LokiBot, or Loki, is a password stealing malware and was considered the 8th most prevalent malware family in 2021 according to MalwareBazaar. Available for sale on underground forums, its within reach of anyone willing to pay the right price. As far as its use by organized actors, MITRE has linked its usage to the SilverTerrier threat group, known for having financial cybercrime motives.
In this blog post we'll conduct some static and dynamic analysis on a LokiBot sample to extract IOCs and characterize its behavior.
STATIC ANALYSIS WITH PESTUDIO 9.27
Using the latest version of PeStudio, we start to build a picture of what the specimen is capable of. Taking a look at the imports/functions category, we see the following:
Based on the imports, this sample shows potentially:
Anti-debugging capabilities (EmptyClipboard, GetTickCount)
Parsing through files and folders (FindFirstFileA, FindNextFileA, SearchPath, CreateFileA)
Evasive behaviors/artifact destruction (DeleteFile, RemoveDirectory)
File writing (CreateFileA, WriteFile, MoveFile)
Registry interactions (RegCreateKey, RegDeleteKey, RegEnumKey, RegOpenKey, RegSetValue, RegQueryValue)
Looking at the strings tab, we see a lot of the same references to the API calls, especially if sorting for blacklist items to show first:
Outside of those, nothing is proving to be too conclusive here.
I pushed the file over to REMnux to give a stab at it with capa. Capa gave the following output:
In order to analyze further with capa, I'll need to dump the actual malware executable once it starts running during the dynamic analysis stage and rebuild it. I'll have those details after the dynamic analysis section.
Prior to detonating the sample, I had Process Hacker, Process Monitor, and WireShark running to capture any events. I was able to capture the following data:
The memory strings in Process Hacker offered some IOCs. We see a domain (s442136.smrtp[.]ru) as well as some registry interactions.
Process Monitor offered the following:
We see a ton of "CreateFile" operations with browser file paths. It would be easy to be misled by the fact that the operation title is "CreateFile" and believe that the executable is attempting to generate files on the victim system. Reading Microsoft documentation offers some more context:
Not only does this function allow for the creation of files, but also opening them. On the right side of the Process Monitor screenshot we see the value "path not found," meaning that the malware tried to open or access the browser file paths and they did not exist. Being that the malware is a password stealer, it is likely checking these file paths for saved credentials.
Seeing the WireShark output, we see information that corroborates earlier findings:
REBUILDING WITH SCYLLA
So like I mentioned early on, the initial file is an installer and not the actual child process that we've analyzed in the dynamic stage. I'll demonstrate how one could actually get a "tangible" version of the malware that's executing to then analyze it with tools like capa. The tool we'll be using is Scylla, and imports reconstructor developed by NtQuery and available on GitHub.
First, make sure the malware is already running. Next open Scylla x86 and attach it to the active process. Click "IAT autosearch," and then "get imports," followed by "dump." Name it something intuitive, and voila. This will reconstruct the executable.
I pushed this version back over to the REMnux box for analysis, and it worked fine with capa:
We can also feed this new executable back into PEStudio for its new assessment:
An interesting catch that I didn't catch before is the reference in strings to SQLite. A lot of browsers saved passwords in SQLite databases which, if we didn't know what this was ahead of time, we could safely lean towards it being a browser password stealer.
Dropped executable: 71e155ee000c0d1cbba18b92f0d512217afe195ba40f9326c60523cdfd3fa742
LokiBot Malware (CISA)