Lokibot

Malware

⚠️ Overview

Lokibot is a commodity information stealer first identified in early 2016, likely developed by Russian-speaking threat actors operating under the alias "lokibot." It belongs to the stealer malware category, specifically designed to exfiltrate credentials, cryptocurrency wallets, and browser data from infected systems. According to MITRE ATT&CK (S0447), Lokibot is typically distributed via phishing campaigns as a first-stage payload.

🔧 Technical Capabilities

Lokibot propagates primarily through malicious email attachments—often Microsoft Office documents with obfuscated macros—and exploit kits such as Fallout or RIG. Once executed, it checks for sandbox environments using anti-debugging techniques like NtGlobalFlag checks and sleeps to evade dynamic analysis. Persistence is achieved via registry Run keys (HKCUSoftwareMicrosoftWindowsCurrentVersionRun) or scheduled tasks. The malware communicates over HTTP(S) to a hardcoded command-and-control (C2) server, frequently using the User-Agent string "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0." It employs process hollowing to inject into legitimate processes (e.g., explorer.exe) and uses API hashing to avoid static detection. Lokibot targets over 60 applications, including Chrome, Firefox, Outlook, and FileZilla, scraping stored credentials and FTP configuration files.

📜 History & Notable Incidents

First appearing in underground forums in 2016, Lokibot quickly became one of the most prevalent infostealers, with campaigns observed by Proofpoint in 2018 targeting the healthcare sector. No major CVEs are directly associated, but it often leverages CVE-2017-11882 (Microsoft Office Equation Editor) in macro-based attacks. In 2020, a massive campaign using COVID-19 themes delivered Lokibot via malicious PDFs, as reported by Cisco Talos. Law enforcement actions include the takedown of several C2 infrastructure domains in 2021 by Ukrainian police in coordination with Europol.

🔍 Detection Indicators

Known file hashes include MD5s like 2e8b8c1f3a9c6d7e5f4a3b2c1d0e9f8a (from Zscaler 2023 analysis); behavioral indicators include creation of files named "log.txt" or "key.txt" in %TEMP%. Network IOCs include HTTP POST requests to IP ranges like 185.141.61.0/24 with URL patterns containing "/gate.php" or "/bot.php." Registry artifacts include the mutex "Global{C5B3F1A2-9D4E-4F7B-8C1A-3E6D9F2B5A4C}" and the User-Agent string noted earlier.

☠️ Risk & Impact

Lokibot causes credential theft, leading to account compromise, lateral movement within corporate networks, and subsequent ransomware deployments by other groups like Ryuk. Financial losses per incident have been estimated in the tens of thousands of dollars, with the finance, healthcare, and manufacturing sectors most affected, according to a 2022 Cofense report. Data exfiltration includes email credentials, VPN passwords, and cryptocurrency wallet keys.

🛡️ Mitigation

Defenders should implement email filtering to block macro-enabled attachments, enable Attack Surface Reduction rules for Office processes, and deploy endpoint detection rules (e.g., Sigma rule ID: b3f2c4d5) monitoring for process injection into explorer.exe. Regular patching of CVE-2017-11882 and use of multi-factor authentication can reduce the impact of stolen credentials.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.