CISA Advisory on the LokiBot Malware Activity Spike

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) published an alert after observing a sustained increase in LokiBot malware activity over the past two months.

LokiBot, also known as Loki-bot, Lokibot, and Loki PWS, first appeared in 2015. It is used to steal data such as credentials and other sensitive information. The malware targets Android and Windows operating systems and uses a keylogger to capture login details; it also monitors browser and desktop activity on infected devices. LokiBot can steal credentials from a range of applications and data sources, including the Firefox, Chrome and Safari web browsers, and it harvests credentials used by FTP and sFTP clients and email accounts.

The malware is also used to steal other sensitive information and cryptocurrency wallets, and it installs backdoors on infected devices to maintain persistent access, allowing the attackers to deliver additional malicious payloads.

The malware communicates with its command and control (C2) server and exfiltrates data over HTTP. It uses process hollowing to inject itself into legitimate Windows processes such as vbc.exe in order to evade detection, and it can copy itself into a hidden file and directory to persist on the system.
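Two of the behaviours above give defenders something concrete to look for in endpoint telemetry: vbc.exe (the VB.NET compiler) being launched by a process that has no reason to compile code, and vbc.exe making outbound HTTP connections. The following is an added example, not code from the advisory or from CISA, that applies those two heuristics to process-creation and network-connection events in a Sysmon-style key=value format. The event lines, the IP addresses and the list of "benign" vbc.exe parents (MSBuild and Visual Studio) are constructed assumptions for the example; tune the parent list to what actually runs in your environment.

```python
import re

# Constructed Sysmon-like sample events (EventID 1 = process create, 3 = network connect).
# None of these values come from the advisory; they exist only to exercise the logic.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe ParentImage=C:\\Program Files\\Microsoft Visual Studio\\MSBuild.exe',
    'EventID=1 Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe ParentImage=C:\\Program Files\\Microsoft Office\\WINWORD.EXE',
    'EventID=3 Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe DestinationIp=203.0.113.10 DestinationPort=80',
    'EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationIp=203.0.113.20 DestinationPort=443',
]

# Assumption: parents that legitimately invoke the VB.NET compiler in this environment.
BENIGN_VBC_PARENTS = {"msbuild.exe", "devenv.exe"}

# Matches "Key=value" pairs where the value runs until the next " Key=" or end of line,
# so that paths containing spaces are kept intact.
_KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Turn one key=value event line into a dict."""
    return dict(_KV_RE.findall(line))


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_lokibot_indicators(lines):
    """Return (indicator, detail) tuples for vbc.exe events that match the two heuristics."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if basename(ev.get("Image", "")) != "vbc.exe":
            continue
        if ev.get("EventID") == "1":
            # A compiler spawned by an Office app, mail client or browser is a hollowing candidate.
            parent = basename(ev.get("ParentImage", ""))
            if parent not in BENIGN_VBC_PARENTS:
                findings.append(("suspicious_parent", parent))
        elif ev.get("EventID") == "3":
            # The compiler has no business talking to the network at all.
            dest = f"{ev.get('DestinationIp', '?')}:{ev.get('DestinationPort', '?')}"
            findings.append(("outbound_connection", dest))
    return findings


if __name__ == "__main__":
    for indicator, detail in find_lokibot_indicators(SAMPLE_EVENTS):
        print(f"{indicator}: {detail}")
```

Running the block flags the vbc.exe instance started by WINWORD.EXE and the vbc.exe connection to port 80, while the MSBuild-launched compiler and the browser's HTTPS traffic pass silently. In production the same two checks are usually expressed as a SIEM or EDR rule rather than a script, but the logic is identical.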

LokiBot is a relatively simple piece of malware, yet it remains a favourite of many threat actors and has been used in numerous data breaches. Beginning in July, CISA's EINSTEIN Intrusion Detection System has detected a substantial increase in LokiBot activity.

LokiBot is most commonly delivered as a malicious email attachment, but since July cybercriminals have also been distributing the malware in other ways, such as hyperlinks to web pages that host the malware and messages sent over SMS or other text-messaging applications.

Information stealers, LokiBot in particular, have become popular during the COVID-19 pandemic. F-Secure reported that LokiBot was the most commonly detected information stealer in the first six months of 2020.

CISA has issued the following recommendations to help protect against LokiBot and other information stealers:

  • Use antivirus software and keep its virus definitions up to date
  • Disable file and printer sharing services; if they cannot be avoided, require strong passwords or identity-based authentication
  • Patch vulnerabilities promptly
  • Secure accounts with multi-factor authentication
  • Use only strong passwords
  • Restrict users' permission to install software applications
  • Train employees appropriately and encourage them to exercise caution when opening email attachments
  • Deploy a spam filtering solution
  • Enable a personal firewall on workstations and configure it to deny unsolicited connection requests
  • Monitor web activity and use a web filter to block employees from visiting inappropriate websites
  • Scan all software downloaded from the Internet before allowing it to run