A Deep Dive into Lokibot Infection Chain

<!doctype html> <html lang="en"> <head> <title>A Deep Dive into Lokibot Infection Chain</title> <!-- Required meta tags --> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <!-- Bootstrap CSS --> <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/bootstrap.min.css?v=bd37905eab"> <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/navigation.css?v=bd37905eab"> <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/footer.css?v=bd37905eab"> <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/pagination.css?v=bd37905eab"> <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/banners.css?v=bd37905eab"> <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/style.css?v=bd37905eab"> <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/prism.css?v=bd37905eab"> <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/prism-vsc-dark-plus.css?v=bd37905eab"> <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/prism-talos.css?v=bd37905eab"> <link rel="stylesheet" href="https://blog.talosintelligence.com/assets/css/landing-page.css?v=bd37905eab"> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Roboto:ital,wght@0,100;0,300;0,400;0,500;1,100;1,300;1,400&display=swap" rel="stylesheet"> <link href="https://fonts.googleapis.com/css2?family=Fira+Mono:wght@400;500&family=Roboto:ital,wght@0,100;0,300;0,400;0,500;1,100;1,300;1,400&display=swap" rel="stylesheet"> <link href="https://cdn.jsdelivr.net/npm/ghost-theme-utils@latest/dist/css/style.min.css" rel="stylesheet"> <link rel="icon" href="https://blog.talosintelligence.com/content/images/size/w256h256/2022/07/talos_o_square.png" type="image/png"> <link 
rel="canonical" href="https://blog.talosintelligence.com/a-deep-dive-into-lokibot-infection-chain/"> <meta name="referrer" content="no-referrer-when-downgrade"> <meta property="og:site_name" content="Cisco Talos Blog"> <meta property="og:type" content="article"> <meta property="og:title" content="A Deep Dive into Lokibot Infection Chain"> <meta property="og:description" content="Lokibot is one of the most well-known information stealers on the malware landscape. In this post, we&#x27;ll provide a technical breakdown of one of the latest Lokibot campaigns. Talos also has a new script to unpack the dropper&#x27;s third stage. The actors behind Lokibot usually have the ability to steal"> <meta property="og:url" content="https://blog.talosintelligence.com/a-deep-dive-into-lokibot-infection-chain/"> <meta property="og:image" content="https://blog.talosintelligence.com/content/images/-UtUpKsCXAAs/X_XGdUOX_MI/AAAAAAAAB28/uCJ594MhrVgoaKED-o31JSCYxuidI01uACLcBGAsYHQ/w1200-h630-p-k-no-nu/image1.png"> <meta property="article:published_time" content="2021-01-06T14:00:00.000Z"> <meta property="article:modified_time" content="2023-10-31T17:08:34.000Z"> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:title" content="A Deep Dive into Lokibot Infection Chain"> <meta name="twitter:description" content="Lokibot is one of the most well-known information stealers on the malware landscape. In this post, we&#x27;ll provide a technical breakdown of one of the latest Lokibot campaigns. Talos also has a new script to unpack the dropper&#x27;s third stage. 
The actors behind Lokibot usually have the ability to steal"> <meta name="twitter:url" content="https://blog.talosintelligence.com/a-deep-dive-into-lokibot-infection-chain/"> <meta name="twitter:image" content="https://blog.talosintelligence.com/content/images/size/w1200/2023/10/threat-spotlight-1.jpg"> <meta name="twitter:label1" content="Written by"> <meta name="twitter:data1" content="Muhammad Irshad"> <meta name="twitter:site" content="@TalosSecurity"> <meta property="og:image:width" content="1001"> <meta property="og:image:height" content="501"> <script type="application/ld+json"> { "@context": "https://schema.org", "@type": "Article", "publisher": { "@type": "Organization", "name": "Cisco Talos Blog", "url": "https://blog.talosintelligence.com/", "logo": { "@type": "ImageObject", "url": "https://blog.talosintelligence.com/content/images/2022/11/TalosBrand_ukraine.svg" } }, "author": { "@type": "Person", "name": "Muhammad Irshad", "url": "https://blog.talosintelligence.com/author/muhammad/", "sameAs": [] }, "headline": "A Deep Dive into Lokibot Infection Chain", "url": "https://blog.talosintelligence.com/a-deep-dive-into-lokibot-infection-chain/", "datePublished": "2021-01-06T14:00:00.000Z", "dateModified": "2023-10-31T17:08:34.000Z", "image": { "@type": "ImageObject", "url": "https://blog.talosintelligence.com/content/images/size/w1200/2023/10/threat-spotlight-1.jpg", "width": 1200, "height": 600 }, "description": "\n\n\nLokibot is one of the most well-known information stealers on the malware landscape. In this post, we&#x27;ll provide a technical breakdown of one of the latest Lokibot campaigns. Talos also has a new script to unpack the dropper&#x27;s third stage. The actors behind Lokibot usually have the ability to steal multiple types of credentials and other sensitive information. 
This new\ncampaign utilizes a complex, multi-stage, multi-layered dropper to execute Lokibot on the victim machine.\n\nWhat&#x27;s new?\n\nThis ", "mainEntityOfPage": "https://blog.talosintelligence.com/a-deep-dive-into-lokibot-infection-chain/" } </script> <meta name="generator" content="Ghost 5.101"> <link rel="alternate" type="application/rss+xml" title="Cisco Talos Blog" href="https://blog.talosintelligence.com/rss/"> <script defer src="https://cdn.jsdelivr.net/ghost/sodo-search@~1.5/umd/sodo-search.min.js" data-key="4ffb0139d74ada998f4b141e4d" data-styles="https://cdn.jsdelivr.net/ghost/sodo-search@~1.5/umd/main.css" data-sodo-search="https://cisco-talos-blog.ghost.io/" data-locale="en" crossorigin="anonymous"></script> <link href="https://blog.talosintelligence.com/webmentions/receive/" rel="webmention"> <script defer src="/public/cards.min.js?v=bd37905eab"></script><style>:root {--ghost-accent-color: #006db6;}</style> <link rel="stylesheet" type="text/css" href="/public/cards.min.css?v=bd37905eab"> <style type='text/css'> img[src*="icon_check_white.svg"] { width: 20px; margin-left: 0px; margin-right: auto; } #ghost-portal-root { display: none; } </style> <!-- Google tag (gtag.js) --> <script async src="https://www.googletagmanager.com/gtag/js?id=G-F45RVJG3BK"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-F45RVJG3BK'); </script> </head> <body class="post-template"> <div id="mobile-page-header" class="desktop-hide"> <h1>Cisco Talos Blog</h1> </div> <nav id="nav"> <input id="nav-trigger" class="nav-trigger" type="checkbox"/> <label for="nav-trigger"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="22px" height="16px" viewBox="0 0 22 16"> <g id="menu-icon"> <path fill="#FFFFFF" d="M20.5,3h-19C0.672,3,0,2.329,0,1.5S0.672,0,1.5,0h19C21.328,0,22,0.671,22,1.5S21.328,3,20.5,3z"></path> <path fill="#FFFFFF" 
d="M20.5,9.5h-19C0.672,9.5,0,8.828,0,8c0-0.829,0.672-1.5,1.5-1.5h19C21.328,6.5,22,7.171,22,8 C22,8.828,21.328,9.5,20.5,9.5z"></path> <path fill="#FFFFFF" d="M20.5,16h-19C0.672,16,0,15.328,0,14.5S0.672,13,1.5,13h19c0.828,0,1.5,0.672,1.5,1.5S21.328,16,20.5,16z"></path> </g> </svg> </label> <div id="top-nav-bar"> </div> <div id="navigation"> <div class="navigation-logos-wrapper"> <div id="talos-logo-wrapper"> <a class="navbar-brand" href="https://talosintelligence.com"> </a> </div> </div> <div class="navigation-links-wrapper"> <ul class="main-nav-list"> <li class="nav-item"> <div class="primary-link-wrapper"> <a class="primary_nav_link" href="https://talosintelligence.com/reputation"> <div class="mobile-nav-icon"><!-- Generator: Adobe Illustrator 24.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) --><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Layer_1" x="0px" y="0px" viewBox="0 0 20 20" height="20px" width="20px" style="enable-background:new 0 0 20 20;" xml:space="preserve"> <style type="text/css"> .white{fill:#FFFFFF;} </style> <g> <path class="white" d="M19.5,9.5h-1.1c-0.3-4.2-3.6-7.6-7.8-7.8V0.5C10.5,0.2,10.3,0,10,0l0,0C9.7,0,9.5,0.2,9.5,0.5l0,0v1.1 C5.3,1.9,1.9,5.3,1.6,9.5H0.5C0.2,9.5,0,9.7,0,10s0.2,0.5,0.5,0.5l0,0h1.1c0.3,4.2,3.6,7.6,7.8,7.8v1.1c0,0.3,0.2,0.5,0.5,0.5l0,0 c0.3,0,0.5-0.2,0.5-0.5l0,0v-1.1c4.2-0.3,7.6-3.6,7.8-7.8h1.1c0.3,0,0.5-0.2,0.5-0.5C20,9.7,19.8,9.5,19.5,9.5 M16.6,10.5h0.7 c-0.3,3.6-3.2,6.5-6.8,6.8v-0.8c0-0.3-0.2-0.5-0.5-0.5l0,0c-0.3,0-0.5,0.2-0.5,0.5v0.8C5.8,17,3,14.2,2.7,10.5h0.8 C3.8,10.5,4,10.3,4,10S3.8,9.5,3.5,9.5l0,0H2.7C3,5.8,5.8,3,9.5,2.7v0.8C9.5,3.7,9.7,4,10,4l0,0c0.3,0,0.5-0.2,0.5-0.5V2.7 C14.2,3,17,5.8,17.3,9.5h-0.7c-0.3,0-0.5,0.2-0.5,0.5C16.1,10.3,16.3,10.5,16.6,10.5L16.6,10.5"></path> <circle class="white" cx="10" cy="10" r="3.2"></circle> </g> </svg> </div> <span class="top-nav-link-text"> Intelligence Center </span> </a> </div> <input class="sub-nav-trigger" 
id="intelligence-sub-trigger" type="checkbox"> <label class="sub-nav-trigger-label" for="intelligence-sub-trigger"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="48.167px" height="47.75px" viewBox="0 0 48.167 47.75"> <circle opacity="0.4" fill="none" stroke="#FFFFFF" stroke-miterlimit="10" cx="24.083" cy="23.875" r="22"></circle> <g> <circle fill="#FFFFFF" cx="24.083" cy="16.068" r="2.496"></circle> <circle fill="#FFFFFF" cx="24.083" cy="23.875" r="2.496"></circle> <circle fill="#FFFFFF" cx="24.083" cy="31.682" r="2.496"></circle> </g> </svg> </label> <ul class="sub-nav sub-nav-single-list"> <li class="desktop-hide"> <a class="mobile_nav_link" href="https://talosintelligence.com/reputation"><h1>Intelligence Center</h1> </a></li> <li class="desktop-hide"> <label class="subnav-back-button" for="intelligence-sub-trigger">BACK</label> </li> <li><a class="secondary_nav_link" href="https://talosintelligence.com/reputation_center">Intelligence Search</a></li> <li><a class="secondary_nav_link" href="https://talosintelligence.com/reputation_center/email_rep">Email &amp; Spam Trends</a></li> </ul> <div class="desktop-hide subnav-overlay"><!-- Generator: Adobe Illustrator 24.2.1, SVG Export Plug-In . 
SVG Version: 6.00 Build 0) --><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Layer_1" x="0px" y="0px" viewBox="0 0 20 20" height="20px" width="20px" style="enable-background:new 0 0 20 20;" xml:space="preserve"> <style type="text/css"> .white{fill:#FFFFFF;} </style> <g> <path class="white" d="M19.5,9.5h-1.1c-0.3-4.2-3.6-7.6-7.8-7.8V0.5C10.5,0.2,10.3,0,10,0l0,0C9.7,0,9.5,0.2,9.5,0.5l0,0v1.1 C5.3,1.9,1.9,5.3,1.6,9.5H0.5C0.2,9.5,0,9.7,0,10s0.2,0.5,0.5,0.5l0,0h1.1c0.3,4.2,3.6,7.6,7.8,7.8v1.1c0,0.3,0.2,0.5,0.5,0.5l0,0 c0.3,0,0.5-0.2,0.5-0.5l0,0v-1.1c4.2-0.3,7.6-3.6,7.8-7.8h1.1c0.3,0,0.5-0.2,0.5-0.5C20,9.7,19.8,9.5,19.5,9.5 M16.6,10.5h0.7 c-0.3,3.6-3.2,6.5-6.8,6.8v-0.8c0-0.3-0.2-0.5-0.5-0.5l0,0c-0.3,0-0.5,0.2-0.5,0.5v0.8C5.8,17,3,14.2,2.7,10.5h0.8 C3.8,10.5,4,10.3,4,10S3.8,9.5,3.5,9.5l0,0H2.7C3,5.8,5.8,3,9.5,2.7v0.8C9.5,3.7,9.7,4,10,4l0,0c0.3,0,0.5-0.2,0.5-0.5V2.7 C14.2,3,17,5.8,17.3,9.5h-0.7c-0.3,0-0.5,0.2-0.5,0.5C16.1,10.3,16.3,10.5,16.6,10.5L16.6,10.5"></path> <circle class="white" cx="10" cy="10" r="3.2"></circle> </g> </svg> </div> </li> <li class="nav-item"> <div class="primary-link-wrapper"> <a class="primary_nav_link" href="https://talosintelligence.com/vulnerability_info"><div class="mobile-nav-icon"><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="26px" height="20px" viewBox="0 0 26 20"> <g id="vuln-icon" class="nav-icon"> <path fill="#FFFFFF" d="M24.256,18.49L13.872,0.503C13.692,0.192,13.36,0,13,0c-0.359,0-0.692,0.192-0.872,0.503L1.744,18.49 c-0.18,0.312-0.18,0.695,0,1.006C1.924,19.809,2.257,20,2.616,20h20.769c0.359,0,0.691-0.191,0.871-0.504 C24.436,19.186,24.436,18.803,24.256,18.49 M14.268,18.215h-2.533v-1.85h2.533V18.215z M14.268,15.441h-2.533L10.89,6.515h4.222 L14.268,15.441z"></path> </g> </svg> </div> <span class="top-nav-link-text"> Vulnerability Research </span> </a></div> <input class="sub-nav-trigger" id="vuln-sub-trigger" type="checkbox"> <label 
class="sub-nav-trigger-label" for="vuln-sub-trigger"> <div class="mobile-nav-icon"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="48.167px" height="47.75px" viewBox="0 0 48.167 47.75"> <circle opacity="0.4" fill="none" stroke="#FFFFFF" stroke-miterlimit="10" cx="24.083" cy="23.875" r="22"></circle> <g> <circle fill="#FFFFFF" cx="24.083" cy="16.068" r="2.496"></circle> <circle fill="#FFFFFF" cx="24.083" cy="23.875" r="2.496"></circle> <circle fill="#FFFFFF" cx="24.083" cy="31.682" r="2.496"></circle> </g> </svg> </div> </label> <ul class="sub-nav sub-nav-single-list"> <li class="desktop-hide"> <a href="https://talosintelligence.com/vulnerability_info"><h1>Vulnerability Information</h1> </a></li> <li class="desktop-hide"> <label class="subnav-back-button" for="vuln-sub-trigger">BACK</label> </li> <li><a class="vulnerabilty-info-nav-link" href="https://talosintelligence.com/vulnerability_reports">Vulnerability Reports</a></li> <li><a class="vulnerabilty-info-nav-link" href="https://talosintelligence.com/ms_advisories">Microsoft Advisories</a></li> </ul> <div class="desktop-hide subnav-overlay"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="26px" height="20px" viewBox="0 0 26 20"> <g id="vuln-icon" class="nav-icon"> <path fill="#FFFFFF" d="M24.256,18.49L13.872,0.503C13.692,0.192,13.36,0,13,0c-0.359,0-0.692,0.192-0.872,0.503L1.744,18.49 c-0.18,0.312-0.18,0.695,0,1.006C1.924,19.809,2.257,20,2.616,20h20.769c0.359,0,0.691-0.191,0.871-0.504 C24.436,19.186,24.436,18.803,24.256,18.49 M14.268,18.215h-2.533v-1.85h2.533V18.215z M14.268,15.441h-2.533L10.89,6.515h4.222 L14.268,15.441z"></path> </g> </svg> </div> </li> <li class="nav-item"> <a class="primary_nav_link" href="https://talosintelligence.com/incident_response"> <div class="mobile-nav-icon"> <svg xmlns="http://www.w3.org/2000/svg" width="111.588" height="148.311" viewBox="0 0 111.588 148.311"> <path 
d="M1.181,128.446v15.7a4.167,4.167,0,0,0,4.167,4.167h100.9a4.167,4.167,0,0,0,4.167-4.167v-15.7a4.167,4.167,0,0,0-4.167-4.167H5.348a4.167,4.167,0,0,0-4.167,4.166M55.8,63.109a3.277,3.277,0,1,1,0,6.553c-10.344,0-20.755,8.578-20.755,18.57a3.277,3.277,0,1,1-6.554,0C28.489,73.947,41.93,63.109,55.8,63.109Zm0-12.016c-21.787,0-39.325,17.81-39.325,39.937v26.7H95.122V91.03c0-22.128-17.537-39.937-39.324-39.937m52.365-38.3a3.291,3.291,0,0,0-2.254,1.024L88.432,31.294a3.283,3.283,0,0,0,4.642,4.644l17.478-17.479a3.278,3.278,0,0,0-2.389-5.666m-105.138,0a3.276,3.276,0,0,0-1.98,5.666L18.522,35.938a3.283,3.283,0,0,0,4.643-4.644L5.687,13.817A3.255,3.255,0,0,0,3.025,12.793ZM55.389.026a3.276,3.276,0,0,0-2.867,3.345V19.642a3.277,3.277,0,1,0,6.554,0V3.371A3.283,3.283,0,0,0,55.389.026Z" fill="#fff"></path> </svg> </div> <span class="top-nav-link-text"> Incident Response </span> </a> </li> <li class="nav-item"> <a class="primary_nav_link" href="https://blog.talosintelligence.com"> <div class="mobile-nav-icon"> <!-- Generator: Adobe Illustrator 16.0.0, SVG Export Plug-In . 
SVG Version: 6.00 Build 0) --><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Layer_1" x="0px" y="0px" width="260px" height="296.5px" viewBox="0 0 260 296.5" enable-background="new 0 0 260 296.5" xml:space="preserve"> <path fill="#FFFFFF" d="M243.586,42.404h-14.448c-0.943-4.513-3.143-8.813-6.616-12.33L201.793,9.098 c-4.7-4.757-10.972-7.377-17.66-7.377c-6.578,0-12.777,2.547-17.457,7.173l-33.875,33.511H17.586c-6.6,0-12,5.399-12,12V226.28 c0,6.6,5.4,12,12,12H153.83l84.21,56.278l-27.448-56.278h32.994c6.6,0,12-5.4,12-12V54.404 C255.586,47.804,250.186,42.404,243.586,42.404z M214.662,48.045c-0.01,0.2-0.021,0.399-0.044,0.599 c-0.008,0.069-0.021,0.139-0.031,0.207c-0.046,0.345-0.113,0.688-0.196,1.026c-0.034,0.137-0.063,0.273-0.103,0.408 c-0.039,0.135-0.087,0.267-0.133,0.399c-0.051,0.151-0.102,0.302-0.16,0.45c-0.049,0.126-0.105,0.249-0.16,0.373 c-0.068,0.153-0.139,0.307-0.216,0.457c-0.059,0.116-0.12,0.23-0.184,0.345c-0.088,0.157-0.181,0.312-0.278,0.465 c-0.065,0.104-0.13,0.206-0.2,0.308c-0.115,0.168-0.239,0.33-0.366,0.492c-0.064,0.081-0.124,0.165-0.19,0.244 c-0.199,0.238-0.409,0.472-0.635,0.694L82.458,182.308l-47.932,12.871l13.427-47.74L177.223,19.561 c1.917-1.895,4.414-2.84,6.911-2.84c2.534,0,5.068,0.975,6.99,2.92l20.726,20.974c0.545,0.552,1.002,1.156,1.39,1.79 c0.574,0.938,0.975,1.951,1.206,2.993c0.004,0.021,0.01,0.04,0.014,0.06c0.049,0.226,0.086,0.453,0.119,0.682 c0.008,0.06,0.017,0.118,0.024,0.178c0.026,0.211,0.045,0.424,0.058,0.636c0.004,0.077,0.007,0.153,0.009,0.23 c0.007,0.203,0.011,0.407,0.005,0.61C214.673,47.877,214.666,47.961,214.662,48.045z"></path> </svg> </div> <span class="top-nav-link-text">Blog</span> </a> </li> <li class="nav-item"> <a class="primary_nav_link" href="https://support.talosintelligence.com"> <div class="mobile-nav-icon"> <svg xmlns="http://www.w3.org/2000/svg" width="26px" height="20px" viewBox="0 0 123.17 159.292"> <path 
d="M61.59,0,0,17.069v85.32c0,23.472,61.59,56.9,61.59,56.9s61.58-36.288,61.58-56.9V17.069Zm-.433,149.746C38.314,136.662,8.128,114.3,8.128,102.389V23.239l53.029-14.7Z" fill="#fff"></path> </svg> </div> <span class="top-nav-link-text">Support</span> </a> </li> </ul> <!-- <li class="nav-item desktop-hide">--> <!-- <button class="search-button" data-ghost-search><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path stroke-linecap="round" stroke-linejoin="round" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z"></path></svg> <span>Search Blog</span></button>--> <!-- </li>--> <ul class="secondary-nav-list"> <div class="more-desktop-link"> <div class="more-link-wrapper"> <span class="more-nav-link"> <div class="desktop-nav-icon more-menu-icon"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="22px" height="16px" viewBox="0 0 22 16"> <g id="menu-icon"> <path fill="#FFFFFF" d="M20.5,3h-19C0.672,3,0,2.329,0,1.5S0.672,0,1.5,0h19C21.328,0,22,0.671,22,1.5S21.328,3,20.5,3z"></path> <path fill="#FFFFFF" d="M20.5,9.5h-19C0.672,9.5,0,8.828,0,8c0-0.829,0.672-1.5,1.5-1.5h19C21.328,6.5,22,7.171,22,8 C22,8.828,21.328,9.5,20.5,9.5z"></path> <path fill="#FFFFFF" d="M20.5,16h-19C0.672,16,0,15.328,0,14.5S0.672,13,1.5,13h19c0.828,0,1.5,0.672,1.5,1.5S21.328,16,20.5,16z"></path> </g> </svg> </div> <span class="top-nav-link-text top-nav-more-text"> More </span> </span> </div> </div> <li class="nav-item more-text-link"> <div class="more-link-wrapper more-link-wrapper-mobile"> <span class="more-nav-link"> <div class="mobile-nav-icon"><!-- Generator: Adobe Illustrator 24.2.1, SVG Export Plug-In . 
SVG Version: 6.00 Build 0) --><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Layer_1" x="0px" y="0px" viewBox="0 0 20 20" style="enable-background:new 0 0 20 20;" width="25px" height="25px" xml:space="preserve"> <style type="text/css"> .white{fill:#FFFFFF;} </style> <path class="white" d="M19.4,17.1c0,0.1-0.1,0-0.2,0c0,0-1.3-0.9-2-1.4c-0.2-0.1-0.5-0.1-0.6,0.1c-0.3,0.3-0.6,0.8-0.9,1.3 c-0.1,0.2-0.1,0.5,0.1,0.6l2,1.5c0.1,0,0,0.1,0.1,0.2c0,0.1,0,0.1-0.1,0.2c-1.2,0.5-2.6,0.2-3.5-0.7c-0.8-0.9-1-2-0.7-3.1L4.5,6.5 c-1,0.3-2.3,0-3-0.9c-0.8-0.9-1.1-1.7-1-2.7c0-0.1,0-0.1,0.1-0.2c0.1,0,0.2,0.1,0.2,0.1l2,1.5C3,4.4,3.3,4.5,3.4,4.2 c0,0,0.5-0.8,0.9-1.3c0.1-0.2,0.1-0.5-0.1-0.6L2.3,0.9c-0.1,0,0-0.1-0.1-0.3c0-0.1,0-0.1,0.1-0.2C3.5-0.1,5,0.2,5.8,1.1 c0.8,0.9,1,2,0.7,3.1l9.1,9.3c1-0.3,2.3,0,3,0.9c0.7,0.7,0.9,1.5,0.9,2.5C19.5,16.9,19.5,17,19.4,17.1z"></path> </svg> </div> <span class="top-nav-link-text top-nav-more-text"> Security Resources </span> </span> </div> <input class="sub-nav-trigger" id="security-resources-sub-trigger" type="checkbox"> <label class="sub-nav-trigger-label" for="security-resources-sub-trigger"> <div