Steganography Technique used by New LokiBot Malware
By Chaitra V M
LokiBot is malware that steals information by gathering sensitive data and login credentials from the infected system. It spreads through either a malicious link or a malicious email.
An email was detected that carried a malicious LokiBot attachment. The attachment contained an Excel worksheet and a package labeled ‘package.json’. Opening the Excel worksheet executed the VBS macro code embedded in the sheet.
LokiBot is an information stealer, and this variant of LokiBot uses steganography to add a layer of obfuscation. It steals browser information from a range of products and checks for remote administration tools such as SSH, RDP, and VNC in order to find email credentials and transfer files.
LokiBot uses steganography with several unpacking stages to hide the encrypted binary behind an image until the main LokiBot code is decrypted in memory. This method not only helps the malware evade detection but also helps it gain persistence on the infected system. The encrypted binary requires multiple unpacking stages, which allows LokiBot to decrypt itself in the RAM of the infected system.
LokiBot initially installs itself as ‘%Temp%\[filename].exe’ together with an image file named ‘%temp%\[filename].jpg’. The image file contains data that the malware references in its unpacking routine. After installation, the malware creates a directory in ‘%appdatalocal%’ where it places the image file and the LokiBot binary. The malware then drops a Visual Basic Script (VBS) file that runs the LokiBot file. Next, it creates an autostart registry entry that points to the VBS file to maintain persistence on the compromised system. Finally, the main LokiBot code is loaded and executed.
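As an added defender-side illustration (not code from the original write-up), the following check parses a JPEG's segment structure and reports any bytes appended after the end-of-image marker, which is where a payload hidden "behind the image" would sit. The sample JPEG bytes are constructed, and the size and entropy thresholds are assumed heuristics rather than values from the report.

```python
import math

SOI, EOI, SOS_MARKER = b"\xff\xd8", b"\xff\xd9", 0xDA


def jpeg_trailing_data(data: bytes) -> bytes:
    """Walk the JPEG segment table to the scan, find EOI, return the bytes after it."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("malformed segment header at offset %d" % pos)
        if data[pos + 1] == SOS_MARKER:
            # Inside entropy-coded data every 0xFF is followed by 0x00 or an RSTn
            # marker, so the first FF D9 after SOS is the genuine end of image.
            eoi = data.find(EOI, pos + 2)
            if eoi == -1:
                raise ValueError("truncated JPEG: no EOI after SOS")
            return data[eoi + 2:]
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes itself
        pos += 2 + length
    raise ValueError("no SOS segment found")


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; encrypted or compressed payloads sit close to 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def assess_jpeg(data: bytes, min_bytes: int = 64, min_entropy: float = 7.0) -> dict:
    """Flag an image carrying a sizeable, high-entropy blob after EOI
    (thresholds are assumed heuristics, not values from the report)."""
    trailing = jpeg_trailing_data(data)
    ent = shannon_entropy(trailing)
    return {"trailing_bytes": len(trailing), "entropy": round(ent, 2),
            "suspicious": len(trailing) >= min_bytes and ent >= min_entropy}


# Constructed sample: minimal JPEG skeleton (SOI, APP0, SOS, scan data, EOI).
CLEAN_JPEG = (b"\xff\xd8"
              b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
              b"\x12\x34\x56\x78\xff\x00\x9a"  # FF 00 is a stuffed byte, not a marker
              b"\xff\xd9")
# Constructed carrier: the same image with 1 KiB of high-entropy bytes behind EOI.
STEGO_JPEG = CLEAN_JPEG + bytes(range(256)) * 4
```

Calling `assess_jpeg()` on image files found next to a dropped executable in %Temp% or the %appdatalocal% directory is one way to triage candidates for this unpacking chain; a real photograph normally has nothing after EOI.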
The reason this variant of LokiBot relies on steganography is that it adds a layer of obfuscation: the VBS file is used to execute the malware instead of the malware executing itself.
LokiBot thus uses steganography not only to evade detection but also to help the malware gain persistence on the infected system.