LokiBot After a Decade: Analysis of a Recent Campaign
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
LokiBot is a long-running infostealer built to collect credentials from browsers, cryptocurrency wallets, and other sensitive applications. This recent campaign relies on a multi-stage execution chain that begins with an obfuscated JScript attachment delivered through malspam. The malware uses process injection and API hashing to reduce visibility while sending stolen data to its command-and-control infrastructure.
Investigation
The investigation examined a multi-stage LokiBot sample and traced its progression from a JScript attachment to a PowerShell loader, then to a .NET injector, and finally to the LokiBot payload. Analysts identified the use of ConfuserEx protection, XOR-based decryption, and reflective loading techniques throughout the chain. The study also described the malware’s custom API hashing approach and a flawed registry-based persistence method.
Mitigation
Organizations should deploy strong email filtering to block malicious JScript attachments and malspam before delivery. Monitoring suspicious child processes spawned by wscript.exe and powershell.exe is also essential. In addition, restricting execution of untrusted .NET assemblies and watching for unusual changes to Windows Run keys can help reduce exposure.
Response
If LokiBot is detected, isolate the affected endpoint immediately to stop further data theft and command-and-control communication. Investigators should perform forensic analysis to determine the original entry point and assess the scope of credential compromise. All accounts accessed from the infected host should undergo a full password reset, and the environment should be scanned for related JScript and PowerShell artifacts.
Attack Flow
Detections
Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
View
The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)
View
LOLBAS WScript / CScript (via process_creation)
View
Suspicious Powershell Strings (via powershell)
View
LokiBot C2 Communication via HTTP Request [Windows Network Connection]
View
Detection of LokiBot Process Injection via aspnet_compiler.exe [Windows Process Creation]
View
Detect LokiBot Execution via Base64 PowerShell Script and .NET Assembly Load [Windows Powershell]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: The adversary has successfully gained initial access via a JScript file. To avoid dropping a detectable
.dllfile to disk, they execute a PowerShell command that contains a Base64-encoded string. This script, once decoded, uses the.NET Reflectioncapability to call[System.Reflection.Assembly]::Loadto pull a malicious payload directly into the current process memory. This “fileless” approach is a hallmark of LokiBot. -
Regression Test Script:
# LokiBot Simulation Script # This script is designed to match the exact strings defined in the detection rule. # 1. Simulate the Base64 component $encodedCommand = "Base64-encoded PowerShell script" $dummyPayload = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("DummyPayload")) # 2. Simulate the Assembly Loading component using the exact string from the detection rule # We use a try/catch because this is a simulation and the "payload" isn't a real assembly. try { Write-Host "Executing encoded stage..." Write-Output $encodedCommand # This line is the primary trigger for the detection rule $trigger = "[System.Reflection.Assembly]::Load" Write-Host "Attempting to load assembly via: $trigger" # We call it via Invoke-Expression to ensure it appears in the ScriptBlockText Invoke-Expression "Write-Host 'Triggering: $trigger'" } catch { Write-Error "Simulation failed to execute the trigger string." } -
Cleanup Commands:
# No permanent changes are made by the simulation script. # Simply clearing the console and ensuring no lingering processes exist. Clear-Host Write-Host "Simulation cleanup complete. No files were dropped."