CISA Warns of Uptick in LokiBot Stealer

The United States Cybersecurity and Infrastructure Security Agency (CISA) has released an alert warning of a notable increase in activity by the LokiBot information-stealing trojan since July 2020. LokiBot targets Windows and Android endpoints and is distributed mainly through malicious email attachments, but it has also been delivered through malicious websites, text messages, and other messaging platforms. The malware uses a keylogger to monitor browser and desktop activity, with the goal of stealing credentials and other personal information from the victim. LokiBot can also act as a backdoor, giving the threat actors access to infected systems and the ability to deploy additional payloads. The trojan has been modified many times and uses a variety of disguises to evade detection, including steganography to hide its payload from inspection. LokiBot harvests credentials from a wide range of applications, and campaigns using it have frequently succeeded, which makes each infection all the more damaging.

Analyst Notes

LokiBot is sold on many underground marketplaces for around $300. That low price makes it a common tool across many different threat actors. To defend against LokiBot, keep systems fully patched, scan incoming email for risky attachments and links, and monitor endpoints for unusual or suspicious processes spawned when a user opens a file from an email attachment (for example, a mail client or Office application launching a script interpreter). Enforce multi-factor authentication and strong passwords so that stolen credentials alone are not enough for a successful login. User education plays a crucial role in organizations of all sizes; teaching employees to recognize phishing lures stops many of these attacks before they begin. Where the services are not needed, disable file and printer sharing on workstations to reduce the ways an attacker who has compromised one workstation with LokiBot can reach others. It is a best practice to host file and printer shares only on servers and not to allow direct workstation-to-workstation communication.
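The endpoint-monitoring recommendation above is easiest to act on as a hunt over process-creation telemetry. The following is an added example written for this page, not code from CISA or from the original advisory. It assumes Windows process-creation events (Sysmon Event ID 1 style fields: Image, ParentImage, ProcessId, EventID) have been exported as JSON lines, and it flags three patterns typical of email-borne loaders: a mail client spawning a script interpreter or LOLBin, an executable running directly from the Outlook attachment cache or the user's temp directory, and an Office application spawning an interpreter. The log lines, process names, and directory list are constructed for illustration and should be tuned to your environment.

```python
"""Hunt process-creation logs for children of mail clients that look like
an email-borne loader. Added example; not from the original advisory."""
import json
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Assumptions: tune these sets to the mail clients and tooling in use.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
# Directories where opened attachments are staged (lower-cased substrings).
ATTACHMENT_DIRS = (
    "\\appdata\\local\\microsoft\\windows\\inetcache\\content.outlook\\",
    "\\appdata\\local\\temp\\",
)

# Constructed sample log: five Sysmon-style Event ID 1 records as JSON lines.
# Lines 1-2 are benign (Outlook opening a browser and Word), line 3 is Word
# spawning PowerShell, line 4 is an .exe launched from the attachment cache,
# and line 5 is PowerShell started by Explorer (not flagged).
SAMPLE_LOG = r"""
{"UtcTime":"2020-09-22 14:02:11","EventID":1,"ProcessId":4120,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"UtcTime":"2020-09-22 14:03:40","EventID":1,"ProcessId":4388,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"UtcTime":"2020-09-22 14:03:52","EventID":1,"ProcessId":4402,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -w hidden -enc SQBFAFgA","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"UtcTime":"2020-09-22 14:10:05","EventID":1,"ProcessId":5016,"Image":"C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\K7R2P9QA\\invoice_0922.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"UtcTime":"2020-09-22 14:15:30","EventID":1,"ProcessId":5120,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell Get-Service","ParentImage":"C:\\Windows\\explorer.exe"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the process-creation event is suspicious."""
    parent = basename(event.get("ParentImage", ""))
    image_path = event.get("Image", "")
    image = basename(image_path)
    if parent in MAIL_CLIENTS and image in SUSPICIOUS_CHILDREN:
        return "mail-client-spawned-interpreter"
    if parent in MAIL_CLIENTS and any(d in image_path.lower() for d in ATTACHMENT_DIRS):
        return "executable-launched-from-attachment-cache"
    if parent in OFFICE_APPS and image in SUSPICIOUS_CHILDREN:
        return "office-app-spawned-interpreter"
    return None


def hunt(log_text: str) -> List[Tuple[int, str]]:
    """Parse JSON lines and return (ProcessId, reason) for each suspicious event.

    Blank or malformed lines are skipped so one bad record does not abort
    the whole hunt; only process-creation events (EventID 1) are considered.
    """
    hits: List[Tuple[int, str]] = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if event.get("EventID") != 1:
            continue
        reason = classify(event)
        if reason:
            hits.append((event.get("ProcessId"), reason))
    return hits


if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE_LOG):
        print(f"PID {pid}: {reason}")
```

Run against the constructed sample, the hunt flags PID 4402 (Word launching PowerShell) and PID 5016 (an executable started from the Content.Outlook cache) and ignores the benign Outlook-to-Chrome, Outlook-to-Word and Explorer-to-PowerShell events. In production, feed it your real process-creation export and expect to add exclusions for legitimate automation that runs from a mail client.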

More can be read: