157-Year-Old Lincoln College Succumbed To A Ransomware Attack
By |
157-Year-Old Lincoln College Succumbed To A Ransomware Attack Read More »
Original release date: September 22, 2020
This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise frameworks for all referenced threat actor techniques.
This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions by the Multi-State Information Sharing & Analysis Center (MS-ISAC).
CISA has observed a notable increase in the use of LokiBot malware by malicious cyber actors since July 2020. Throughout this period, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected persistent malicious LokiBot activity. LokiBot uses a credential- and information-stealing malware, often sent as a malicious attachment and known for being simple, yet effective, making it an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.
LokiBot—also known as Lokibot, Loki PWS, and Loki-bot—employs Trojan malware to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials.
Figure 1: MITRE ATT&CK enterprise techniques used by LokiBot
Since LokiBot was first reported in 2015, cyber actors have used it across a range of targeted applications, including the following.
According to MITRE, LokiBot uses the ATT&CK techniques listed in table 1.
Table 1: LokiBot ATT&CK techniques
Technique |
Use |
---|---|
System Network Configuration Discovery [T1016] |
LokiBot has the ability to discover the domain name of the infected host. |
Obfuscated Files or Information [T1027] |
LokiBot has obfuscated strings with base64 encoding. |
Obfuscated Files or Information: Software Packing [T1027.002] |
LokiBot has used several packing methods for obfuscation. |
System Owner/User Discovery [T1033] |
LokiBot has the ability to discover the username on the infected host. |
Exfiltration Over C2 Channel [T1041] |
LokiBot has the ability to initiate contact with command and control to exfiltrate stolen data. |
Process Injection: Process Hollowing [T1055.012] |
LokiBot has used process hollowing to inject into legitimate Windows process vbc.exe. |
Input Capture: Keylogging [T1056.001] |
LokiBot has the ability to capture input on the compromised host via keylogging. |
Application Layer Protocol: Web Protocols [T1071.001] |
LokiBot has used Hypertext Transfer Protocol for command and control. |
System Information Discovery [T1082] |
LokiBot has the ability to discover the computer name and Windows product name/version. |
User Execution: Malicious File [T1204.002] |
LokiBot has been executed through malicious documents contained in spearphishing emails. |
Credentials from Password Stores [T1555] |
LokiBot has stolen credentials from multiple applications and data sources including Windows operating system credentials, email clients, File Transfer Protocol, and Secure File Transfer Protocol clients. |
Credentials from Password Stores: Credentials from Web Browsers [T1555.003] |
LokiBot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and Chromium and Mozilla Firefox-based web browsers. |
Hide Artifacts: Hidden Files and Directories [T1564.001] |
LokiBot has the ability to copy itself to a hidden file and directory. |
CISA developed the following Snort signature for use in detecting network activity associated with LokiBot activity.
CISA and MS-ISAC recommend that federal, state, local, tribal, territorial government, private sector users, and network administrators consider applying the following best practices to strengthen the security posture of their organization’s systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.
For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.
Center for Internet Security Security Event Primer – Malware: https://www.cisecurity.org/white-papers/security-event-primer-malware/
MITRE ATT&CK – LokiBot: https://attack.mitre.org/software/S0447/
MITRE ATT&CK for Enterprise: https://attack.mitre.org/matrices/enterprise/
This product is provided subject to this Notification and this Privacy & Use policy.
157-Year-Old Lincoln College Succumbed To A Ransomware Attack Read More »
AA22-117A: 2021 Top Routinely Exploited Vulnerabilities Read More »
Can Ransomware Spread Through Business WiFi Networks? Read More »
AA22-110A: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure Read More »