Recent investigations have revealed an intriguing twist in the cybersecurity landscape: even hackers can become victims. Security researchers have identified that a significant proportion of the LokiBot samples circulating online are altered copies of the original variant. This discovery raises new concerns regarding the integrity of cybersecurity threats and highlights the complexities within the hacker community itself.

LokiBot, which has been operational since 2015, serves as a sophisticated tool for stealing passwords and cryptocurrency wallet information. Capable of extracting credentials from major web browsers along with FTP, email clients, and IT management tools like PuTTY, it remains a potent threat. Initially created by the online identity known as “lokistov,” also referred to as “Carter,” the malware was sold for up to $300 on various underground forums. Subsequently, copycat hackers began to distribute it for as little as $80.

It has been speculated that the source code of LokiBot was leaked, enabling others to compile their own versions of this malware. However, a researcher using the alias “d00rt” has uncovered that the recent hijacked deployments result from minor modifications applied to the original sample, circumventing any need for access to the source code. These changes allow further customization, including the specification of unique domains for the exfiltration of stolen data.

The latest analysis indicates that the command-and-control (C&C) server locations within the malware are stored in five separate slots, four of which are encrypted with the Triple DES algorithm while the fifth is protected only by a basic XOR cipher. A crucial function within the malware, “Decrypt3DESstring,” is responsible for decrypting these strings to disclose the C&C server URL. Upon examination, the researcher noted that the function had been modified so that it returns the XOR-protected string instead of the Triple DES-encrypted URLs, a significant deviation that lets anyone familiar with basic hex editing repoint the malware at a server of their choosing.

The security researcher highlighted that the static 3DES-protected URLs across all modified LokiBot samples remain unused, raising questions about the motivations behind their inclusion. Many versions currently available in underground circles have undergone similar modifications, reinforcing the notion that the malware’s reach is expanding among opportunistic hackers.
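The two paragraphs above describe a configuration with four 3DES-protected C&C slots and one XOR-protected slot, with only the XOR slot actually consulted by the patched decryption routine. The following is an added example, not code from the article or from d00rt's research, showing how an analyst triaging such a sample might recover a URL from an XOR-protected slot without knowing the key in advance. It assumes a single-byte XOR scheme, a constructed sample key (`SAMPLE_KEY`), a constructed placeholder URL, and helper names (`recover_xor_url`, `triage_slots`) that are this example's own; the real LokiBot encoding is not described on the page and may differ. The opaque slot stands in for a 3DES-protected entry that this helper cannot decode, mirroring the researcher's observation that those slots go unused in the patched samples.

```python
"""
Added example (not from the article or from d00rt's research): a small
C&C-slot triage helper.  The XOR scheme (single byte), the sample key and
the placeholder URL are all ASSUMED/CONSTRUCTED for illustration only.
"""
import string
from typing import List, Optional, Tuple

# Bytes we accept in a decoded URL: printable ASCII minus vertical tab / form feed.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte (encode and decode are the same op)."""
    return bytes(b ^ key for b in data)


def looks_like_url(candidate: bytes) -> bool:
    """Accept only fully printable strings that start with an HTTP(S) scheme."""
    return all(b in PRINTABLE for b in candidate) and (
        candidate.startswith(b"http://") or candidate.startswith(b"https://")
    )


def recover_xor_url(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Brute-force all 256 single-byte keys; return (key, plaintext) for the
    first candidate that decodes to a URL-like string, or None if none does.
    Because the first plaintext byte must be 'h', at most one key can match."""
    for key in range(256):
        plain = xor_bytes(blob, key)
        if looks_like_url(plain):
            return key, plain
    return None


def triage_slots(slots: List[bytes]) -> List[Tuple[int, int, str]]:
    """Run the XOR recovery over every configuration slot and report
    (slot index, key, url) for each slot that decodes.  Slots protected by a
    stronger cipher (3DES in the article) are simply reported as no-hit."""
    hits = []
    for idx, blob in enumerate(slots):
        found = recover_xor_url(blob)
        if found is not None:
            key, plain = found
            hits.append((idx, key, plain.decode("ascii")))
    return hits


# --- Constructed sample data (not real LokiBot artefacts) -------------------
SAMPLE_KEY = 0x5A                                   # ASSUMED key for the sample
SAMPLE_URL = b"http://c2.example.invalid/panel"     # placeholder, not a real C&C
SAMPLE_BLOB = xor_bytes(SAMPLE_URL, SAMPLE_KEY)     # the "XOR slot"
OPAQUE_BLOB = bytes.fromhex("9f3c41e2b7d80a5c11f4")  # stand-in for a 3DES slot


if __name__ == "__main__":
    for idx, key, url in triage_slots([OPAQUE_BLOB, SAMPLE_BLOB]):
        print(f"slot {idx}: key=0x{key:02x} url={url}")
```

On a real sample the slots would be carved from the binary's data section; the point of the helper is that a defender recovers the live C&C URL from the XOR slot directly, and flags any slot that does not decode as something that needs the sample's own decryption routine (here, 3DES) rather than guessing.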

Interestingly, the original creator of LokiBot has since released version 2.0, which is now available for purchase on numerous forums. The patched copies are also less robust than the original: because the decryption routine was simplified to return only URLs, they lack the functionality to re-establish themselves after a system reboot.

This evolving threat landscape emphasizes the importance of vigilance and proactive measures in cybersecurity protocols. Businesses should remain cognizant of the various strategies employed by cyber adversaries. Utilizing the MITRE ATT&CK framework can provide invaluable insight into possible adversary tactics, including initial access, persistence, and privilege escalation. Understanding these techniques is essential for constructing robust defenses against an increasingly sophisticated array of cyber threats.

For detailed technical insights regarding the alterations in LokiBot, refer to the research paper published on GitHub by the author “d00rt,” which elucidates the intricacies of these hijacked malware samples.
