
LokiBot

Posted: February 24, 2017

Threat Metric

Ranking: 19,964
Threat Level: 8/10
Infected PCs: 183
First Seen: February 24, 2017
Last Seen: December 20, 2024
OS(es) Affected: Windows


LokiBot is a spyware program that can collect passwords, logins, and other information from your computer. LokiBot campaigns frequently use spam e-mails as their infection vector and create no visually detectable symptoms while collecting and transferring data. Let your anti-malware products detect and uninstall LokiBot automatically, and take appropriate precautions afterward to re-secure any vulnerable accounts.

Trickster-Gods in Your Inbox

LokiBot campaigns, while not necessarily the largest in the threat landscape, are highly regular incidents, with new attack attempts arriving each day. This spyware is available for rent on the dark Web, enabling criminals with no coding experience to collect information. It includes a wide array of data-exfiltration features that are useful against a variety of targets, including website administrators, business or government networks, and recreational Windows systems.

Different versions of LokiBot, which takes its name from Loki, the Norse trickster deity, install themselves through various methods, although malware experts trace all of them to spam e-mail attachments. LokiBot's core data-collection features include, but aren't limited to, the following:

  • LokiBot harvests usernames and passwords from the Windows Credential Manager, which can then be used to compromise other PCs on the same network.
  • LokiBot uses specialized functions for harvesting data from other applications, including most brands of Web browsers, many FTP clients, and different cryptocurrency wallets.
  • LokiBot also contains a keylogger function for capturing the user's keyboard input, which covers the typed information that isn't necessarily already captured from the previous applications.

Unlike some spyware types, LokiBot isn't a one-time-use application. It registers a mutex and auto-launches its executable from the AppData folder whenever a user logs in to Windows, which lets it keep harvesting confidential information and uploading it to the threat actor's server.

Keeping Ancient Myths from Snatching Your Data

Spam e-mails and their accompanying attachments and Web links are traditional infection vectors for threats besides spyware, including backdoor Trojans and file-locker Trojans like Hidden Tear. Malware analysts see few similarities between the tactics and disguises that LokiBot's campaigns use, likely because different threat actors are involved in the deployment. However, all variants so far either use Word macro-based installation exploits or attach the executable directly after compressing it into an archive, such as a ZIP file.

Users can hamper LokiBot's ability to upload the collected data by implementing firewall rules that block its known C&C domains, such as festy18.info. Without appropriate network-traffic restrictions, the spyware may compromise a range of targets, including Bitcoin wallets, FTP accounts, credit cards, and even other systems sharing the same network. As usual, malware experts rate the threat as Windows-specific, and OS-specific anti-malware protection should be in place to delete LokiBot before it attacks.

The average LokiBot installer can use advanced, document-based content or fake extensions on executables to trick users into compromising their PCs. Any download is only as trustworthy as its source, and forgetting that can bring a cascading series of issues involving virtually all of your information.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: ssx.exe
  Size: 671.74 KB (671744 bytes)
  MD5: f4f7713fec294c7344655c8ddded266b
  Detection count: 76
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file

File name: file.exe
  Size: 801.79 KB (801792 bytes)
  MD5: ac6829c09d6e1ff82721d99f219b6ce2
  Detection count: 50
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file

File name: w32host.exe
  Size: 747.52 KB (747520 bytes)
  MD5: f62ae3a83ae40c3503ea193581a82b78
  Detection count: 12
  File type: Executable File
  Mime Type: unknown/exe
  Path: %APPDATA%\Microsoft\WHost
  Group: Malware file
  Last Updated: October 28, 2017

File name: e2d21499979612e09f8df32bb97bc4e068926abfdff3bf6e3d451012dabe502d.exe
  Size: 2.25 MB (2257920 bytes)
  MD5: e07601974ced5b715dfde8e880f0e096
  Detection count: 9
  File type: Executable File
  Mime Type: unknown/exe
  Path: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  Group: Malware file
  Last Updated: April 23, 2018


Registry Modifications

The following newly produced Registry Values are:

Regexp file mask:
  • %APPDATA%\ASound.exe
  • %APPDATA%\Microsoft\WHost\w32host.exe
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vscdme.vbe
  • %APPDATA%\mixcver\vscdme.exe
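As an added defensive example (not code from the original page), the following Python helper checks a file inventory and DNS log lines against the indicators given above: the four MD5 hashes from the file list, the %APPDATA% persistence masks from the Registry section, and the C&C domain festy18.info named earlier. The log-line format and the sample paths and file contents are constructed for illustration.

```python
import hashlib
import re

# Indicators copied from the write-up above; everything else here is constructed.
KNOWN_MD5 = {
    "f4f7713fec294c7344655c8ddded266b", "ac6829c09d6e1ff82721d99f219b6ce2",
    "f62ae3a83ae40c3503ea193581a82b78", "e07601974ced5b715dfde8e880f0e096",
}
# Persistence file masks from the Registry section, kept in %APPDATA% form.
FILE_MASKS = {m.lower() for m in (
    r"%APPDATA%\ASound.exe",
    r"%APPDATA%\Microsoft\WHost\w32host.exe",
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vscdme.vbe",
    r"%APPDATA%\mixcver\vscdme.exe",
)}
C2_DOMAINS = {"festy18.info"}

# Concrete Roaming-profile prefix, so a real path can be folded back to %APPDATA%.
_ROAMING = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming", re.I)

def normalize_path(path: str) -> str:
    """Fold a concrete Roaming-profile path into the lower-cased %APPDATA% mask form."""
    return _ROAMING.sub("%APPDATA%", path.replace("/", "\\")).lower()

def match_file(path: str, content: bytes) -> list:
    """Reasons a file record matches the LokiBot indicators; empty list if none."""
    reasons = []
    if normalize_path(path) in FILE_MASKS:
        reasons.append("path matches a LokiBot persistence mask")
    if hashlib.md5(content).hexdigest() in KNOWN_MD5:
        reasons.append("MD5 matches a known LokiBot sample")
    return reasons

def match_dns(log_line: str) -> bool:
    """True when a 'query=<host>' log line targets a known C&C domain or a subdomain of it."""
    m = re.search(r"query=([\w.-]+)", log_line)
    if not m:
        return False
    host = m.group(1).lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

if __name__ == "__main__":
    # Constructed sample inventory and DNS log lines (not from the original page).
    files = [(r"C:\Users\alice\AppData\Roaming\Microsoft\WHost\w32host.exe", b"MZ..."),
             (r"C:\Users\alice\AppData\Roaming\notes.txt", b"hello")]
    for path, blob in files:
        print(path, "->", match_file(path, blob) or "clean")
    for line in ("client=10.0.0.5 query=festy18.info type=A",
                 "client=10.0.0.5 query=example.com type=A"):
        print(line, "-> C&C contact" if match_dns(line) else "-> ok")
```

A hit on a persistence mask alone is worth triage even when the hash is unknown, since the hashes cover only the four samples listed while the file paths survive recompilation.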
