LokiBot uses Steganography to Hide Code

Delaware, USA – August 8, 2019 – This is not the first attempt by the LokiBot authors to use steganography, a technique that APT groups periodically use to deliver malware. Previously, attackers appended an archived malware payload to a PNG file, from which it was run using wscript. In a recent campaign discovered by Trend Micro researchers, LokiBot was delivered using a malicious Word file with an embedded Excel worksheet and a package labeled ‘package.json’. The worksheet contained a VBS macro that runs a PowerShell script to connect to the command-and-control server and install the malware as an executable together with a JPG file containing the LokiBot source code. The code is hidden in the image file: the malware loader searches for particular markers within the JPG and extracts the content using its own decryption method. Once extraction completes, LokiBot is loaded in memory and is ready to collect credentials. In the new version of the malware, steganography serves as an additional layer of code obfuscation and protection against detection. The functionality of the infostealer has not changed: it steals browser information, passwords for remote administration tools, and credentials for email and file transfer clients.

To convince a user to open the malicious attachment, the attackers send emails spoofing corporate mailboxes of existing organizations. The recent campaign targeted at least 56 organizations. LokiBot authors regularly experiment to find the best ways to deliver their infostealer; in the previous campaign, the malware was spread using ISO images, which anti-virus solutions do not scan very carefully.
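The loader's own markers and decryption routine are not described above, but the broader pattern of hiding a payload in an image can be checked for on the defender's side. The following added example (not code from the article or from the Trend Micro research) walks a JPEG's segment structure and reports any bytes appended after the End-Of-Image marker, a common sign of a payload smuggled inside an otherwise valid image; the sample images are constructed inline.

```python
"""Heuristic check for data hidden after a JPEG's End-Of-Image (EOI) marker.

Added example; assumption: LokiBot's real in-image markers are not on the
page, so this only flags trailing bytes after EOI (0xFFD9), which a JPEG
decoder ignores but a loader can still read back.
"""
import struct

SOI = b"\xff\xd8"  # Start Of Image
EOI = b"\xff\xd9"  # End Of Image


def jpeg_trailing_data(data: bytes) -> bytes:
    """Walk the marker segments up to SOS, then return everything after EOI."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"malformed segment at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded scan follows; FF D9 cannot occur inside it
            end = data.find(EOI, pos)
            if end == -1:
                raise ValueError("no EOI marker after SOS")
            return data[end + 2:]
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # RSTn / TEM carry no length field
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes itself
        pos += 2 + length
    raise ValueError("truncated JPEG")


def has_appended_payload(data: bytes, min_bytes: int = 16) -> bool:
    """True when more than min_bytes trail the EOI marker (tolerates a few pad bytes)."""
    return len(jpeg_trailing_data(data)) > min_bytes


# Constructed minimal JPEG: APP0 (JFIF header) + SOS header + 4 scan bytes + EOI.
CLEAN_JPEG = (
    SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\x56\x78"
    + EOI
)
# Constructed suspicious sample: same image with an opaque blob glued on after EOI.
SUSPICIOUS_JPEG = CLEAN_JPEG + b"CONSTRUCTED-BLOB:" + bytes(range(64))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("suspicious", SUSPICIOUS_JPEG)):
        print(name, "trailing bytes:", len(jpeg_trailing_data(blob)), "flag:", has_appended_payload(blob))
```

Files flagged this way are worth correlating with the Sysmon process activity (Office spawning wscript.exe or powershell.exe) that the detectors listed below cover.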

Content available on Threat Detection Marketplace to detect the malware:
Lokibot Malware Detector (Sysmon Behavior) (July 2019) – https://tdm.socprime.com/tdm/info/2337/
Lokibot Malware Detector (Sysmon Behavior) – https://tdm.socprime.com/tdm/info/2258/
LokiBot Trojan Detector (Sysmon) – https://tdm.socprime.com/tdm/info/1139/
Execution wscript.exe – https://tdm.socprime.com/tdm/info/1087/
WScript or CScript Dropper – https://tdm.socprime.com/tdm/info/1207/