Loki has been active for a few years now, and was recently seen by Kaspersky in a new spam campaign targeting corporate mailboxes. We found this interesting since it illustrates that attackers are always interested in your personal data, and especially in your credentials and passwords.

Loki is still alive and kicking years after its initial outbreak, which teaches us that attackers still benefit from it, even though it is well known to the security community and is not an advanced or highly sophisticated threat per se. Loki-Bot is a password-stealing malware that has been seen in the wild very often lately. Loki is capable of stealing many different types of credentials. In addition, to complete the picture, Loki also implements a key-logger component that enhances its ability to steal passwords.

For the last two years hackers have been selling the malware, including the C&C (command and control), for a low price of around $70, which is considered cheap. Loki's version-1 source code was leaked around 2015, which made malware authors' lives very easy: they could simply change the source code to their liking and adapt it to the circumstances. We have seen multiple variants of the malware, including a total re-write of the source code to the. Most AVs (anti-virus software) identify the malware fairly well, so some authors just add a layer of packing and obfuscation to it. Doing that, they are able to bypass most AVs and make the malware analyst's job harder.

During our research, we stumbled upon the well-detailed investigation of Rob Pantazopoulos, who wrote a great paper on Loki. Our sample was quite different from the one he investigated; nevertheless, if you want to deepen your understanding, please take a look at.

In the first part of this article we'll focus on this sample: 41962130dd73c45846c40bb7ab5dadb44b674c9c8eb11e49dcb5a8cafaa37b15. There are several core mechanisms that are consistent among the multiple samples we have analyzed. As stated above, Loki steals and mines passwords; in order to do so, it needs to use several file manipulation APIs alongside registry manipulation ones. In addition, it compresses the gathered information later on, before sending it to the C&C server.