# LOKIBOT - A commodity malware

**reversing.fun/posts/2021/06/08/lokibot.html**

.. June 8, 2021

Jun 8, 2021

Lokibot it’s not new but it’s a common malware to see these days since it’s sold on
underground websites, thus it’s available to the average cyber-criminal. This malware is
designed to steal information from infected machines and send it to a command and control
server using HTTP POST requests.

Besides stealing data, it can set up persistence, receive tasks from the C2 server, and it can
be used to download more malware.

Lokibot has been around for a few years now, but the statistics show that is still very
[common to see Lokibot being used. The stats provided by Any Run show that this family is](https://any.run/malware-trends/)
within the top 3 of the Global rank and the top 10 of both the Week and Month ranks.

The stats from [MalwareBazaar put this family within the top 10 of all time of the most seen](https://bazaar.abuse.ch/)
malware families.


-----

[Tria.ge stats place Lokibot in the top 5 of submissions.](https://tria.ge/)


-----

Given the popularity of this malware and my curiosity, I decided to take a look at a sample
and see how it works.

[The sample I used in this analysis can be found here.](https://bazaar.abuse.ch/sample/3deeb55fefe05f51c41b1724780e5de1e33a432e01f455e3ab5d2af5ca655464/)

## Static reverse engineering

Lokibot resolves most of the needed APIs during the execution. To avoid hardcoding the
original API names, the malware uses hashes of the API names whenever it needs to
resolve them


-----

The first step to moving forward with the reverse engineering of this sample I had to
understand how Lokibot resolves the APIs and how the algorithm that computes the hashes
works.

### Resolving the necessary APIs

To resolve a Windows API, Lokibot calls an auxiliary function that receives an index value
and a hash of the API name as arguments.

The indexes are used to get the DLL name from an in-memory array containing the DLL
names.

**Index** **DLL**

0 kernel32.dll

1 ntdll.dll

2 shlwapi.dll

3 crypt32.dll

4 wininet.dll

5 urlmon.dll

6 netapi32.dll

7 ws2_32.dll

8 user32.dll

9 advapi32.dll

10 shell32.dll

11 gdiplus.dll

12 gdi32.dll

13 ole32.dll


-----

**Index** **DLL**

14 gdi32.dll

To get the final addresses Lokibot loads and parses the export table from the DLLs.

For each API in the export table, Lokibot computes a hash of its name and compares it with
the hash passed to the function as an argument.

### API string hashing algorithm

Pseudo code of the hashing algorithm used by this Lokibot sample:


-----

Using my own implementation of this algorithm in python I was able to build a list containing
the Windows API names alongside their hashes.

In **[this gist, you can find the full list containing the API names and the hashes.](https://gist.github.com/ilbaroni/fbb33cb0b821d408ddb8eea25960f649)**

### Command line argument check

Before starting any actions the malware checks if there is a `-u switch in the arguments of`
the process and if it finds it the execution is delayed for 10 seconds.

This switch is used when Lokibot upgrades itself.

### Network initialization and mutex creation

Lokibot uses Berkeley compatible sockets for communications and because of that, it needs
to call WSAStartup() before using any other networking functions.

If the call succeeds the malware tries to create a mutex based on the MD5 hash of the
machine GUID (trimmed to 24 chars).


-----

Mutexes are used to guarantee that there is only one instance of a program running on a
system.

### Stealing the data

Lokibot calls a function that will build two large arrays in the stack.

The first array will contain the identifiers of the functions, and the second array the actual
routines that steal data.

After building the two arrays, the functions that steal data are executed using a wrapper
function.


-----

This wrapper function sets a global variable with the identifier of the steal function and
executes it.

This way, Lokibot can keep a reference between the stolen data and the function that stole it
in the reported data. This way, when parsing the stolen data the C2 server will know how to
process/store it.

List of all the targeted applications and files:


-----

```
firefox browser
icedragon browser
safari browser
k-meleon browser 
seamonkey browser
flock browser 
blackhawk browser 
lunascape browser 
browsers general data
opera browser 
qtweb internet browser 
qupzilla browser 
internet explorer 
opera passwords
cyberfox browser 
pale moon browser 
waterfox browser 
pidgin passwords
superputty 
ftpshell 
notepadplusplus 
myftp 
ftpbox 
sherrod ftp 
ftpnow 
nexusfile ftp 
netsarang xftp 
easyftp 
sftpnetdrive 
ableftp 
jasftp 
automize 
ableftp
cyberduck 
fullsync 
ftpinfo 
linasftp 
filezilla 
staff ftp 
blazeftp 
fastream ftp 
goftp 
estsoft alftp 
deluxe ftp 
ghisler wcx ftp 
ftpgetter 
ws ftp 
site xml files
full tilt poker 
pokerstars 
expandrive 
steed 
flash fxp 
insoftware novaftp 
netdrive 

