Detection Content: LokiBot Detector

In today’s post, we want to remind our readers about the LokiBot infostealer, which backdoors the victim’s Windows host, lets fraudsters steal sensitive data, and can drop additional payloads. LokiBot reaches victims through malspam campaigns that often spoof a trusted sender and carry an attached document urging the recipient to open it immediately. Already distributed in phishing campaigns worldwide, LokiBot became even more active during the pandemic: a recent campaign used emails posing as an update from the WHO, complete with its trademark, to look like a legitimate sender.

Once LokiBot is successfully delivered to the victim machine, it starts harvesting and exfiltrating as much sensitive information as it can find, including passwords stored in browsers, email passwords, and FTP credentials.

The LokiBot Detector (Windows10) (Sysmon Behavior) Sigma rule by Lee Archinal helps detect the presence of the infostealer:

https://tdm.socprime.com/tdm/info/R26MTl0rrjvg/uwDm3HMBSh4W_EKGmAKw/?p=1

The rule has translations for the following platforms:

SIEM: ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, CrowdStrike, Elastic Endpoint

MITRE ATT&CK:

Tactics: Execution, Defense Evasion, Persistence, Privilege Escalation

Techniques: Rundll32 (T1085), Scheduled Task (T1053). Note that since the ATT&CK sub-technique update, T1085 has been retired in favour of T1218.011 (System Binary Proxy Execution: Rundll32) and Scheduled Task is tracked as sub-technique T1053.005.
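The two techniques above are the kind of Sysmon process-creation behaviour a rule like this keys on. The following Python is an added illustration, not the SOC Prime / Lee Archinal rule itself: it runs two hypothetical heuristics (rundll32.exe loading a DLL from outside the Windows system directories, and schtasks.exe creating a task whose action invokes rundll32) over a handful of constructed Sysmon Event ID 1 records in JSON-lines form. The event field names follow Sysmon’s schema, but the sample records, the paths in them and the heuristics are assumptions for demonstration only.

```python
"""Illustrative Sysmon process-creation heuristics for the two ATT&CK techniques
named on this page (Rundll32, Scheduled Task). Added example, not the SOC Prime
rule; the conditions and sample events below are assumptions, not real telemetry."""
import json
import ntpath

# DLLs loaded from these directories are treated as benign for this example.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon Event ID 1 (ProcessCreate) records, JSON-lines as a SIEM
# might ingest them. Made-up samples: one benign rundll32, one suspicious
# rundll32, one task creation, one task query, one unrelated network event.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\bob\\AppData\\Roaming\\update.dll,Start", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /create /sc minute /mo 5 /tn Updater /tr \"rundll32.exe C:\\Users\\bob\\AppData\\Roaming\\update.dll,Start\"", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /query /tn Updater", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationPort": 443}
"""


def parse_events(text):
    """Parse JSON-lines Sysmon events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rundll32_dll_argument(command_line):
    """Return the DLL path rundll32 was asked to load, or None.
    rundll32 syntax is: rundll32.exe <dll>,<entrypoint> [args]"""
    parts = command_line.split(None, 1)
    if len(parts) < 2:
        return None
    dll = parts[1].split(",", 1)[0].strip().strip('"')
    return dll or None


def is_system_dll(path):
    """True if the DLL lives under a Windows system directory. A bare file name
    (no path separator) is resolved through the DLL search order; this example
    treats it as benign, a real rule would want to look at that case too."""
    p = path.lower()
    if "\\" not in p:
        return True
    return p.startswith(SYSTEM_DLL_DIRS)


def check_event(event):
    """Return a list of (rule, technique) hits for one Sysmon event."""
    hits = []
    if event.get("EventID") != 1:          # only ProcessCreate events
        return hits
    image = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "")
    if image == "rundll32.exe":
        dll = rundll32_dll_argument(cmd)
        if dll and not is_system_dll(dll):
            hits.append(("rundll32 loading non-system DLL", "T1218.011 (formerly T1085)"))
    if image == "schtasks.exe":
        low = cmd.lower()
        if "/create" in low and "rundll32" in low:
            hits.append(("scheduled task running rundll32", "T1053.005"))
    return hits


def scan(text):
    """Run every heuristic over a JSON-lines dump.
    Returns (rule, technique, command_line) tuples, one per hit."""
    findings = []
    for ev in parse_events(text):
        for rule, technique in check_event(ev):
            findings.append((rule, technique, ev.get("CommandLine", "")))
    return findings


if __name__ == "__main__":
    for rule, technique, cmd in scan(SAMPLE_EVENTS):
        print(f"[{technique}] {rule}: {cmd}")
```

Run against the constructed sample the script reports two hits: the rundll32 launch of a DLL under a user profile, and the schtasks /create whose action re-launches it. The benign rundll32 call into shell32.dll and the schtasks /query pass untouched, which is the distinction a production rule needs to make to stay usable in a SIEM.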

Read more about Covid19-related malware activities and SOC Prime recommendations here.

Ready to try out SOC Prime TDM? Sign up for free.

Or join the Threat Bounty Program to craft your own content, share it with the TDM community, and earn from it!