DHS CISA Alerts to Rise in Credential Theft-Focused LokiBot Malware

September 23, 2020 - The Department of Homeland Security Cybersecurity and Infrastructure Security Agency and Multi-State Information Sharing & Analysis Center (MS-ISAC) released an alert warning of an increase in LokiBot malware through the cyberattacks aimed at credential theft and information stealing, often sent in malicious email attachments. 

Credential theft is a common risk in the healthcare sector, and hackers have increasingly targeted providers through social engineering attempts and spoofed login pages in recent years. With the onset of the COVID-19 pandemic, these attempts have only increased. Currently, there are 15 billion credentials for sale on the dark web, Digital Shadows recently reported. 

First observed in 2015, LokiBot leverages trojan malware in order to steal sensitive information, including usernames, passwords, cryptocurrency wallets, and other credentials, by leveraging a keylogger to monitor desktop and browser activities. 

Its hackers were last observed in February 2020 by Trend Micro, impersonating a launcher for the popular video game known as Fortnite. 

The malware is also capable of creating backdoors into the networks of victims, which would allow a hacker to install additional malicious payloads. Hackers commonly use LokiBot on targeted Windows and Android operating systems, which distribute the virus through email, websites, text, and private messages. 

READ MORE: COVID-19 PPE Phishing Campaign Delivers Agent Tesla RAT Malware

Since July, CISA’s EINSTEIN Intrusion Detection System has observed a significant increase in LokiBot activities through simple and effective means, commonly sent as malicious attachments, which make “it an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.” 

LokiBot has a range of techniques, which include discovering the victim’s domain name, username, computer name, and Windows product/version, using obfuscated strings with base64 encoding, and several obfuscation packing methods. The variant can also initiate contact with the command and control server to exfiltrate sensitive data. 

Further, researchers have observed LokiBot using process hollowing to inject into legitimate Windows process vbc.exe and HyperText Transfer Protocol for command and control. The malware can also duplicate itself to a hidden file and directory. 

Observed attack methods include malicious documents contained in spear-phishing emails and stolen credentials from multiple applications and data sources, such as Chromium, Mozilla, and Safari. 

DHS CISA provided recommendations for both government agencies and private sector organizations to bolster their best practices to defend against these attacks. Network administrators were reminded to maintain up-to-date antivirus signatures and engines and keep operating systems up to date. 

READ MORE: CISA Alerts to Phishing Campaign Deploying KONNI RAT Malware

File and printer sharing services should be disabled, and multi-factor authentication and strong password policies should be enforced. Administrators should also restrict user permissions when it comes to installing and running unwanted software applications, while users should not be added to the local administrators’ group unless it’s required. 

Employees should be reminded to exercise caution when opening email attachments, even if an attachment it expected and the sender appears to be known. Personal firewalls should also be enabled on agency workstations and configured to deny unsolicited connection requests. 

Administrators should disable unnecessary services on agency workstations and servers, while routinely scanning for and removing email attachments. Further, they should make sure scanned attachments are the “true file type,” meaning the extension matches the file header. 

Web browsing habits should be monitored and access to sites with unfavorable content should be restricted, and all software downloaded from the internet should be scanned before execution. Administrators must also “maintain situational awareness of the latest threats and implement appropriate access control lists.”

“The recent advisory on the LokiBot malware is another indication of how malware authors have turned their malicious activities into a scalable business model," Saryu Nayyar, CEO Gurucul, said in an emailed statement. "The fact that LokiBot has been around for over four years and has gained in capability over time is a reflection of how much malicious actors have advanced the state of their art, leveraging the same development models we use in the commercial space." 

"Using a combination of data sources for telemetry, it's possible to analyze events as they happen and identify malicious user or system behaviors," she added. "This lets an organization mitigate these attacks before they can cause serious damage.”