Lokibot

Malware updated 3 months ago (2024-05-28T15:17:33.785Z)
LokiBot is malware that was first reported on October 24, 2020. It is designed to compromise and damage computer systems, typically arriving through suspicious downloads, emails, or websites without the user's knowledge. Once inside, LokiBot steals personal information and disrupts operations. The malware uses a complex, multi-stage, multi-layered dropper to execute on the victim's machine. Several versions of this dropper have been identified, each carrying a different final payload, such as LokiBot itself for credential theft or Remcos for remote access.

LokiBot collects credentials from various sources within the infected system, stores them in a buffer inside the malware, and then sends them to its Command and Control (C2) server. In one instance, a Microsoft Word document started a chain that installed the Remcos RAT, while a similar attack chain deployed the XWorm RAT through an Excel file and LokiBot through an RTF document. The RTF document exploits CVE-2017-11882, which enables the download and execution of LokiBot.

The cybercrime group responsible for LokiBot has a wide array of tools and malware at its disposal, including AgentTesla, FormBook, Remcos, LokiBot, GuLoader, Snake Keylogger, and XWorm. Analysis of these droppers revealed a wide range of final-stage payloads, including Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre, and Remcos. The campaign demonstrates a high degree of sophistication and poses a significant threat to data security.
Description last updated: 2024-05-28T15:16:54.924Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Payload
Phishing
Fortiguard
Loki
Windows
Trojan
Dropper
Android
Exploit
Loader
Bot
Rat
Spam
Exploits
Injector
Remote Code ...
Remcos
Shellcode
Infostealer
Cybercrime
Associated Malware
ID | Type | Votes | Profile Description
Agenttesla | Unspecified | 6 | AgentTesla is a well-known remote access trojan (RAT) that has been used extensively in cybercrime operations. It infiltrates systems through various methods, including malicious emails and suspicious downloads. Once inside, it can steal personal information, disrupt operations, or hold data hostage
Formbook | Unspecified | 6 | Formbook is a type of malware, short for malicious software, designed to exploit and damage computers or devices. It was first discovered in 2016 and has since been used in various cyber attacks worldwide. The malware can infect systems through suspicious downloads, emails, or websites, often withou
Redline | Unspecified | 2 | RedLine is a notorious malware that has been widely used by cybercriminals to steal sensitive information. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can cause significant damage by stealing personal data or disrupting operations. RedLine's conf
Darkgate | Unspecified | 2 | DarkGate is a malicious software (malware) designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. Once embedded in a system, DarkGate can steal personal information, disrupt operations, or hold data for ransom. Recently, the malware was
Avemaria/warzonerat | Unspecified | 2 | (no profile description)
Emotet | Unspecified | 2 | Emotet is a highly dangerous and insidious type of malware that has been active, particularly during recent summers. It is distributed primarily through documents attached to emails, using conversations found in compromised accounts. Once an unsuspecting user clicks either the enable button or an im
Raccoon | Unspecified | 2 | Raccoon is a type of malware, specifically an infostealer, used predominantly by the Scattered Spider threat actors to obtain login credentials, browser cookies, and histories. This malicious software, which is sold as Malware-as-a-Service (MaaS) on dark web forums, is both effective and inexpensive
Xworm | Unspecified | 2 | XWorm is a multifaceted malware that has been observed to exploit vulnerabilities in ScreenConnect, a remote access software. This malware provides threat actors with remote access capabilities and the potential to spread across networks, exfiltrate sensitive data, and download additional payloads.
NETWIRE | Unspecified | 2 | NetWire is a type of malware, specifically a remote access trojan (RAT), that has been utilized for various malicious activities since at least 2014. Initially promoted as a legitimate tool for managing Windows computers remotely, NetWire was quickly adopted by cybercriminals and used in phishing at
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2017-11882 | Unspecified | 2 | CVE-2017-11882 is a significant software vulnerability, specifically a flaw in the design or implementation of Microsoft's Equation Editor. This vulnerability has been exploited by various threat actors to create malicious RTF files, most notably by Chinese state-sponsored groups using the "Royal Ro
CVE-2022-30190 | Unspecified | 2 | CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it
CVE-2021-40444 | Unspecified | 2 | (no profile description)
Source Document References
Information about the Lokibot malware was read from the documents below (display limited to 20 results).
Source | Created | Title
Checkpoint | 3 months ago | Static Unpacking for the Widespread NSIS-based Malicious Packer Family - Check Point Research
BankInfoSecurity | 5 months ago | Steganography Campaign Targets Global Enterprises
InfoSecurity-magazine | 7 months ago | “TicTacToe Dropper” Malware Distribution Tactics Revealed
Fortinet | 7 months ago | TicTacToe Dropper | FortiGuard Labs
Securelist | 9 months ago | Kaspersky malware report for Q3 2023
CERT-EU | 10 months ago | November 2023 Product Release News
BankInfoSecurity | 10 months ago | Info Stealers Thrive in Hot Market for Stolen Data
CERT-EU | a year ago | Microsoft to kill off VBScript in Windows to block malware delivery
CERT-EU | a year ago | Mirai Botnet’s New Wave: hailBot, kiraiBot, catDDoS, and Their Fierce Onslaught
CERT-EU | a year ago | Unpacking what's packed: DotRunPeX analysis
CERT-EU | a year ago | The Hidden Dangers of Remote Code Execution (RCE) Exploits in Word Documents
CERT-EU | a year ago | LokiBot Information Stealer Packs Fresh Infection Strategies
CERT-EU | a year ago | DotRunpeX Malware Injector Widely Delivers Known Malware Families to Attack Windows
CERT-EU | a year ago | What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot – Cyber Security Review
Securelist | a year ago | Kaspersky crimeware report: Emotet, DarkGate and LokiBot
Fortinet | a year ago | LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros | FortiGuard Labs
CERT-EU | a year ago | Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware – GIXtools
BankInfoSecurity | a year ago | Latest LokiBot Campaign Exploits Malicious MS Documents
InfoSecurity-magazine | a year ago | LokiBot Malware Targets Windows Users in Office Document Attacks