Researchers at Trend Micro have recently discovered a LokiBot variant disguising itself as the Epic Games Launcher. The variant uses the open-source NSIS (Nullsoft Scriptable Install System) to create an installer application bearing the Epic Games logo, to convince victims that they are installing the legitimate application from Epic Games. According to Trend Micro, the malicious installer drops a .NET executable file alongside a file containing C# source code in the %APPDATA% directory. The .NET executable is a heavily obfuscated binary designed to read, deobfuscate, compile, and launch the C# source file. The last phase of the infection chain drops the final LokiBot payload.
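The drop pattern described above (one installer writing both an executable and a C# source file under %APPDATA%) can be hunted for in file-creation telemetry. The following is an added example, not code from Trend Micro or from the original page; the event fields, the paths, and the 60-second correlation window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import dirname, splitext  # Windows path rules on any OS

# Constructed file-creation events (shaped loosely like Sysmon Event ID 11).
# Every path, name and timestamp here is made up for illustration.
EVENTS = [
    {"time": "2020-02-10T09:15:01", "image": r"C:\Users\al\Downloads\launcher_setup.exe",
     "target": r"C:\Users\al\AppData\Roaming\helper.exe"},
    {"time": "2020-02-10T09:15:02", "image": r"C:\Users\al\Downloads\launcher_setup.exe",
     "target": r"C:\Users\al\AppData\Roaming\helper.cs"},
    {"time": "2020-02-10T10:00:00", "image": r"C:\Program Files\IDE\ide.exe",
     "target": r"C:\Users\al\source\repos\app\Program.cs"},
    {"time": "2020-02-10T11:00:00", "image": r"C:\Users\al\Downloads\tool_setup.exe",
     "target": r"C:\Users\al\AppData\Roaming\Tool\tool.exe"},
]

WINDOW = timedelta(seconds=60)  # assumed correlation window


def find_exe_with_source_drops(events, window=WINDOW):
    """Return (image, directory) pairs where one process wrote both an .exe
    and a .cs file into the same AppData directory within `window`."""
    groups = defaultdict(list)
    for ev in events:
        target = ev["target"].lower()
        if "\\appdata\\" not in target:
            continue  # only writes under a user's AppData tree are of interest
        ext = splitext(target)[1]
        if ext in (".exe", ".cs"):
            key = (ev["image"].lower(), dirname(target))
            groups[key].append((datetime.fromisoformat(ev["time"]), ext))
    hits = []
    for key, writes in groups.items():
        exes = [t for t, e in writes if e == ".exe"]
        srcs = [t for t, e in writes if e == ".cs"]
        # Flag only when both file types appear close together in time.
        if any(abs(a - b) <= window for a in exes for b in srcs):
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    for image, directory in find_exe_with_source_drops(EVENTS):
        print(f"review: {image} dropped .exe and .cs into {directory}")
```

A hit is a lead for triage rather than a verdict, since the pairing alone does not identify the payload.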