The LokiBot malware family has been given a significant upgrade with the ability to hide its source code in image files on infected machines.
Known as steganography, the technique is used to hide messages or codes within various file formats, including .txt, .jpg, .rtf, and some video formats.
While this practice can be implemented for legitimate purposes, such as the protection of files on intellectual property and copyright grounds, attackers can also embed files with triggers to hide source code and malware functionality.
The developers of LokiBot have realized the potential of steganography for concealment. Trend Micro researchers Miguel Ang, Erika Mendoza, and Jay Yaneza said this week that a new variant of the malware uses the technique to hide its code.
During recent campaigns, the variant has hidden encrypted binaries inside .png files, found within malicious archive files attached to phishing emails.
Trend Micro came across a sample in a phishing email sent to a company in Southeast Asia. The sample phishing email contained a Microsoft Word .doc attachment containing two objects, a Microsoft Excel 97-2003 Worksheet and a package labeled 'package.json.' A scan on VirusTotal uncovered other, similar samples containing steganographic elements.
If a malicious file is opened, a script will install the malware as a .exe file in a temporary folder, alongside a .jpg file containing LokiBot source code.
"One characteristic of the image file that we found interesting is that it can actually be opened as an image," the researchers note. "However, it also contains data that LokiBot references in its unpacking routine.'
The malware's loader will search for a particular string -- or "marker" -- within the image file, which begins the decryption process. Standard decryption, such as the AES ciphers, is not used; instead, the researchers say the malware uses its "own method of decryption" instead.
The decrypted content is then unpacked and loaded in memory, launching the malware on the target system.
"One likely reason for this particular variant's reliance on steganography is that it adds another layer of obfuscation -- wscript (the VBS file interpreter) is used to execute the malware instead of the actual malware executing itself," Trend Micro says. "Since the autostart mechanism uses a script, future variants can choose to change the persistence method by modifying the script file on the fly."
LokiBot is able to steal information, act as a keylogger, and can establish backdoors in Windows systems to both maintain persistence and send stolen data to the attacker's command-and-control (C2) server.
The researchers say that the new strain of LokiBot has been spotted in phishing emails sent to members of at least 56 organizations.
"As one of the most active information stealers in the wild today, LokiBot shows no signs of slowing down," Trend Micro says. "The updates to its persistence and obfuscation mechanisms show that LokiBot is still being updated and will likely remain a threat to be dealt with in the near future."
Previous and related coverage
- Microsoft launches Azure Security Lab, expands bug bounty rewards
- MegaCortex ransomware slams enterprise firms with $5.8 million blackmail demands
- Google, Arm team up to tackle memory vulnerabilities through MTE
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0