Introduction
LokiBot first surfaced on hacker forums in 2015 as an information stealer and keylogger, and it has gained many capabilities since. It has been observed abusing Windows Installer for its installation and arriving through malspam campaigns that carry malicious ISO files as attachments. It has added persistence and detection-evasion mechanisms and can use steganography to hide its code. It initially targeted Bitcoin wallets as well, but the malware's core purpose is to collect credentials and security tokens from an infected machine running a Windows operating system. Upon execution, LokiBot uses process hollowing to unpack its payload in memory while masquerading as a legitimate Microsoft Windows application. It targets many applications for credential theft, including Mozilla Firefox, Google Chrome, Thunderbird, and FTP and SFTP clients.
MITRE ATT&CK Table
The following is a list of MITRE ATT&CK techniques observed in our analysis of this malware.
Analysis Report of LokiBot
File Identity:

| Property | Value |
|---|---|
| File Name | frega.exe |
| File Type | Executable |
| File Info | Portable Executable 32 |
| File Size | 273.08 KB (279635 bytes) |
| MD5 | 79913A41B0AA377D2E31EF8ED0CE94E8 |
| SHA-1 | 1D53F8C2D71137A891620A778C9CFE6BD2B1D97E |
| SHA-256 | E90AFB5E8DB6F087A07263FA3814F1CE4B82472418331B910884A5AE7D27D467 |
| VirusTotal Score | 23/73 |
| Hybrid Analysis Score | 60% |

| Property | Value |
|---|---|
| File Name | Anametaphor.dll |
| File Type | Dynamic Link Library |
| File Info | PE Library |
| File Size | 19.00 KB (19000 bytes) |
| MD5 | eca4d3581bfee01fbbdfab46e73b8afb |
| SHA-1 | 38b63ea322bd5f9b5ca14046a42f7ee25cf357d1 |
| SHA-256 | 2d4b4f73706eb3753f57ecf1e83e4ae68b8c07c72fe64a2aa2b0d80e5f64b7b3 |
| VirusTotal Score | 30/72 |
| Hybrid Analysis Score | 80% |
Summary of Analysis:
Detailed analysis of frega.exe shows that it carries embedded instructions to initiate a network connection, and registry changes were observed in parallel when the victim opens it. The binary also contains the string "http://nsis.sf.net/", which belongs to the Nullsoft Scriptable Install System (NSIS). NSIS is a third-party, widely allow-listed tool for building custom installers rather than a native Windows utility, and the string is part of the standard NSIS installer stub: frega.exe is an NSIS-built package, not a program that fetches NSIS from that URL.
Further analysis indicates that frega.exe acts as a first stage for the main malware. Immediately after execution it contacts its C&C server and downloads a text file listing further C&C servers. A cmd.exe process, started through rundll32.exe, was then observed communicating with a Russian C&C server.
Characteristics:
The following characteristics were observed in the .img attachment.
- When the victim mounts the IMG file, it is found to contain a single executable named 'frega.exe'.

- Static analysis shows that frega.exe carries several malicious indicators, described below:
- The assembly contains the URL "http://nsis.sf.net/", referenced near the program's starting point at address 0x0040A060.

- This URL belongs to the Nullsoft Scriptable Install System (NSIS), a third-party framework for building custom installer files that is not a native Windows component. Its presence in the stub means frega.exe was packaged with NSIS; the string is the stub's own reference to the NSIS project site, not a location the sample must download from. The screenshot below shows the hex dump address where the NSIS string is stored.

- The hex dump also contains the string "nsis.exe", as shown in the screenshot below:

- The embedded manifest XML requests execution level "asInvoker", meaning the program runs with the privileges of the user who launched it and does not request elevation.

- The raw strings from the hex dump include the registry path "Software\Microsoft\Windows\CurrentVersion". The autostart keys under this path (Run, RunOnce) are commonly used by attackers to persist their malicious programs.

On the basis of these static artefacts, frega.exe is assessed as a malicious Windows program.
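As an added example, not part of the Rewterz analysis, the Python below performs the same string-level triage on raw PE bytes: it checks for the NSIS stub marker, reads the manifest requestedExecutionLevel, and collects every CurrentVersion registry path, singling out the Run/RunOnce autostart keys. The SAMPLE buffer is constructed to carry the strings quoted above and is not the real frega.exe; reading wide (UTF-16LE) strings at both byte alignments and the autostart key list are the example's own assumptions.

```python
"""String-level triage of an NSIS-built dropper such as frega.exe.

Added example, not Rewterz's tooling.  SAMPLE is constructed to carry the
strings the report quotes from the hex dump; it is not the real binary.
Wide (UTF-16LE) strings are checked at both byte alignments, an
assumption made here because PE string tables are frequently wide.
"""
import re
from typing import Dict, List

# Strings the NSIS installer stub embeds in every package it builds.
NSIS_MARKERS = (b"Nullsoft Install System", b"http://nsis.sf.net/")
# requestedExecutionLevel from the embedded application manifest.
MANIFEST_RE = re.compile(rb'requestedExecutionLevel\s+level="([A-Za-z]+)"')
# Any path under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion.
REG_RE = re.compile(rb"(?i)software\\microsoft\\windows\\currentversion(?:\\[a-z0-9 _.-]+)*")
# Leaf keys under CurrentVersion that Windows executes at logon (persistence).
AUTOSTART_LEAVES = {"run", "runonce", "runservices", "runservicesonce"}

# Constructed stand-in for the sample: DOS stub, NSIS strings, manifest,
# one wide and one narrow registry path.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"Nullsoft Install System\x00"
    + b"http://nsis.sf.net/\x00"
    + b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
      b"<trustInfo><security><requestedPrivileges>"
      b'<requestedExecutionLevel level="asInvoker" uiAccess="false"/>'
      b"</requestedPrivileges></security></trustInfo></assembly>\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\x00"
)


def _wide_views(data: bytes) -> List[bytes]:
    """ASCII-only renderings of the buffer read as UTF-16LE at both alignments."""
    return [data[off:].decode("utf-16le", errors="ignore").encode("ascii", "ignore")
            for off in (0, 1)]


def triage(data: bytes) -> Dict[str, object]:
    """Collect stub marker, manifest level and CurrentVersion registry paths."""
    paths: List[str] = []
    for view in [data] + _wide_views(data):
        for m in REG_RE.finditer(view):
            path = m.group(0).decode("ascii")
            if path not in paths:
                paths.append(path)
    manifest = MANIFEST_RE.search(data)
    return {
        "nsis_stub": any(marker in data for marker in NSIS_MARKERS),
        "manifest_level": manifest.group(1).decode("ascii") if manifest else None,
        "registry_paths": paths,
        "persistence_paths": [p for p in paths
                              if p.lower().rsplit("\\", 1)[-1] in AUTOSTART_LEAVES],
    }


def explain(findings: Dict[str, object]) -> List[str]:
    """Turn the findings into the analyst notes the report draws from them."""
    notes: List[str] = []
    if findings["nsis_stub"]:
        notes.append("NSIS-built package; nsis.sf.net is the stub's own reference, "
                     "not a download the sample performs")
    if findings["manifest_level"] == "asInvoker":
        notes.append("manifest asInvoker: runs with the launching user's rights, "
                     "no elevation requested")
    for path in findings["persistence_paths"]:
        notes.append(f"autostart key referenced: {path}")
    return notes


if __name__ == "__main__":
    for note in explain(triage(SAMPLE)):
        print(note)
```

To run it against a real file, replace SAMPLE with `open(path, "rb").read()`; the narrow and wide scans are what a plain `strings` pass would give you, with the CurrentVersion hits already sorted into "any reference" versus "autostart key".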
Dependencies:
The following dependencies were observed for the malware:
- frega.exe is built with NSIS, a third-party, widely allow-listed installer framework; it relies on the NSIS stub it carries to unpack and launch its embedded components.
- It cannot function without AnaMetaphor.dll.
- It is designed to establish its C&C connection automatically as soon as infection occurs.
- It is designed for, and only runs in, a Windows environment.
The complete process graph for this attack is shown below.

Behavioral Findings through Analysis:
The following behaviour was observed:
- On execution, frega.exe attempts an HTTP connection to "http://egamcorps.ga/~zadmin/lmark/frega/mode.php", which appears to be its C&C endpoint.

Additionally, frega.exe automatically downloads a text file containing a list of command-and-control servers; the domain above also appears in that file.

Several of the servers in that list fall within the same IP subnet, as observed in Wireshark.

- In the background, the file was seen communicating with the IP address 80.249.144.102, which is itself flagged as malicious.

- The URL the sample contacts is also reported as malicious by several threat-intelligence sources.

- The sample also modifies registry entries at several locations, as shown in the diagram below:

- Upon execution, frega.exe invokes rundll32.exe with the following parameters (DLL name and export):
- AnaMetaphor
- Pretor

- AnaMetaphor.dll was found in the %Temp% directory. Dropping components into temp directories is one of the most common techniques malware uses to stay out of sight.

- Disassembling Anametaphor.dll shows it resolving a series of Windows API functions by name at run time: each name is passed as the lpProcName argument of GetProcAddress, which returns the address of that export from a loaded module. Resolving imports this way keeps them out of the static import table. The lookups are shown in the diagram below:

Among those names we found Pretor, the export passed earlier on the rundll32.exe command line; rundll32.exe loads the DLL and calls that export. The remaining names are the API functions the DLL resolves for its own use.
- Among the processthreadsapi.h functions, the DLL resolves two undocumented internal routines, CreateProcessInternalA and CreateProcessInternalW, which sit beneath the public CreateProcessA/W in kernelbase.dll. Hooking them lets the malware intercept every process creation, consistent with the process-hollowing step described in the introduction.

The screenshots below show that Anametaphor.dll depends on kernelbase.dll.

- rundll32.exe then creates a child process, cmd.exe, as shown in the figure below:

- The cmd.exe process was observed communicating with a further Russian C&C server taken from the downloaded server list.

From the behavioural analysis we conclude that frega.exe contacts several C&C servers through rundll32.exe, passing its arguments on through a cmd.exe process. In our run, cmd.exe contacted 03u.ru, one of the Russian C&C servers in the list. That host was not reachable at the time of analysis, so frega.exe did not proceed any further.
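As an added detection example (not Rewterz's tooling), the Python below replays constructed Sysmon-style process-create and network-connect events that mirror the chain described above and raises alerts for rundll32.exe loading a DLL from %Temp%, cmd.exe spawned by rundll32.exe, and any connection to the network indicators quoted in this report; `kill_set` then returns every process in the alerted lineage, which is the process-tree termination step under Remediation. The `<dll>,<export>` command-line layout, the file paths, the PIDs and the pairing of 03u.ru with 84.38.183.246 in the sample events are assumptions made for the example.

```python
"""Replay constructed process/network events and flag the frega.exe chain.

Added example, not Rewterz's tooling.  Event 1 = process create,
event 3 = network connect (Sysmon numbering).  The command-line layout,
paths, PIDs and IP/host pairing below are assumptions for illustration.
"""
import re
from typing import Dict, List, Set, Tuple

# Network indicators quoted in the report.
IOCS: Set[str] = {"egamcorps.ga", "03u.ru", "80.249.144.102", "84.38.183.246"}

# DLL path under a user or system temp directory.
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# rundll32 [path\]dll,export  (layout assumed for the example).
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\w+)', re.IGNORECASE)

Event = Dict[str, object]
Alert = Tuple[str, int, str]  # (rule, pid, detail)

# Constructed telemetry mirroring the observed chain; not real captures.
EVENTS: List[Event] = [
    {"id": 1, "pid": 4120, "ppid": 3300, "image": r"C:\Users\victim\Desktop\frega.exe",
     "cmdline": r'"C:\Users\victim\Desktop\frega.exe"'},
    {"id": 3, "pid": 4120, "dst_ip": "80.249.144.102", "dst_host": "egamcorps.ga"},
    {"id": 1, "pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\victim\AppData\Local\Temp\AnaMetaphor.dll",Pretor'},
    {"id": 1, "pid": 4212, "ppid": 4188, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"id": 3, "pid": 4212, "dst_ip": "84.38.183.246", "dst_host": "03u.ru"},
    # Benign control-panel launch: System32 DLL, no cmd child, no indicator hit.
    {"id": 1, "pid": 5000, "ppid": 3300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def process_table(events: List[Event]) -> Dict[int, Event]:
    """pid -> its process-create event (first seen wins)."""
    procs: Dict[int, Event] = {}
    for ev in events:
        if ev["id"] == 1:
            procs.setdefault(int(ev["pid"]), ev)  # type: ignore[arg-type]
    return procs


def lineage(pid: int, procs: Dict[int, Event]) -> List[int]:
    """pids from pid up to the highest ancestor we hold an event for."""
    chain: List[int] = []
    while pid in procs and pid not in chain:
        chain.append(pid)
        pid = int(procs[pid]["ppid"])  # type: ignore[arg-type]
    return chain


def detect(events: List[Event], iocs: Set[str] = IOCS) -> List[Alert]:
    """Apply the three rules drawn from the observed behaviour."""
    procs = process_table(events)
    alerts: List[Alert] = []
    for ev in events:
        pid = int(ev["pid"])  # type: ignore[arg-type]
        if ev["id"] == 1:
            names = [basename(str(procs[p]["image"])) for p in lineage(pid, procs)]
            if names[0] == "rundll32.exe":
                m = RUNDLL_RE.search(str(ev["cmdline"]))
                if m and TEMP_RE.search(m.group("dll")):
                    alerts.append(("rundll32_dll_from_temp", pid,
                                   f"{m.group('dll')},{m.group('export')}"))
            if names[0] == "cmd.exe" and len(names) > 1 and names[1] == "rundll32.exe":
                alerts.append(("cmd_child_of_rundll32", pid, " <- ".join(names)))
        elif ev["id"] == 3:
            hit = {str(ev.get("dst_ip")), str(ev.get("dst_host"))} & iocs
            if hit:
                alerts.append(("ioc_connection", pid, ",".join(sorted(hit))))
    return alerts


def kill_set(events: List[Event], alerts: List[Alert]) -> Set[int]:
    """Every pid in the lineage of an alerted process: the whole frega.exe tree."""
    procs = process_table(events)
    pids: Set[int] = set()
    for _rule, pid, _detail in alerts:
        pids.update(lineage(pid, procs))
    return pids


if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:24} pid={pid} {detail}")
    print("terminate:", sorted(kill_set(EVENTS, found)))
```

The benign rundll32.exe event is included deliberately: rundll32.exe on its own is too noisy to alert on, so the rules key on the DLL's location and on the cmd.exe child, and the indicator match is kept separate so a changed C&C list does not silence the behavioural rules.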
Remediation:
The following steps are recommended for remediation:
- Block the URL "http://egamcorps.ga/~zadmin/lmark/frega/mode.php", the domain "03u.ru", and the IP addresses 80.249.144.102 and 84.38.183.246.
- Terminate the whole process tree: the cmd.exe process that opens the secondary C&C connection, its rundll32.exe parent, and frega.exe itself.
- Search for registry changes at the locations frega.exe was observed to modify.
- Closely monitor any frega.exe process for suspicious activity.
- Closely monitor requests whose URI strings are abnormal in content or length.
- Block the hashes associated with this malware on EDR and endpoint controls.
- Remove unnecessary AppData and Temp entries.
Beware of the social engineering techniques employed by cyber criminals: learn to identify phishing emails, impersonated calls, and fraudulent businesses and domains, and know how to respond to a suspected compromise.
The above analysis was performed in a controlled environment in Rewterz Threat Intelligence Labs. If you have malware samples, binaries, or similar artefacts that need to be analysed, contact us at info@rewterz.com.