class="mobile-nav-icon"><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="48.167px" height="47.75px" viewBox="0 0 48.167 47.75"> <circle opacity="0.4" fill="none" stroke="#FFFFFF" stroke-miterlimit="10" cx="24.083" cy="23.875" r="22"></circle> <g> <circle fill="#FFFFFF" cx="24.083" cy="16.068" r="2.496"></circle> <circle fill="#FFFFFF" cx="24.083" cy="23.875" r="2.496"></circle> <circle fill="#FFFFFF" cx="24.083" cy="31.682" r="2.496"></circle> </g> </svg> </div> </label> <div class="sub-nav sub-nav-multiple-list sub-nav-multiple-list-left"> <div class="sub-nav-multiple-wrapper"> <div class="sub-nav-list-top-of-mobile-wrapper"> <h1 class="sub-nav-list-header sub-nav-list-top-of-mobile">Security Resources</h1> <ul class="sub-nav-list"> <li class="desktop-hide"> <label 
class="subnav-back-button" for="security-resources-sub-trigger">BACK</label> </li> </ul> </div> <div class="sub-nav-list-item-wrapper"> <span class="sub-nav-desktop-header uppercase">Security Resources</span> <ul class="sub-nav-list"> <li> <a href="https://talosintelligence.com/software"><span>Open Source Security Tools</span> </a></li> <li> <a href="https://talosintelligence.com/categories"><span>Intelligence Categories Reference</span> </a></li> <li> <a href="https://talosintelligence.com/secure-endpoint-naming"><span>Secure Endpoint Naming Reference</span> </a></li> </ul> </div> </div> </div> <div class="desktop-hide subnav-overlay"><!-- Generator: Adobe Illustrator 24.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) --><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Layer_1" x="0px" y="0px" viewBox="0 0 20 20" style="enable-background:new 0 0 20 20;" width="25px" height="25px" xml:space="preserve"> <style type="text/css"> .white{fill:#FFFFFF;} </style> <path class="white" d="M19.4,17.1c0,0.1-0.1,0-0.2,0c0,0-1.3-0.9-2-1.4c-0.2-0.1-0.5-0.1-0.6,0.1c-0.3,0.3-0.6,0.8-0.9,1.3 c-0.1,0.2-0.1,0.5,0.1,0.6l2,1.5c0.1,0,0,0.1,0.1,0.2c0,0.1,0,0.1-0.1,0.2c-1.2,0.5-2.6,0.2-3.5-0.7c-0.8-0.9-1-2-0.7-3.1L4.5,6.5 c-1,0.3-2.3,0-3-0.9c-0.8-0.9-1.1-1.7-1-2.7c0-0.1,0-0.1,0.1-0.2c0.1,0,0.2,0.1,0.2,0.1l2,1.5C3,4.4,3.3,4.5,3.4,4.2 c0,0,0.5-0.8,0.9-1.3c0.1-0.2,0.1-0.5-0.1-0.6L2.3,0.9c-0.1,0,0-0.1-0.1-0.3c0-0.1,0-0.1,0.1-0.2C3.5-0.1,5,0.2,5.8,1.1 c0.8,0.9,1,2,0.7,3.1l9.1,9.3c1-0.3,2.3,0,3,0.9c0.7,0.7,0.9,1.5,0.9,2.5C19.5,16.9,19.5,17,19.4,17.1z"></path> </svg> </div> </li> <li class="nav-item"> <div class="more-link-wrapper more-link-wrapper-mobile"> <span class="more-nav-link"> <div class="mobile-nav-icon"><!-- Generator: Adobe Illustrator 24.2.1, SVG Export Plug-In . 
SVG Version: 6.00 Build 0) --><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Layer_1" x="0px" y="0px" viewBox="0 0 20 20" width="25px" height="25px" style="enable-background:new 0 0 20 20;" xml:space="preserve"> <style type="text/css"> .sticoncomment{fill-rule:evenodd;clip-rule:evenodd;fill:#FFFFFF;} </style> <path class="sticoncomment" d="M13.6,7.1H6.4c-0.3,0-0.6-0.3-0.6-0.6c0-0.3,0.3-0.6,0.6-0.6l7.2,0c0.3,0,0.6,0.3,0.6,0.6 C14.2,6.8,13.9,7.1,13.6,7.1L13.6,7.1z M13.6,9.4H6.4c-0.3,0-0.6-0.3-0.6-0.6s0.3-0.6,0.6-0.6l7.2,0c0.3,0,0.6,0.3,0.6,0.6 C14.2,9.2,13.9,9.4,13.6,9.4L13.6,9.4z M11.5,11.7H6.4c-0.3,0-0.6-0.3-0.6-0.6c0-0.3,0.3-0.6,0.6-0.6h5.1c0.3,0,0.6,0.3,0.6,0.6 C12.1,11.5,11.8,11.7,11.5,11.7z M15.8,3H4.2C3.5,3,3,3.5,3,4.2V17l2.8-2.3h10c0.6,0,1.2-0.5,1.2-1.2V4.2C17,3.5,16.5,3,15.8,3 L15.8,3z"></path> </svg> </div> <span class="top-nav-link-text top-nav-more-text"> Media </span> </span> </div> <input class="sub-nav-trigger" id="media-sub-trigger" type="checkbox"> <label class="sub-nav-trigger-label" for="media-sub-trigger"> <div class="mobile-nav-icon"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="48.167px" height="47.75px" viewBox="0 0 48.167 47.75"> <circle opacity="0.4" fill="none" stroke="#FFFFFF" stroke-miterlimit="10" cx="24.083" cy="23.875" r="22"></circle> <g> <circle fill="#FFFFFF" cx="24.083" cy="16.068" r="2.496"></circle> <circle fill="#FFFFFF" cx="24.083" cy="23.875" r="2.496"></circle> <circle fill="#FFFFFF" cx="24.083" cy="31.682" r="2.496"></circle> </g> </svg> </div> </label> <div class="sub-nav sub-nav-multiple-list sub-nav-multiple-list-middle"> <div class="sub-nav-multiple-wrapper"> <div class="sub-nav-list-top-of-mobile-wrapper"> <h1 class="sub-nav-list-header sub-nav-list-top-of-mobile">Media</h1> <ul class="sub-nav-list"> <li class="desktop-hide"> <label class="subnav-back-button" for="media-sub-trigger">BACK</label> </li> </ul> </div> <div 
