CISA warns of notable increase in LokiBot malware

"CISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020."
Written by Catalin Cimpanu, Contributor

The US government's cyber-security agency has issued a security advisory today warning federal agencies and the private sector about "a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020."

The Cybersecurity and Infrastructure Security Agency (CISA) said that its in-house security platform (the EINSTEIN Intrusion Detection System) has detected persistent malicious activity traced back to LokiBot infections.

The July spike in LokiBot activity seen by CISA was also confirmed by the Malwarebytes Threat Intelligence team, which told ZDNet in an interview today that they've also seen a similar spike in LokiBot infections over the past three months.

Image: Malwarebytes (supplied)

This is a cause of alarm as LokiBot is one of today's most dangerous and widespread malware strains. Also known as Loki or Loki PWS, the LokiBot trojan is a so-called "information stealer."

It works by infecting computers and then using its built-in capabilities to search for locally installed apps and extract credentials from their internal databases.

By default, LokiBot can target browsers, email clients, FTP apps, and cryptocurrency wallets.

However, the malware is far more than a mere infostealer. Across time, LokiBot evolved and now also comes with a real-time key-logging component to capture keystrokes and steal passwords for accounts that aren't always stored in a browser's internal database, and a desktop screenshot utility to capture documents after they've been opened on the victim's computer.

Furthermore, LokiBot also functions as a backdoor, allowing hackers to run other pieces of malware on infected hosts, and potentially escalate attacks.

The malware made its debut in the mid-2010s when it was first offered for sale on underground hacking forums. Since then, the LokiBot malware has been pirated and broadly distributed for free for years, becoming one of today's most popular password stealers, primarily among groups of low- and medium-skilled threat actors.

Multiple groups are currently distributing the malware, via a wide variety of techniques, from email spam to cracked installers and boobytrapped torrent files.

In terms of prevalence and numbers, SpamHaus ranked LokiBot as the malware strain with the most active command-and-control (C&C) servers in 2019. In the same ranking, LokiBot is currently second in the first half of 2020 [PDF].

LokiBot also ranks third on AnyRun's all-time ranking of the most analyzed malware strains on its malware sandboxing service.

Credentials stolen via LokiBot usually end up on underground marketplaces like Genesis, where KELA believes LokiBot is the second most popular type of malware that supplies the store.

The CISA LokiBot advisory published today contains detection and mitigation advice on dealing with LokiBot attacks and infections. Additional resources for studying and learning about LokiBot are available on its Malpedia entry.

LokiBot should not be confused with a similarly named, now-defunct Android trojan.

The 15 top malware threats facing you and your organisation

Editorial standards