LokiBot malware now hides its source code in image files

The sophisticated malware has been upgraded to hide its source code in seemingly innocent images.
Written by Charlie Osborne, Contributing Writer

The LokiBot malware family has been given a significant upgrade with the ability to hide its source code in image files on infected machines. 

Known as steganography, the technique is used to hide messages or codes within various file formats, including .txt, .jpg, .rtf, and some video formats. 

While this practice can be implemented for legitimate purposes, such as the protection of files on intellectual property and copyright grounds, attackers can also embed files with triggers to hide source code and malware functionality. 

The developers of LokiBot have realized the potential of steganography for concealment. Trend Micro researchers Miguel Ang, Erika Mendoza, and Jay Yaneza said this week that a new variant of the malware uses the technique to hide its code.

During recent campaigns, the variant has hidden encrypted binaries inside .png files, found within malicious archive files attached to phishing emails. 

See also: Cyberattacks against industrial targets have doubled over the last 6 months

Trend Micro came across a sample in a phishing email sent to a company in Southeast Asia. The sample phishing email contained a Microsoft Word .doc attachment containing two objects, a Microsoft Excel 97-2003 Worksheet and a package labeled 'package.json.' A scan on VirusTotal uncovered other, similar samples containing steganographic elements. 

If a malicious file is opened, a script will install the malware as a .exe file in a temporary folder, alongside a .jpg file containing LokiBot source code. 

"One characteristic of the image file that we found interesting is that it can actually be opened as an image," the researchers note. "However, it also contains data that LokiBot references in its unpacking routine.'


The malware's loader will search for a particular string -- or "marker" -- within the image file, which begins the decryption process. Standard decryption, such as the AES ciphers, is not used; instead, the researchers say the malware uses its "own method of decryption" instead.

CNET: Huawei ban: Full timeline on how and why its phones are under fire

The decrypted content is then unpacked and loaded in memory, launching the malware on the target system. 

"One likely reason for this particular variant's reliance on steganography is that it adds another layer of obfuscation -- wscript (the VBS file interpreter) is used to execute the malware instead of the actual malware executing itself," Trend Micro says. "Since the autostart mechanism uses a script, future variants can choose to change the persistence method by modifying the script file on the fly."

LokiBot is able to steal information, act as a keylogger, and can establish backdoors in Windows systems to both maintain persistence and send stolen data to the attacker's command-and-control (C2) server. 

TechRepublic: Slack's new security features give enterprise admins more control over data

The researchers say that the new strain of LokiBot has been spotted in phishing emails sent to members of at least 56 organizations. 

"As one of the most active information stealers in the wild today, LokiBot shows no signs of slowing down," Trend Micro says. "The updates to its persistence and obfuscation mechanisms show that LokiBot is still being updated and will likely remain a threat to be dealt with in the near future."

How to discover and destroy spyware on your smartphone (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards