LokiBot trojan malware campaign comes disguised as a popular game launcher

The latest version of the information-stealing trojan malware is likely spammed out to victims in bulk, and uses a clever trick to bypass security software.
Written by Danny Palmer, Senior Writer

Cyber criminals are distributing a powerful form of trojan malware to victims by disguising it as a launcher for one of the world's most popular video games.

LokiBot trojan malware first emerged in 2015 and remains very popular among cyber criminals as a means of creating a backdoor into infected Windows systems. It steals sensitive information from victims – including usernames, passwords, bank details and the contents of cryptocurrency wallets – via the use of a keylogger that monitors browser and desktop activity.

Now a new LokiBot campaign is attempting to infect users by impersonating the launcher for Epic Games, the developer behind highly popular online multiplayer video game Fortnite.

This newly uncovered LokiBot campaign has been discovered and detailed by cybersecurity researchers at Trend Micro, who note that it uses an unusual installation routine to help avoid detection by antivirus software.


Researchers told ZDNet that they believe the fake downloader is distributed via spam phishing emails sent out in bulk to potential targets, as this is historically the most common way for LokiBot attacks to begin.  

Downloading and running the false Epic Games launcher, which uses the company logo to look legitimate, will initiate the infection process. This begins with the malware dropping two separate files – a C# source code file and a .NET executable – into the app data directory of the machine.

The C# source code is heavily obfuscated, padded with portions of junk code that serve no functional purpose but help the LokiBot installer evade detection by security software on the machine.

Once inside the system, the .NET file reads and compiles the C# code, then decrypts the result and executes LokiBot itself on the infected machine. This provides the attacker with the backdoor required to steal information, monitor activity, install other malware and carry out other malicious actions.
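The two-stage drop described above lends itself to simple host-level detection. The following Python script is an added illustration, not code from the ZDNet article or from Trend Micro's research. It runs two heuristics over a constructed, simplified JSON-lines event log (not a real Sysmon or EDR export): first, a single process writing both a .cs source file and an executable into a user's AppData directory within a short window; second, the .NET C# compiler csc.exe being launched by a parent that itself lives under AppData. The second heuristic assumes that runtime compilation shells out to csc.exe, which is how the .NET Framework's CodeDOM compiler behaves; all paths, file names, process IDs and timestamps below are invented for the example.

```python
"""Detection heuristics for a LokiBot-style installer: a C# source file plus a
.NET executable dropped into AppData, followed by runtime compilation via csc.exe.
Added example code; the event schema and every value below are constructed."""
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed events in a simplified, generic schema (not a real EDR export).
SAMPLE_EVENTS = [
    {"type": "process_create", "ts": 100, "pid": 4321,
     "image": r"C:\Users\alice\Downloads\EpicGamesLauncher.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file_create", "ts": 104, "pid": 4321,
     "image": r"C:\Users\alice\Downloads\EpicGamesLauncher.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Loader\Payload.cs"},
    {"type": "file_create", "ts": 105, "pid": 4321,
     "image": r"C:\Users\alice\Downloads\EpicGamesLauncher.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Loader\Loader.exe"},
    {"type": "process_create", "ts": 107, "pid": 5555,
     "image": r"C:\Users\alice\AppData\Roaming\Loader\Loader.exe",
     "parent_image": r"C:\Users\alice\Downloads\EpicGamesLauncher.exe"},
    {"type": "process_create", "ts": 108, "pid": 5602,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\Loader\Loader.exe"},
    # Benign noise: a developer saving source in a repository and a normal build.
    {"type": "file_create", "ts": 300, "pid": 7001,
     "image": r"C:\Program Files\VisualStudio\devenv.exe",
     "target": r"C:\Users\alice\source\repos\App\Program.cs"},
    {"type": "process_create", "ts": 301, "pid": 7050,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Program Files\VisualStudio\MSBuild\MSBuild.exe"},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


def is_under_appdata(path):
    """True if any directory component of the Windows path is AppData (case-insensitive)."""
    return "appdata" in (p.lower() for p in PureWindowsPath(path).parts)


def basename(path):
    """Lower-cased final path component, so comparisons ignore case."""
    return PureWindowsPath(path).name.lower()


def find_source_and_exe_drops(events, window_seconds=60):
    """Flag a process that writes both a .cs file and an .exe under AppData within the window."""
    writes = defaultdict(list)
    for e in events:
        if e.get("type") == "file_create" and is_under_appdata(e["target"]):
            writes[e["pid"]].append(e)
    findings = []
    for pid, evs in writes.items():
        sources = [e for e in evs if basename(e["target"]).endswith(".cs")]
        exes = [e for e in evs if basename(e["target"]).endswith(".exe")]
        for s in sources:
            for x in exes:
                if abs(s["ts"] - x["ts"]) <= window_seconds:
                    findings.append({"pid": pid, "image": s["image"],
                                     "source": s["target"], "executable": x["target"]})
    return findings


def find_appdata_compiler_spawns(events):
    """Flag csc.exe launched by a parent executable that itself lives under AppData."""
    return [{"pid": e["pid"], "parent_image": e["parent_image"], "ts": e["ts"]}
            for e in events
            if e.get("type") == "process_create"
            and basename(e["image"]) == "csc.exe"
            and is_under_appdata(e["parent_image"])]


def analyze(log_lines):
    """Parse JSON-lines events and return findings from both heuristics."""
    events = [json.loads(line) for line in log_lines]
    return {"source_exe_pairs": find_source_and_exe_drops(events),
            "compiler_spawns": find_appdata_compiler_spawns(events)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG_LINES).items():
        for hit in hits:
            print(kind, hit)
```

Run against the constructed log, the script reports one source/executable pair written by the fake launcher and one csc.exe launch parented by the dropped loader, while the developer's repository save and the MSBuild-driven compile are left alone. In a real deployment the AppData and csc.exe checks would be tuned against legitimate runtime-compilation traffic (some installers and frameworks do compile at run time), so they are better treated as a correlation signal than as a standalone block rule.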

Despite being five years old, LokiBot remains a prolific malware threat, partially because, early in its life, the underlying code was leaked, giving cyber criminals the opportunity to develop their own versions of the malware. This could then be sold on underground forums 'as-a-service', for low-level hackers to use in their own attacks.


This latest version of LokiBot suggests that the malware will remain a threat for some time to come.

"Consistently among the most active infostealers in the wild, these tweaks to its installation and obfuscation mechanisms indicate that LokiBot is not about to slow down in the near future," Trend Micro researchers wrote in a blog post.

To protect against LokiBot and other malware attacks, it's recommended that users only download software and attachments from trusted sources, and that organisations deploy security tooling capable of detecting potential threats on their networks.
