Detection Content: Finding the Lokibot Trojan

Lokibot is trojan-type malware designed to collect a wide range of sensitive data. It was first noticed in 2015 and remains very popular among cybercriminals because any attacker can purchase it on underground forums. A couple of years ago, “tinkerers” learned how to add their own C&C infrastructure addresses to the Trojan and started selling the “cracked” version, which led to a surge in attacks using this infostealer. While the pirated version cannot maintain persistence, Lokibot is still able to steal saved credentials within minutes, and such attacks are hard to attribute.

Lokibot is distributed via spam emails and malicious websites. The Trojan's main function is to record sensitive data: it gathers saved logins and passwords and continually tracks user activity, immediately sending the recorded information to a remote server controlled by the adversaries. This Trojan is often used in BEC attacks, since upon successful infection it almost instantly provides scammers with all the information they need. Lee Archinal's exclusive rule is based on an analysis of the most recently discovered Lokibot samples and can help detect compromised systems in time: https://tdm.socprime.com/tdm/info/T6NDsITcwOfT/n21AqHIBPeJ4_8xce4aS/?p=1

We recommend that you also explore the other rules for detecting this threat available on Threat Detection Marketplace.

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Command and Control, Defense Evasion

Techniques: Commonly Used Port (T1043), File Deletion (T1107)