A new wave of attacks using Loki Infostealer

Delaware, USA – December 26, 2017 – Several campaigns spreading Loki Infostealer were detected in December. Campaigns differ in both distribution methods and malware modifications. Trojan Loki is a modular malware, anyone can buy it on Darknet forums and its functionality varies depending on the modification. In addition, hackers do not hesitate to crack this trojan and use it in their campaigns. Researchers from Trend Micro spot a campaign using CVE-2017-11882 vulnerability to infect victims’ systems with a cracked Loki infostealer. This campaign targets the United States, France, Incyber attacking and some other countries. Attackers use stolen credentials to continue the virus spreading. Researchers from Lastline Labs uncovered another cyberattack that distributed Loki via MS Office documents with malicious scriptlets. Abusing scriptlets to deliver malicious payload is a new trend appeared in November that allows malware to avoid detection by antivirus solutions.

In the report published by Lastline Labs, this Loki strain stayed undetected for 12 days from the moment of infection and it communicated with C&C server several times during this period. You can detect such malware and its activities timely using SIEM and APT Framework package from Use Case cloud, which notifies administrators of any suspicious patterns discovered on the corporate network.