```

-----

```
ghisler wcx ftp 
smart ftp 
far manager ftp 
bitvise bvsshclient 
vnc 
msecure 
syncovery 
freshwebmaster freshftp 
bitkinex 
ultrafxp 
ftp now 
securefx 
odin secure ftp expert 
nch software fling 
nch software classicftp 
kitty
putty 
mozilla thunderbird 
foxmail 
pocomail 
incredimail 
gmail notifier pro
desksoft checkmail 
winftp client 
winscp 
32bitftp 
ftp navigator 
softwarenetz mailing 
operamail 
postbox 
mozilla fossamail 
mailbox ini file 
winchips user account 
outlook 
ymail2 
trojita imap client 
trulymail 
spn files
to dodesklist 
stickies images and rtf
notefly notes 
conceptworld notezilla 
microsoft sticky notes 
keepass databases
enpass db files
my roboform 
1password 
mikrotik winbox

```
After getting all the data and save it in a memory buffer, Lokibot will prepare the data and
report it back to the C2 server. The configured C2 server is encrypted using Triple-DES and
gets decrypted on runtime.


-----

The malware grabs information about the local system and builds a report packet. This
packet will have the system information, stolen data, and some other flags and data.

Summary of the system information that is collected to build the report packet:

Operating system
Username
Hostname
Domain name
Screen resolution
Privilege level
System architecture

An interesting bit of information on the Lokibot communications is the user-agent.

A simple google search shows nothing but only references to this malware.


-----

### Stealing data from the Windows Credential Manager

After stealing the data from the targeted applications, Lokibot will try to steal data from the
Windows Credential Manager.


-----

To steal those credentials, Lokibot will search any files within the following directories:
```
   %APPDATA%\Microsoft\Credentials
   %LOCALAPPDATA%\Microsoft\Credentials .

```
To decrypt the passwords, Lokibot tries to inject code into the Local Security Authority
Subsystem Service process (lsass.exe). The injection will occur only if:

The operating system is x86.
The operating system is x64 and the process is not running under Windows on
Windows subsystem (WoW64).


-----

A fun fact about the x86 injection function is that the author forgot to create a remote threat
after writing the shellcode into the Lsass process, meaning that the shellcode is written but
never executed. ¯\(ツ)/¯

After stealing this data, Lokibot builds a new report packet and reports it back to the C2
server.

### Persistence

For persistence, Lokibot copies itself to a folder inside the `%APPDATA% folder, creates a new`
run key, and hides both the created directory and the copied executable.

Creating the directory and copying the original executable:


-----

Creating a run key and hiding both the folder and the executable:


-----

This way whenever the system is started the hidden executable will be executed.

### C2 tasks

After stealing the data, Lokibot is also able to fetch tasks from the C2 server.

Summary of the possible Lokibot tasks:

Download EXE and Execute
Download DLL and Load
Delete HDB file
Start keylogger
Steal data
Exit Lokibot
Upgrade Lokibot
Change C2 beaconing (polling tasks)
Delete executables

Here is a snippet of a function that will download additional executables and execute them:


-----

## Possible detections

Lokibot creates a hidden folder within the `%APPDATA% directory. The directory name will be`
a slice of the mutex name (8th char - 13th char).

For example: `%APPDATA%\C98066\ .`

In the hidden directory, Lokibot creates four files at any given time with the following
extensions:

.exe
.lck
.hdb
.kdb

The file names will also be a slice of the mutex name (13th char - 18th char) followed by the
extension.

The user-agent used by Lokibot is also very uncommon which can be used to build simple
detections.
```
Mozilla/4.08 (Charon; Inferno)

```
List of existing Suricata rules:


-----

**Rule IDRule ID** **Rule NameRule Name**

2024311 ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected

2024312 ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1

2024313 ET TROJAN Loki Bot Request for C2 Commands Detected M1

2024314 ET TROJAN Loki Bot File Exfiltration Detected

2024315 ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1

2024316 ET TROJAN Loki Bot Screenshot Exfiltration Detected

2024317 ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2

2024318 ET TROJAN Loki Bot Request for C2 Commands Detected M2

2024319 ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2

## References


-----