or "LokiBot") is an information stealer that sends login credentials and other sensitive data from an infected Windows host to a server established for each malware sample. It's commonly distributed through malicious spam (malspam), and I usually run across samples of Loki-Bot every day. More information can be found in a SANS Reading Room paper written by Rob Pantazopoulos here.
Malspam pushing Loki-Bot doesn't follow specific patterns. Other malspam campaigns pushing Dridex, Emotet, or Hancitor have very similar emails, where the message text, links and/or attachment names follow specific patterns. This isn't true for Loki-Bot. I can never say if a particular malspam sample I run across will have Loki-Bot or something else until I examine the malware. Malspam pushing Loki-Bot doesn't seem as wide-scale as mass-distribution campaigns like those for Emotet or Hancitor. However, I can usually find at least one or two Loki-Bot malspam samples each day that have been submitted to VirusTotal.
To give you a better idea how different these emails are, I've collected three malspam samples pushing Loki-Bot: one from Monday 2018-02-05 and two from Tuesday 2018-02-06. If we examine these emails and their associated malware, we can get a better sense of malspam-based distribution for Loki-Bot.
General distribution patterns
I've only seen Loki-Bot distributed through malspam. I've not seen Loki-Bot distributed through web-based infection vectors like pop-up browser windows or exploit kits. But I have a limited field of view. If anyone has seen Loki-Bot come through web traffic not caused by malicious email attachments, please leave a comment for this diary.
Malspam pushing Loki-Bot uses email attachments. These attachments are either some sort of archive file containing a Loki-Bot executable, or the attachments are Microsoft Office documents designed to download and install Loki-Bot. In some cases, the documents are files that exploit vulnerabilities like CVE-2017-11882 (example here) to infect Windows hosts with Loki-Bot.
First email example: 2018-02-06 at 12:34 UTC
In the first example, traffic patterns and infection artifacts were fairly straight-forward. The Loki-Bot executable copied itself to a folder under the user's AppData\Roaming directory for persistence. No real surprises here.
- Date: Tue, 06 Feb 2018 13:34:06 +0100
- Received: from server1.bollywoodchaska.com ([22.214.171.124])
- From: "Mrs. Tamara Tollman" <email@example.com>
- Subject: PO-0003-01 | PO315-50 PO 750 Intercompany PO 2017-100029
- Attachment name: NEW ORDER REQUIRE.zip
- SHA256 hash: 4bb536902c2000f793d539d2887df264156dba1a97460c3ee139a4e1904131c9
- Extracted file: NEW ORDER REQUIRE.exe
- SHA256 hash: afb3edaf073c0d2435fac520ddc846261ff85040494999415657ce35b1246c66
- Post-infection traffic: 126.96.36.199 port 80 - liltem.flu.cc - POST /ml/vrs/sly/lok/panel/fre.php
Second email example: 2018-02-06 at 13:17 UTC
I've documented ISO attachments used in malspam pushing Loki-Bot back in October 2017, and ISO files were probably used well before that. Again, the traffic patterns and infection artifacts were fairly straight-forward. Again, the Loki-Bot executable copied itself to a folder under the user's AppData\Roaming directory for persistence. Again, no real surprises.
- Date: Tue, 6 Feb 2018 14:17:27 +0100
- Received: from mail.ivacbd.com ([188.8.131.52])
- From: "Chang Mei"<firstname.lastname@example.org>
- Subject: Re: Qoutation Order
- Attachment name: SCAN.pdf.r11 (an ISO file)
- SHA256 hash: 5348c7747c150dbc35328a5c89a0b64fa61f1911daf33b1ca24caa79e2eb55b7
- Extracted file: SCAN.pdf.com (a PE32 Windows executable)
- SHA256 hash: d722642b17e8897a092fc9f7b93cc002ee10f37f792171979f9d22f35a673e8c
- Post-infection traffic:
- 184.108.40.206 port 80 - festy18.info - POST /osy/fre.php
Third email example: 2018-02-05 at 15:03 UTC
This email was a bit different, because it had a Microsoft Excel spreadsheet with a malicious macro that downloaded the Loki-Bot executable. The Loki-Bot executable was made persistent through a Start Menu shortcut. I also saw an Loki-Bot-style entry in the Windows registry. However, that Windows registry entry ran a copy of Microsoft's COM Surrogate, a legitimate program re-named and saved to the usual Loki-Bot location. Perhaps that was a decoy. Otherwise, traffic patterns were as expected. The post-infection artifacts were a little unusual for Loki-Bot, though.
- Date: Mon, 05 Feb 2018 16:03:33 +0100
- Received: from mail.bexop.tk ([220.127.116.11])
- From: David Cooper <email@example.com>
- Subject: Request for Quotation
- Attachment name: REQ20180205.xls
- SHA256 hash: ed25239eaa51648ebe7b7597091f98d06e1c9e3e29e78dc865eb70818889b7ce
- Downloaded Loki-Bot: C:\Users\[username]\AppData\Local\Temp\manahj.exe
- SHA256 hash: adccbeba5792ef80048bcbb20f860d368dea9db35814b2c99447fbbe7f310230
- Post-infection traffic:
- 18.104.22.168 port 80 - kdotraky.com - POST /temp/Panel/five/fre.php
Within a 24 hour timeframe, I found three emails distributing Loki-Bot. Apart from the general use of an invoice, order, or quotation theme, the emails distributing Loki-Bot didn't have many similarities. With each of the attachments, the infection chain was slightly different, but the end result was the same type of Loki-Bot infection.
As always, the standard disclaimer applies: This malspam is no more dangerous than other types of malspam we see on a daily basis. As always, properly-administered Windows hosts are unlikely to get infected. For Windows hosts, system administrators and the technically inclined can implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.
The servers at festy18.info, kdotraky.com, and liltem.flu.cc are all associated with Loki-Bot. If they aren't blocked already, security personnel should block any web-based traffic to these domains if they can.
brad [at] malware-traffic-analysis.net