win.lokipws (Back to overview)

Loki Password Stealer (PWS)

aka: Loki, LokiPWS, LokiBot

Actor(s): The Gorgon Group

URLhaus        

"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe

Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.

Loki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.

The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.

Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\ C98066\”.

There can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:

FILE EXTENSION FILE DESCRIPTION
.exe A copy of the malware that will execute every time the user account is logged into
.lck A lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts
.hdb A database of hashes for data that has already been exfiltrated to the C2 server
.kdb A database of keylogger data that has yet to be sent to the C2 server

If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.

The first packet transmitted by Loki-Bot contains application data.

The second packet transmitted by Loki-Bot contains decrypted Windows credentials.

The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.

Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.

The first WORD of the HTTP Payload represents the Loki-Bot version.

The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:

BYTE PAYLOAD TYPE
0x26 Stolen Cryptocurrency Wallet
0x27 Stolen Application Data
0x28 Get C2 Commands from C2 Server
0x29 Stolen File
0x2A POS (Point of Sale?)
0x2B Keylogger Data
0x2C Screenshot

The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!

Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.

The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.

Loki-Bot can accept the following instructions from the C2 Server:

BYTE INSTRUCTION DESCRIPTION
0x00 Download EXE & Execute
0x01 Download DLL & Load #1
0x02 Download DLL & Load #2
0x08 Delete HDB File
0x09 Start Keylogger
0x0A Mine & Steal Data
0x0E Exit Loki-Bot
0x0F Upgrade Loki-Bot
0x10 Change C2 Polling Frequency
0x11 Delete Executables & Exit

Suricata Signatures
RULE SID RULE NAME
2024311 ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected
2024312 ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1
2024313 ET TROJAN Loki Bot Request for C2 Commands Detected M1
2024314 ET TROJAN Loki Bot File Exfiltration Detected
2024315 ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1
2024316 ET TROJAN Loki Bot Screenshot Exfiltration Detected
2024317 ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2
2024318 ET TROJAN Loki Bot Request for C2 Commands Detected M2
2024319 ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2

References
https://isc.sans.edu/diary/24372
https://github.com/R3MRUM/loki-parse
http://www.malware-traffic-analysis.net/2017/06/12/index.html
https://www.lastline.com/blog/password-stealing-malware-loki-bot/
https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850
https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file
http://blog.fernandodominguez.me/lokis-antis-analysis/
https://phishme.com/loki-bot-malware/
https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/
https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/
https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf
https://securelist.com/loki-bot-stealing-corporate-passwords/87595/
Yara Rules
[TLP:WHITE] win_lokipws_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_lokipws_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 50 e8f16fffff 68fc684100 8d8ba6000000 }
            // n = 4, score = 1000
            //   50                   | push                eax
            //   e8f16fffff           | call                0x4031e5
            //   68fc684100           | push                0x4168fc
            //   8d8ba6000000         | lea                 ecx, dword ptr [ebx + 0xa6]

        $sequence_1 = { 50 e853030000 8b4d10 83c410 }
            // n = 4, score = 1000
            //   50                   | push                eax
            //   e853030000           | call                0x4053ac
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   83c410               | add                 esp, 0x10

        $sequence_2 = { 33c0 8dbd20feffff a5 a5 }
            // n = 4, score = 1000
            //   33c0                 | xor                 eax, eax
            //   8dbd20feffff         | lea                 edi, dword ptr [ebp - 0x1e0]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]

        $sequence_3 = { 33f6 898348170000 56 56 }
            // n = 4, score = 1000
            //   33f6                 | xor                 esi, esi
            //   898348170000         | mov                 dword ptr [ebx + 0x1748], eax
            //   56                   | push                esi
            //   56                   | push                esi

        $sequence_4 = { 50 0fb6859cfaffff 50 8d45a8 }
            // n = 4, score = 1000
            //   50                   | push                eax
            //   0fb6859cfaffff       | movzx               eax, byte ptr [ebp - 0x564]
            //   50                   | push                eax
            //   8d45a8               | lea                 eax, dword ptr [ebp - 0x58]

        $sequence_5 = { 33c9 33c0 894df4 83c410 }
            // n = 4, score = 1000
            //   33c9                 | xor                 ecx, ecx
            //   33c0                 | xor                 eax, eax
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   83c410               | add                 esp, 0x10

        $sequence_6 = { 0f57c0 660f1345f8 e9b9000000 8b4dd0 }
            // n = 4, score = 1000
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f1345f8           | movlpd              qword ptr [ebp - 8], xmm0
            //   e9b9000000           | jmp                 0x4075a0
            //   8b4dd0               | mov                 ecx, dword ptr [ebp - 0x30]

        $sequence_7 = { 50 68acff0ddd 50 e8e20cffff }
            // n = 4, score = 1000
            //   50                   | push                eax
            //   68acff0ddd           | push                0xdd0dffac
            //   50                   | push                eax
            //   e8e20cffff           | call                0x4031e5

        $sequence_8 = { 50 e8cb41ffff 6a00 6a00 }
            // n = 4, score = 1000
            //   50                   | push                eax
            //   e8cb41ffff           | call                0x404cbf
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_9 = { 50 ff55f8 8bf0 83feff }
            // n = 4, score = 1000
            //   50                   | push                eax
            //   ff55f8               | call                dword ptr [ebp - 8]
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, 0xff

    condition:
        7 of them
}
Download all Yara Rules