
Rewterz Threat Alert – LokiBot Malware – Updated IOCs

Severity

Medium

Analysis Summary

LokiBot – also known as Lokibot, Loki-bot, and Loki PWS – is a banking Trojan malware that is widely known to be an information stealer. The trojan targets browsers, FTP apps, cryptocurrency wallets, and email clients. It has evolved into a real-time key-logging component that steals passwords and captures keystrokes for accounts that aren’t stored in a browser’s internal database. It carries a desktop screenshot utility that captures sensitive documents opened on the victim’s computer. LokiBot is also able to create backdoors into affected systems to allow attackers to install multiple payloads.


LokiBot can be used to target Android and Windows operating systems. ­The Trojan is sold as a malware-as-a-service and distributed by malicious actors via email spam, cracked installers, and infected torrent files. Underground marketplaces like Genesis carry the information stolen through LokiBot.

Impact

  • Information theft
  • Credential theft
  • Exposure of sensitive information

Indicators of Compromise

URL

  • http[:]//31[.]210[.]20[.]71/tele/fre[.]php
  • http[:]//ospedaliprivatiforli[.]it/prova/panel/five/fre[.]php
  • http[:]//forrentinvegas[.]com/cele/five/fre[.]php
  • https[:]//ospedaliprivatiforli[.]it/prova/panel/five/fre[.]php
  • http[:]//31[.]210[.]20[.]71/teleuser/fre[.]php
  • http[:]//issth[.]com/folet/folet/fre[.]php
  • http[:]//51[.]195[.]53[.]221/p[.]php/qQDv4aFt6Ob1S
  • http[:]//51[.]195[.]53[.]221/p[.]php/JPmHpg6Nc7CUt
  • http[:]//51[.]195[.]53[.]221/p[.]php/NsLsWZMAWJWW1
  • http[:]//eightelegance[.]com[.]br/eightel/five/fre[.]php

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
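The remediation step "search for IOCs in your environment" needs the defanged URLs above turned back into matchable values and compared against egress telemetry. The following script is an added example, not Rewterz tooling: it refangs the advisory's URLs, then scans constructed squid-style proxy log lines (invented for the demo, not real telemetry) for both exact URL hits and weaker host-only hits, so that a changed path on a known C2 host still surfaces for review. The "hxxp" prefix handling is an assumed convention not used on this page.

```python
import re
from urllib.parse import urlparse

# Defanged indicators copied from the advisory; "[.]" and "[:]" neutralise the links.
DEFANGED_URLS = [
    "http[:]//31[.]210[.]20[.]71/tele/fre[.]php",
    "http[:]//ospedaliprivatiforli[.]it/prova/panel/five/fre[.]php",
    "http[:]//forrentinvegas[.]com/cele/five/fre[.]php",
    "https[:]//ospedaliprivatiforli[.]it/prova/panel/five/fre[.]php",
    "http[:]//31[.]210[.]20[.]71/teleuser/fre[.]php",
    "http[:]//issth[.]com/folet/folet/fre[.]php",
    "http[:]//51[.]195[.]53[.]221/p[.]php/qQDv4aFt6Ob1S",
    "http[:]//51[.]195[.]53[.]221/p[.]php/JPmHpg6Nc7CUt",
    "http[:]//51[.]195[.]53[.]221/p[.]php/NsLsWZMAWJWW1",
    "http[:]//eightelegance[.]com[.]br/eightel/five/fre[.]php",
]


def refang(ioc: str) -> str:
    """Reverse common defanging so the indicator can be compared against logs."""
    s = ioc.replace("[.]", ".").replace("[:]", ":")
    # "hxxp" is another widespread defanging style; assumed here, not used in the advisory.
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased hostname of a full URL, or of a bare host[:port] as seen in CONNECT lines."""
    if "://" in url:
        return (urlparse(url).hostname or "").lower()
    return url.split(":", 1)[0].lower()


def build_matchers(defanged):
    """Return (exact URL set, host set) derived from the defanged indicator list."""
    urls = {refang(u) for u in defanged}
    hosts = {host_of(u) for u in urls}
    return urls, hosts


# Constructed squid access.log lines (timestamp, elapsed, client, action/code, size, method, URL, ...).
# None of these are real observations; they exist only to exercise the matcher.
SAMPLE_LOG = """\
1618560000.101   245 10.1.2.3 TCP_MISS/200 512 POST http://31.210.20.71/tele/fre.php - HIER_DIRECT/31.210.20.71 text/html
1618560001.204   310 10.1.2.4 TCP_TUNNEL/200 4096 CONNECT ospedaliprivatiforli.it:443 - HIER_DIRECT/203.0.113.9 -
1618560002.307    12 10.1.2.5 TCP_HIT/200 2048 GET http://example.com/index.html - HIER_NONE/- text/html
1618560003.410   198 10.1.2.6 TCP_MISS/404 301 GET http://51.195.53.221/p.php/CONSTRUCTEDTOKEN - HIER_DIRECT/51.195.53.221 text/html
this line is malformed and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<src>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def scan(log_text: str, defanged=DEFANGED_URLS):
    """Return (source_ip, url, match_kind) for every log line touching an indicator.

    match_kind is "exact-url" for a full URL match and "host" when only the
    hostname matches (path changed, TLS CONNECT, etc.), which still deserves triage.
    """
    urls, hosts = build_matchers(defanged)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently match nothing
        url = m.group("url")
        if url in urls:
            hits.append((m.group("src"), url, "exact-url"))
        elif host_of(url) in hosts:
            hits.append((m.group("src"), url, "host"))
    return hits


if __name__ == "__main__":
    for src, url, kind in scan(SAMPLE_LOG):
        print(f"{kind:9s} {src:12s} {url}")
```

Host-only hits are deliberately reported separately from exact URL hits: the advisory lists three distinct paths under the same 51.195.53.221 host, so a host match with an unlisted path is a plausible variant rather than noise, but it should be reviewed rather than blocked blindly when the host is shared hosting (as the compromised-looking domains here may be).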