class="sub-nav-list-item-wrapper"> <span class="sub-nav-desktop-header uppercase">Media</span> <ul class="sub-nav-list"> <li> <a href="https://blog.talosintelligence.com"><span>Talos Intelligence Blog</span> </a></li> <li> <a href="https://blog.talosintelligence.com/category/threat-source-newsletter/"><span>Threat Source Newsletter</span> </a></li> <li> <a href="https://talosintelligence.com/podcasts/shows/beers_with_talos"><span>Beers with Talos Podcast</span> </a></li> <li> <a href="https://talosintelligence.com/podcasts/shows/talos_takes"><span>Talos Takes Podcast</span> </a></li> <li> <a target="_blank" href="https://www.youtube.com/channel/UCPZ1DtzQkStYBSG3GTNoyfg/featured"><span>Talos Videos</span> </a></li> </ul> </div> </div> </div> <div class="desktop-hide subnav-overlay"><!-- Generator: Adobe Illustrator 24.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) --><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Layer_1" x="0px" y="0px" viewBox="0 0 20 20" width="25px" height="25px" style="enable-background:new 0 0 20 20;" xml:space="preserve"> <style type="text/css"> .sticoncomment{fill-rule:evenodd;clip-rule:evenodd;fill:#FFFFFF;} </style> <path class="sticoncomment" d="M13.6,7.1H6.4c-0.3,0-0.6-0.3-0.6-0.6c0-0.3,0.3-0.6,0.6-0.6l7.2,0c0.3,0,0.6,0.3,0.6,0.6 C14.2,6.8,13.9,7.1,13.6,7.1L13.6,7.1z M13.6,9.4H6.4c-0.3,0-0.6-0.3-0.6-0.6s0.3-0.6,0.6-0.6l7.2,0c0.3,0,0.6,0.3,0.6,0.6 C14.2,9.2,13.9,9.4,13.6,9.4L13.6,9.4z M11.5,11.7H6.4c-0.3,0-0.6-0.3-0.6-0.6c0-0.3,0.3-0.6,0.6-0.6h5.1c0.3,0,0.6,0.3,0.6,0.6 C12.1,11.5,11.8,11.7,11.5,11.7z M15.8,3H4.2C3.5,3,3,3.5,3,4.2V17l2.8-2.3h10c0.6,0,1.2-0.5,1.2-1.2V4.2C17,3.5,16.5,3,15.8,3 L15.8,3z"></path> </svg> </div> </li> <li class="nav-item"> <div class="more-link-wrapper more-link-wrapper-mobile"> <span class="more-nav-link"> <div class="mobile-nav-icon"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="25px" height="25px" 
viewBox="0 0 55 55"> <g> <g class="mobile-nav-home"> <path fill-rule="evenodd" clip-rule="evenodd" fill="#FFFFFF" d="M45.201,12.343c0.378,0.48,0.758,0.925,1.096,1.401 c2.975,4.207,4.543,8.876,4.494,14.044c-0.05,5.452-1.643,10.386-5.186,14.593c-3.484,4.133-7.929,6.73-13.182,7.895 c-6.313,1.398-12.216,0.275-17.695-3.131c-0.441-0.273-0.847-0.6-1.266-0.904c-0.11-0.078-0.208-0.174-0.337-0.287 c0.127-0.141,0.246-0.27,0.366-0.398c0.887-0.949,1.765-1.904,2.663-2.844c0.114-0.119,0.321-0.217,0.485-0.217 c3.658-0.006,7.318,0,10.975,0.008c3.458,0.006,6.913,0.02,10.369,0.02c0.957,0,1.871-0.193,2.62-0.844 c0.797-0.693,1.157-1.596,1.157-2.643c0.001-7.533,0.003-15.067-0.005-22.601c-0.002-0.309,0.088-0.524,0.3-0.743 C43.098,14.598,44.127,13.49,45.201,12.343"></path> <path fill-rule="evenodd" clip-rule="evenodd" fill="#FFFFFF" d="M41.402,8.822c-0.99,1.027-1.994,2.021-2.935,3.072 c-0.312,0.35-0.616,0.416-1.036,0.415c-6.98-0.009-13.957-0.007-20.938-0.007c-2.039,0-3.561,1.514-3.561,3.557 c0,6.504,0.002,13.008,0.006,19.512c0.002,0.973,0.011,1.943,0.004,2.914c0,0.133-0.04,0.301-0.127,0.393 c-1.069,1.162-2.15,2.314-3.229,3.469c-0.021,0.023-0.052,0.039-0.109,0.08c-0.159-0.188-0.323-0.369-0.471-0.562 c-2.535-3.348-4.119-7.102-4.605-11.268c-0.61-5.229,0.194-10.229,2.835-14.839c2.669-4.664,6.655-7.805,11.618-9.75 c3.205-1.257,6.533-1.852,9.977-1.621c4.478,0.298,8.553,1.754,12.227,4.325c0.101,0.072,0.197,0.151,0.291,0.229 C41.364,8.755,41.374,8.778,41.402,8.822"></path> <path fill-rule="evenodd" clip-rule="evenodd" fill="#FFFFFF" d="M39.799,12.47c0.873-0.911,1.749-1.829,2.676-2.797 c0.605,0.564,1.195,1.112,1.816,1.691c-0.941,0.985-1.817,1.903-2.703,2.83c-0.276-0.339-0.511-0.688-0.807-0.975 C40.492,12.941,40.145,12.728,39.799,12.47"></path> <path fill-rule="evenodd" clip-rule="evenodd" fill="#FFFFFF" d="M10.35,43.279c0.969-1.016,1.885-1.977,2.76-2.893 c0.213,0.369,0.376,0.762,0.639,1.072c0.265,0.312,0.627,0.539,0.98,0.832c-0.853,0.891-1.713,1.791-2.624,2.746 
C11.513,44.445,10.939,43.869,10.35,43.279"></path> </g> </g> </svg> </div> <span class="top-nav-link-text top-nav-more-text"> Company </span> </span> </div> <input class="sub-nav-trigger" id="company-sub-trigger" type="checkbox"> <label class="sub-nav-trigger-label" for="company-sub-trigger"> <div class="mobile-nav-icon"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="48.167px" height="47.75px" viewBox="0 0 48.167 47.75"> <circle opacity="0.4" fill="none" stroke="#FFFFFF" stroke-miterlimit="10" cx="24.083" cy="23.875" r="22"></circle> <g> <circle fill="#FFFFFF" cx="24.083" cy="16.068" r="2.496"></circle> <circle fill="#FFFFFF" cx="24.083" cy="23.875" r="2.496"></circle> <circle fill="#FFFFFF" cx="24.083" cy="31.682" r="2.496"></circle> </g> </svg> </div> </label> <div class="sub-nav sub-nav-multiple-list sub-nav-multiple-list-right"> <div class="sub-nav-multiple-wrapper"> <div class="sub-nav-list-top-of-mobile-wrapper"> <h1 class="sub-nav-list-header