LokiBot Impersonating Epic Games Launcher - Binary Defense


LokiBot Impersonating Epic Games Launcher

Researchers at Trend Micro have recently discovered a LokiBot variant disguising itself as the Epic Games Launcher. The variant uses the open-source NSIS (Nullsoft Scriptable Install System) to create an installer application with the Epic Games logo, to convince victims that they are installing the legitimate application from Epic Games. According to Trend Micro, the malicious installer drops a .NET executable file alongside a file with C# source code in the %APPDATA% directory. The .NET executable is a heavily obfuscated binary designed to read, deobfuscate, compile, and launch the C# source file. The last phase of the infection chain is to drop the final LokiBot payload.
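A detection sketch for the drop behaviour described above, added here as an example and not taken from Trend Micro or Binary Defense: it flags a process that writes both an .exe and a .cs file into the same %APPDATA% directory within a short window. The event fields (shaped like Sysmon file-creation events), the file names and the 60-second window are assumptions, and the sample events are constructed.

```python
import ntpath
from collections import defaultdict

# Constructed file-creation events (shaped like Sysmon Event ID 11); all names are made up.
SAMPLE_EVENTS = [
    {"t": 100, "image": r"C:\Users\bob\Downloads\EpicGamesLauncherSetup.exe",
     "target": r"C:\Users\bob\AppData\Roaming\helper.exe"},
    {"t": 101, "image": r"C:\Users\bob\Downloads\EpicGamesLauncherSetup.exe",
     "target": r"C:\Users\bob\AppData\Roaming\helper.cs"},
    # Benign: C# source written outside %APPDATA% by an editor.
    {"t": 200, "image": r"C:\Program Files\Editor\editor.exe",
     "target": r"C:\Users\bob\Documents\proj\Program.cs"},
    # Same process and directory, but the writes are ten minutes apart.
    {"t": 300, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Tool\tool.exe"},
    {"t": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Tool\notes.cs"},
]

def in_roaming_appdata(path):
    # %APPDATA% normally resolves to C:\Users\<user>\AppData\Roaming
    return "\\appdata\\roaming\\" in path.lower()

def find_dropper_pairs(events, window_s=60):
    """Return (image, directory, exe, cs) tuples where one process wrote both a
    .exe and a .cs file into the same %APPDATA% directory within window_s seconds."""
    by_key = defaultdict(list)
    for ev in events:
        ext = ntpath.splitext(ev["target"])[1].lower()
        if ext in (".exe", ".cs") and in_roaming_appdata(ev["target"]):
            key = (ev["image"].lower(), ntpath.dirname(ev["target"]).lower())
            by_key[key].append((ev["t"], ext, ev["target"]))
    hits = []
    for (image, directory), writes in by_key.items():
        exes = [(t, p) for t, ext, p in writes if ext == ".exe"]
        srcs = [(t, p) for t, ext, p in writes if ext == ".cs"]
        for te, exe in exes:
            for ts, cs in srcs:
                if abs(te - ts) <= window_s:
                    hits.append((image, directory, exe, cs))
    return hits

if __name__ == "__main__":
    for image, directory, exe, cs in find_dropper_pairs(SAMPLE_EVENTS):
        print(f"{image} dropped {exe} and {cs} in {directory}")
```
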

ANALYST NOTES

LokiBot is typically delivered through spam messages; however, Epic Games will never email their user base with any kind of executable file. When in doubt, always go to the official website to download software.

Source: https://blog.trendmicro.com/trendlabs-security-intelligence/lokibot-impersonates-popular-game-launcher-and-drops-compiled-c-code-file/
