Lokibot first emerged as an information stealer and keylogger on hacker forums in 2015 and has gained many capabilities since. It has been observed abusing the Windows Installer for its installation and being delivered by malspam campaigns that carry malicious ISO files as attachments. It has also added persistence and detection-evasion mechanisms, and it can use steganography to hide its code. Although it initially also targeted bitcoin wallets, the malware is primarily designed to collect credentials and security tokens from an infected machine running the Windows operating system. Upon execution, Lokibot uses process hollowing to unpack its payload in memory, masquerading as a legitimate Microsoft Windows application. Lokibot targets multiple applications for stealing information and credentials, including Mozilla Firefox, Google Chrome, Thunderbird, and FTP and SFTP clients.
The following is a list of MITRE ATT&CK techniques we observed during our analysis of this malware.
| Field | Value |
|---|---|
| File Info | Portable Executable 32 |
| File Size | 273.08 KB (279635 bytes) |
| VirusTotal Score | 23/73 |
| Hybrid Analysis Score | 60% |

| Field | Value |
|---|---|
| File Type | Dynamic Link Library |
| File Info | PE Library |
| File Size | 19.00 KB (19000 bytes) |
| VirusTotal Score | 30/72 |
| Hybrid Analysis Score | 80% |
Detailed analysis of frega.exe showed that it contains embedded instructions that allow it to initiate network connections. When the victim opens frega.exe, registry changes were observed in parallel. frega.exe is also designed to download an NSIS (Nullsoft Scriptable Install System) installer file from a particular URL; NSIS is a legitimate, commonly allow-listed Windows tool used to create custom installer files.
Further analysis suggests that frega.exe is likely a dependency or loader for another, main malware component. This is hypothesized because frega.exe attempts to contact its C&C server immediately after execution and downloads a txt file containing a list of C&C servers. A cmd.exe process was also observed launching rundll32.exe, which then communicates with a Russian C&C server.
The following characteristics were observed in the .img file.
Hence the file frega.exe was fully analyzed statically, and based on the artifacts recovered it is classified as a malicious Windows program.
The following dependencies were observed in the malware file.
The following is the complete process-working graph for this attack.
The following behaviors were observed for this malware:
Additionally, frega.exe automatically downloads a txt file containing the list of command and control servers. The above-mentioned domain is also found in this txt file.
The txt file lists a number of command and control servers whose addresses fall in the same IP subnet as the traffic observed in Wireshark.
Among the different names in the list we found Pretor, which was previously seen passed as a rundll32.exe parameter. On reviewing the code, we concluded that the names used alongside Pretor are the names of the DLL entry points that rundll32.exe is instructed to load and invoke.
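The subnet observation above can be checked mechanically. The script below is an added example, not code from the original analysis or from the malware: it parses a C&C list in the plain txt form frega.exe downloads, resolves each entry through a lookup table, and groups the entries by /24 so that infrastructure sharing a subnet with the address seen in Wireshark stands out. The list text, the `.invalid` host names, all IP addresses and the resolution table are constructed placeholders; only 03u.ru is a host named in the analysis.

```python
"""Parse a C&C server list like the one frega.exe downloads and cluster the
entries by /24 subnet, the way one would check the 'same subnet as seen in
Wireshark' observation. The list text and the resolution table below are
constructed placeholders; only 03u.ru is a host named in the analysis."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional

C2_LIST_TXT = """\
# constructed stand-in for the downloaded txt file
03u.ru
c2-a.invalid:8080
c2-b.invalid
203.0.113.77
c2-c.invalid
"""

# Constructed DNS answers (passive DNS or the sandbox pcap would supply these)
RESOLVED: Dict[str, str] = {
    "03u.ru": "203.0.113.10",
    "c2-a.invalid": "203.0.113.22",
    "c2-b.invalid": "203.0.113.54",
    "c2-c.invalid": "198.51.100.9",
}


def parse_c2_list(text: str) -> List[str]:
    """Return host names/IPs, dropping blanks, comments and a trailing :port."""
    hosts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.count(":") == 1:          # host:port (IPv6 literals excluded)
            line = line.rsplit(":", 1)[0]
        hosts.append(line.lower())
    return hosts


def resolve(host: str, table: Dict[str, str]) -> Optional[str]:
    """IP literals pass through; names are looked up in the supplied table."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return table.get(host)


def cluster_by_subnet(hosts: List[str], table: Dict[str, str],
                      prefix: int = 24) -> Dict[str, List[str]]:
    """Group list entries by the /prefix network their address falls in.
    Entries that do not resolve are skipped rather than guessed."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for host in hosts:
        ip = resolve(host, table)
        if ip is None:
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[str(net)].append(host)
    return dict(groups)


def shares_subnet_with(hosts: List[str], table: Dict[str, str],
                       observed_ip: str, prefix: int = 24) -> List[str]:
    """List entries in the same /prefix as an address seen on the wire."""
    net = ipaddress.ip_network(f"{observed_ip}/{prefix}", strict=False)
    return cluster_by_subnet(hosts, table, prefix).get(str(net), [])


if __name__ == "__main__":
    hosts = parse_c2_list(C2_LIST_TXT)
    for net, members in sorted(cluster_by_subnet(hosts, RESOLVED).items(),
                               key=lambda kv: -len(kv[1])):
        print(f"{net}: {len(members)} entries -> {', '.join(members)}")
```

Feeding the real list and real DNS answers into `RESOLVED` turns the "same subnet" remark into a block-level indicator that can be fed to a firewall, which is more durable than a single dead domain such as 03u.ru.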
For a further overview, the screenshots below show that Anametphor.dll depends on kernelbase.dll.
From the behavioral analysis, we conclude that frega.exe attempts to communicate with different C&C servers via rundll32.exe, with the arguments passed through a cmd.exe process. In our case, cmd.exe was observed communicating with the 03u.ru server, which is similar to the other Russian C&C servers in the list. Because 03u.ru was not live at the time of analysis, frega.exe failed to proceed further.
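The cmd.exe to rundll32.exe to C&C chain described in the behavioral analysis, together with the Pretor export argument noted earlier, is a good hunting pattern. The script below is an added example, not code from the original analysis or from the malware: it walks a handful of Sysmon-style process-creation and network-connection events, parses the `<dll>,<export>` argument of every rundll32.exe command line, and flags a rundll32.exe instance when at least two independent signals line up (parent is cmd.exe, DLL loaded from outside the system directories, connection to a host on the downloaded C&C list). The events, paths and PIDs are constructed; only frega.exe, Anametphor.dll, the export name Pretor and the domain 03u.ru come from the analysis.

```python
"""Hunt for the cmd.exe -> rundll32.exe -> C&C chain described above over
constructed, Sysmon-style process and network events (not telemetry from the
real sample). Only 03u.ru, frega.exe, Anametphor.dll and the export name
Pretor come from the analysis; every path, PID and other name is a placeholder."""
import re
from typing import Dict, List, Optional, Set, Tuple

# (event_type, pid, ppid, image_path, detail)
# detail = command line for ProcessCreate, destination host for NetworkConnect
Event = Tuple[str, int, int, str, str]

SAMPLE_EVENTS: List[Event] = [
    ("ProcessCreate", 100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ("ProcessCreate", 2204, 100, r"C:\Users\victim\Downloads\frega.exe", "frega.exe"),
    ("ProcessCreate", 2310, 2204, r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c rundll32.exe C:\Users\victim\AppData\Local\Temp\Anametphor.dll,Pretor"),
    ("ProcessCreate", 2318, 2310, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Users\victim\AppData\Local\Temp\Anametphor.dll,Pretor"),
    ("NetworkConnect", 2318, 2310, r"C:\Windows\System32\rundll32.exe", "03u.ru"),
    # Benign control: an ordinary rundll32.exe use launched from explorer.exe
    ("ProcessCreate", 2400, 100, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL"),
]

# Hosts taken from the downloaded C&C list; only 03u.ru is named on the page.
KNOWN_C2: Set[str] = {"03u.ru"}

# rundll32 syntax is "<dll>,<export>": capture both halves, tolerating quotes.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[^\s,]+)', re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll, export) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll").strip(), m.group("export")


def dll_outside_system_dirs(dll: str) -> bool:
    """True when an explicit DLL path points outside System32/SysWOW64.
    A bare name such as shell32.dll is treated as benign here; that is a
    simplification, since the loader search order can also be abused."""
    d = dll.lower()
    if "\\" not in d:
        return False
    return not d.startswith(SYSTEM_DIRS)


def hunt(events: List[Event], c2: Set[str]) -> List[Dict]:
    """Flag rundll32.exe processes showing at least two of: parent is cmd.exe,
    DLL loaded from outside the system directories, connection to a known C&C."""
    image: Dict[int, str] = {}
    cmdline: Dict[int, str] = {}
    parent_pid: Dict[int, int] = {}
    net: Dict[int, List[str]] = {}
    for etype, pid, ppid, path, detail in events:
        if etype == "ProcessCreate":
            image[pid] = path.rsplit("\\", 1)[-1].lower()
            cmdline[pid] = detail
            parent_pid[pid] = ppid
        elif etype == "NetworkConnect":
            net.setdefault(pid, []).append(detail.lower())

    findings = []
    for pid, name in image.items():
        if name != "rundll32.exe":
            continue
        parsed = parse_rundll32(cmdline[pid])
        if parsed is None:
            continue
        dll, export = parsed
        parent = image.get(parent_pid[pid], "unknown")
        hits = [h for h in net.get(pid, []) if h in c2]
        reasons = []
        if parent == "cmd.exe":
            reasons.append("spawned by cmd.exe")
        if dll_outside_system_dirs(dll):
            reasons.append("DLL outside system directories")
        if hits:
            reasons.append("connected to known C&C host(s)")
        if len(reasons) >= 2:
            findings.append({"pid": pid, "parent": parent, "dll": dll,
                             "export": export, "c2": hits, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, KNOWN_C2):
        print(f"pid {f['pid']} ({f['parent']} -> rundll32 {f['dll']},{f['export']}): "
              + "; ".join(f["reasons"]))
```

Requiring two signals keeps the benign `shell32.dll,Control_RunDLL` launch out of the results; in a real deployment the export name (Pretor here) and DLL hash would be added as exact-match indicators alongside the behavioral rule.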
To remediate, the following points should be considered:
Beware of social engineering techniques employed by cyber criminals: learn to identify phishing emails, impersonated calls, and fraudulent businesses and domains, and learn how to respond to a suspected compromise.
The above analysis was performed in a controlled environment at Rewterz Threat Intelligence Labs. If you have any malware samples, binaries, etc. that need to be analyzed, contact us at email@example.com.