sub-nav-list-top-of-mobile">Company</h1> <ul class="sub-nav-list"> <li class="desktop-hide"> <label class="subnav-back-button" for="company-sub-trigger">BACK</label> </li> </ul> </div> <div class="sub-nav-list-item-wrapper"> <span class="sub-nav-desktop-header uppercase">Company</span> <ul class="sub-nav-list"> <li> <a href="https://talosintelligence.com/about"><span>About Talos</span> </a></li> <li> <a href="https://talosintelligence.com/careers"><span>Careers</span> </a></li> </ul> </div> </div> </div> <div class="desktop-hide subnav-overlay"><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="25px" height="25px" viewBox="0 0 55 55"> <g> <g class="mobile-nav-home"> <path fill-rule="evenodd" clip-rule="evenodd" fill="#FFFFFF" d="M45.201,12.343c0.378,0.48,0.758,0.925,1.096,1.401 c2.975,4.207,4.543,8.876,4.494,14.044c-0.05,5.452-1.643,10.386-5.186,14.593c-3.484,4.133-7.929,6.73-13.182,7.895 
c-6.313,1.398-12.216,0.275-17.695-3.131c-0.441-0.273-0.847-0.6-1.266-0.904c-0.11-0.078-0.208-0.174-0.337-0.287 c0.127-0.141,0.246-0.27,0.366-0.398c0.887-0.949,1.765-1.904,2.663-2.844c0.114-0.119,0.321-0.217,0.485-0.217 c3.658-0.006,7.318,0,10.975,0.008c3.458,0.006,6.913,0.02,10.369,0.02c0.957,0,1.871-0.193,2.62-0.844 c0.797-0.693,1.157-1.596,1.157-2.643c0.001-7.533,0.003-15.067-0.005-22.601c-0.002-0.309,0.088-0.524,0.3-0.743 C43.098,14.598,44.127,13.49,45.201,12.343"></path> <path fill-rule="evenodd" clip-rule="evenodd" fill="#FFFFFF" d="M41.402,8.822c-0.99,1.027-1.994,2.021-2.935,3.072 c-0.312,0.35-0.616,0.416-1.036,0.415c-6.98-0.009-13.957-0.007-20.938-0.007c-2.039,0-3.561,1.514-3.561,3.557 c0,6.504,0.002,13.008,0.006,19.512c0.002,0.973,0.011,1.943,0.004,2.914c0,0.133-0.04,0.301-0.127,0.393 c-1.069,1.162-2.15,2.314-3.229,3.469c-0.021,0.023-0.052,0.039-0.109,0.08c-0.159-0.188-0.323-0.369-0.471-0.562 c-2.535-3.348-4.119-7.102-4.605-11.268c-0.61-5.229,0.194-10.229,2.835-14.839c2.669-4.664,6.655-7.805,11.618-9.75 c3.205-1.257,6.533-1.852,9.977-1.621c4.478,0.298,8.553,1.754,12.227,4.325c0.101,0.072,0.197,0.151,0.291,0.229 C41.364,8.755,41.374,8.778,41.402,8.822"></path> <path fill-rule="evenodd" clip-rule="evenodd" fill="#FFFFFF" d="M39.799,12.47c0.873-0.911,1.749-1.829,2.676-2.797 c0.605,0.564,1.195,1.112,1.816,1.691c-0.941,0.985-1.817,1.903-2.703,2.83c-0.276-0.339-0.511-0.688-0.807-0.975 C40.492,12.941,40.145,12.728,39.799,12.47"></path> <path fill-rule="evenodd" clip-rule="evenodd" fill="#FFFFFF" d="M10.35,43.279c0.969-1.016,1.885-1.977,2.76-2.893 c0.213,0.369,0.376,0.762,0.639,1.072c0.265,0.312,0.627,0.539,0.98,0.832c-0.853,0.891-1.713,1.791-2.624,2.746 C11.513,44.445,10.939,43.869,10.35,43.279"></path> </g> </g> </svg> </div> </li> </ul> <div class="nav-search-wrapper"> <button class="search-button" data-ghost-search> <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path stroke-linecap="round" 
stroke-linejoin="round" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z"></path></svg> </button> </div> </div> </div> </nav> <main id="site-main"> <div class="container-fluid"> <div class="row main-content-row"> <div class="col"> <div class="post-full-content"> <article class="post blog-series-article"> <h1 class="text-center">A Deep Dive into Lokibot Infection Chain</h1> <div class="text-center m-1"> <div class="post-author"> <span>By </span> <a href="https://blog.talosintelligence.com/author/muhammad/">Muhammad Irshad</a>, <a href="https://blog.talosintelligence.com/author/holger-unterbrink/">Holger Unterbrink</a> </div> <br/> <time class="post-datetime" datetime="January 6, 2021 09:00"> Wednesday, January 6, 2021 09:00 </time> <div class="m-3"> </div> </div> <section class="post-content-wrapper mt-5"> <div class="post-content"> <!--kg-card-begin: html--> <ul><li>Lokibot is one of the <a target="_blank" href="https://blog.talosintelligence.com/current-events-lures">most well-known information stealers on the malware landscape</a>. In this post, we provide a technical breakdown of one of the latest Lokibot campaigns.</li><li>Talos also has a new script to unpack the dropper's third stage.</li><li>The actors behind Lokibot usually have the ability to steal multiple types of credentials and other sensitive information. This new campaign uses a complex, multi-stage, multi-layered dropper to execute Lokibot on the victim machine.</li></ul><h4>What's new? </h4> This sample uses the known technique of blurring images in documents to encourage users to enable macros. While quite simple, this is fairly common and effective against users. This write-up is intended as a deep dive for reverse engineers into the latest tricks Lokibot is using to infect user machines.<h4>How did it work? 
