The Lokibot malware is a Banking Trojan designed for information theft. It’s been around since 2015 and has targeted many users for quite some time. The original malware was created by “Carter”, a.k.a. “Lokistov”. It was then sold and distributed on the underground market (dark web) for prices ranging from $80 to as high as $350. It spread like wildfire and sold again and again. It was speculated that the original source code for this malware was leaked and this gave other hackers the perfect opportunity to modify it for their own nefarious purposes.
Coincidentally, a researcher named “d00rt” on Twitter discovered a user who made some small-scale yet significant patching to the original source code without even having access to it. As amazing as it sounds, this somehow paved the way for hackers to get creative and amend the malware’s specifications for stealing data. The changes enabled these cyber criminals to set up their own unique domains to retrieve and house the stolen data.
Experts investigating the incident revealed that they were able to acquire samples of the Lokibot malware from the “dark web” and analyzed it. The samples were heavily encrypted using Triple DES algorithm and a single one with an XOR coding. They’ve also found indications of the Trojans reverting back to the C&C server where the stolen data is supposed to be sent. Using the string function “Decrypt3DESstring”, the malware automatically decrypts any encrypted strings in order to take the URL of the control server. After careful analysis and comparison, the Decrypt3DESstring used is totally different from the older versions of the Lokibot malware.
Later progress in the investigation also uncovered builder programs on the dark web being used to customize and enforce the malware according to their liking. Just like the original malware, these items are also for sale. And just so you know – as of this writing, the original creator of the malware, “Lokistov” has just released a new version of the Lokibot. Dubbed “Lokibot 2.0”, it is now being offered for sale on the underground market. I guess we’ll just have to wait to find out what its capable of.