The Cybersecurity and Infrastructure Security Agency (CISA) has recently issued a security advisory for US federal government organizations and the private sector about increasing use of the LokiBot malware by threat actors, starting in July 2020.
EINSTEIN, the in-house intrusion detection system CISA uses, has detected continuous malicious activity that can be traced back to LokiBot-infected systems and devices. The spike detected over the three months starting in July was also confirmed by other security research groups.
This is indeed alarming because LokiBot is identified as one of today’s most widespread and most potent malware strains. It is also known as Loki or Loki PWS. This trojan is categorized primarily as an information stealer.
This information stealer works by infecting computers and then using its built-in capabilities to search the locally installed applications and extract credentials stored in those applications’ internal databases. By default, LokiBot targets web browsers, cryptocurrency wallets, email clients, and FTP client applications.
LokiBot is far more than an information stealer. Over time, the malware has evolved and new capabilities have been observed.
It now includes a real-time keylogging feature that captures keystrokes to steal passwords for accounts that are not stored in an application’s local database, and a screen-capture feature that records documents opened on infected desktops and servers.
It also serves as a backdoor that allows attackers to remotely execute other malware variants and trojans, further escalating the attack.
This trojan made its debut back in mid-2010, when it was offered and sold on underground hacker forums. Eventually, LokiBot became widely distributed and was pirated for years as a free hacking tool, until it became one of today’s most well-known password stealers, used primarily by low- to mid-skilled threat actors globally.
Multiple groups currently distribute this malware via several different techniques, such as email spam, cracked installers, and scripts embedded in torrent files; hence, everyone needs to take the necessary precautions.
The credentials stolen by the malware are usually found for sale on the dark web and in other underground marketplaces such as Genesis.
We can only advise improving the detection and mitigation of malicious activity and cyber-attacks, and handling infections promptly, to avoid being victimized by the LokiBot information stealer and the other malware variants that run rampant in today’s digital environment.