Lokibot

Malware updated 6 months ago (2024-05-28T15:17:33.785Z)
Download STIX
Preview STIX
LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information and disrupts operations. The malware utilizes a complex, multi-stage, multi-layered dropper to execute on the victim's machine. Various versions of this dropper have been identified, each carrying different types of final payloads such as LokiBot itself for credential theft, Remcos for remote access, and others. The malware operates by collecting credentials from various sources within the infected system and storing them in a buffer inside the malware. These credentials are then sent to the Command and Control (C2) server. In one instance, a Microsoft Word document initiated a chain leading to the installation of Remcos RAT, while a similar attack chain deployed XWorm RAT through an Excel file and LokiBot through an RTF document. This RTF document exploits a vulnerability, specifically CVE-2017-11882, which enables the download and execution of LokiBot. The cybercrime group responsible for LokiBot has a wide array of tools and malware at their disposal, including AgentTesla, FormBook, Remcos, LokiBot, GuLoader, Snake Keylogger, and XWorm. The analysis revealed a plethora of final-stage payloads delivered by these droppers, including Leonem, AgentTesla, SnakeLogger, RemLoader, Sabsik, LokiBot, Taskun, Androm, Upatre, and Remcos. The campaign demonstrates a high degree of sophistication and poses a significant threat to data security.
Description last updated: 2024-05-28T15:16:54.924Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Payload
Phishing
Fortiguard
Loki
Windows
Trojan
Dropper
Android
Exploit
Loader
Bot
Rat
Spam
Exploits
Injector
Remote Code ...
Remcos
Shellcode
Infostealer
Cybercrime
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Agenttesla Malware is associated with Lokibot. AgentTesla is a well-known Remote Access Trojan (RAT) and infostealer malware that has been used in numerous cyber-attacks. It is often delivered through malicious emails or downloads, and once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransUnspecified
6
The Formbook Malware is associated with Lokibot. Formbook is a type of malware, malicious software designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Formbook has been linked with other forms oUnspecified
6
The Redline Malware is associated with Lokibot. RedLine is a type of malware, a malicious software designed to exploit and damage computer systems. It often infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. RedLine has been favored by threat actorUnspecified
2
The Darkgate Malware is associated with Lokibot. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicioUnspecified
2
The malware Avemaria/warzonerat is associated with Lokibot. Unspecified
2
The Emotet Malware is associated with Lokibot. Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, Unspecified
2
The Raccoon Malware is associated with Lokibot. Raccoon is a malicious software (malware) developed by Russian-speaking coders, first spotted in April 2019. It was designed to steal sensitive data such as credit card information, email credentials, cryptocurrency wallets, and more from its victims. The malware is offered as a service (MaaS) for $Unspecified
2
The Xworm Malware is associated with Lokibot. XWorm is a sophisticated piece of malware designed to infiltrate and exploit computer systems, often without the user's knowledge. It can be delivered through various means such as suspicious downloads, emails, or websites, and once inside a system, it can steal personal information, disrupt operatiUnspecified
2
The NETWIRE Malware is associated with Lokibot. NetWire is a type of malware, specifically a remote access trojan (RAT), that has been utilized for various malicious activities since at least 2014. Initially promoted as a legitimate tool for managing Windows computers remotely, NetWire was quickly adopted by cybercriminals and used in phishing atUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2017-11882 Vulnerability is associated with Lokibot. CVE-2017-11882 is a significant software vulnerability, specifically a flaw in the design or implementation of Microsoft's Equation Editor. This vulnerability has been exploited by various threat actors to create malicious RTF files, most notably by Chinese state-sponsored groups using the "Royal RoUnspecified
2
The CVE-2022-30190 Vulnerability is associated with Lokibot. CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized itUnspecified
2
The vulnerability CVE-2021-40444 is associated with Lokibot. Unspecified
2
Source Document References
Information about the Lokibot Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Checkpoint
6 months ago
BankInfoSecurity
7 months ago
InfoSecurity-magazine
9 months ago
Fortinet
9 months ago
Securelist
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Securelist
a year ago
Fortinet
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
InfoSecurity-magazine
a year ago