</h4><p> The attack starts with a malicious XLS attachment, sent in a phishing email, containing an obfuscated macro that downloads a heavily packed second-stage downloader. The second stage fetches the encrypted third stage, which carries Lokibot wrapped in three layers of encryption. After a privilege escalation, the third stage deploys Lokibot. The image below shows the infection chain.<br></p><p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-KLZmf9Jt5vc/X_WNfNLae5I/AAAAAAAABxk/kyOSJWewQBwyOIgdFu1LVMuRffDe5DlrACLcBGAsYHQ/s1999/image16.jpg"><img height="280" src="https://blog.talosintelligence.com/content/images/-KLZmf9Jt5vc/X_WNfNLae5I/AAAAAAAABxk/kyOSJWewQBwyOIgdFu1LVMuRffDe5DlrACLcBGAsYHQ/w640-h280/image16.jpg" width="640"></a></p><br><h4>So what? </h4><p> Defenders need to be constantly vigilant and monitor the behavior of systems within their network. This blog provides a detailed overview of how complex the Lokibot infection chain is and which tricks the adversaries use to bypass common security features and tools of modern operating systems.</p><h2>First-stage analysis</h2><p> When the user opens the phishing email, it presents a Spanish social engineering message ("Payment: Find scheduled payment dates attached"). The figure below shows a screenshot of one of the emails we looked at.<br></p><p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-evpb97E-0Ag/X_WNotZyc9I/AAAAAAAABxo/5GabIahVv34Biv751z28IvwKrDifvSxZwCLcBGAsYHQ/s1033/image13.png"><img height="318" src="https://blog.talosintelligence.com/content/images/-evpb97E-0Ag/X_WNotZyc9I/AAAAAAAABxo/5GabIahVv34Biv751z28IvwKrDifvSxZwCLcBGAsYHQ/w640-h318/image13.png" width="640"></a></p><p> The Excel sheet uses another common social engineering technique: it shows a blurred-out image of a table with the text "Changing the size of this document, please wait," in Spanish. 
If the victim clicks the "Enable Content" button, expecting it to make the image visible, a malicious macro is executed.<br></p><p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-lXQNvTdvc8o/X_WNxKyUQwI/AAAAAAAABxw/p2j-TXUYrGsPe1Yn3ICe2bNhcEIMZTVEACLcBGAsYHQ/s1999/image12.png"><img height="348" src="https://blog.talosintelligence.com/content/images/-lXQNvTdvc8o/X_WNxKyUQwI/AAAAAAAABxw/p2j-TXUYrGsPe1Yn3ICe2bNhcEIMZTVEACLcBGAsYHQ/w640-h348/image12.png" width="640"></a></p><p>The macro is obfuscated mainly through long hexadecimal variable names. The screenshot below shows a portion of the `Workbook_Open` function of this macro.<br></p><p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-bwj40LCWOuM/X_WN8pB09iI/AAAAAAAABx4/bjJc3pH0WA0CCzAQ3wXbPCS8U-9j2TMxACLcBGAsYHQ/s698/image20.png"><img height="362" src="https://blog.talosintelligence.com/content/images/-bwj40LCWOuM/X_WN8pB09iI/AAAAAAAABx4/bjJc3pH0WA0CCzAQ3wXbPCS8U-9j2TMxACLcBGAsYHQ/w640-h362/image20.png" width="640"></a><br></p><p>The deobfuscated macro is shown below.<br></p><p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-HtARqsrslXE/X_WOCgjaChI/AAAAAAAAByA/bF2QCVCMb0wHSNhHkNUwvlw4MWhDT78ewCLcBGAsYHQ/s985/image4.png"><img height="268" src="https://blog.talosintelligence.com/content/images/-HtARqsrslXE/X_WOCgjaChI/AAAAAAAAByA/bF2QCVCMb0wHSNhHkNUwvlw4MWhDT78ewCLcBGAsYHQ/w640-h268/image4.png" width="640"></a><br></p><p>It decrypts the second-stage URL from hardcoded bytes, downloads the second stage, saves it to the "Templates" folder, and executes it. 
The traffic generated by the macro is shown below.<br></p><p><a target="_blank" href="https://blog.talosintelligence.com/content/images/--70CaKOTDB0/X_WOMadU4-I/AAAAAAAAByI/fISwui0w0k4ejFf1JHzWebHPIwoUKCxHwCLcBGAsYHQ/s572/image26.png"><img height="330" src="https://blog.talosintelligence.com/content/images/--70CaKOTDB0/X_WOMadU4-I/AAAAAAAAByI/fISwui0w0k4ejFf1JHzWebHPIwoUKCxHwCLcBGAsYHQ/w640-h330/image26.png" width="640"></a></p><h2>Second-stage analysis</h2> The second-stage executable is packed with a Delphi-based packer. <br><h3>Packer analysis</h3><p> The packer contains a timer `xvv` under `Form_main`, whose handler unpacks the payload. The timer and its handler code are shown below.<br></p><p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-imNfc7-Ffjo/X_WOjlAEsMI/AAAAAAAAByU/qWrjmqYSjOo4VFxM5W0jAZKGi-XOmTMqACLcBGAsYHQ/s771/image23.png"><img height="300" src="https://blog.talosintelligence.com/content/images/-imNfc7-Ffjo/X_WOjlAEsMI/AAAAAAAAByU/qWrjmqYSjOo4VFxM5W0jAZKGi-XOmTMqACLcBGAsYHQ/w640-h300/image23.png" width="640"></a><br></p><p>The unpacking function performs the following steps:<br></p><ol><li>Loads the image resource named `T__6541957882` into memory.</li><li>Finds the anchor `WWEX` and copies the data that follows it into a new buffer.</li><li>Adds `0xEE` to each byte to decode the DLL.</li><li>Reflectively loads the decoded DLL into memory and executes it.</li></ol><p> The figure below shows the resource image that contains the encoded executable.<span><a target="_blank" href="https://blog.talosintelligence.com/content/images/-zudPRMPgGPQ/X_WOuykcYSI/AAAAAAAAByY/33tvde_EEfQbT2eHVLWys0FUeDJjVpwPgCLcBGAsYHQ/s733/image25.png"><img height="258" src="https://blog.talosintelligence.com/content/images/-zudPRMPgGPQ/X_WOuykcYSI/AAAAAAAAByY/33tvde_EEfQbT2eHVLWys0FUeDJjVpwPgCLcBGAsYHQ/w640-h258/image25.png" width="640"></a></span></p><br> The following image shows the location of the embedded executable after the anchor `WWEX`.<p><a 
target="_blank" href="https://blog.talosintelligence.com/content/images/-hdd3GJ5cbFA/X_WPEx-YFkI/AAAAAAAAByo/eL6CNV60bkcf_le1HSDl3zdZlsTt-QHIgCLcBGAsYHQ/s603/image34.png"><img height="234" src="https://blog.talosintelligence.com/content/images/-hdd3GJ5cbFA/X_WPEx-YFkI/AAAAAAAAByo/eL6CNV60bkcf_le1HSDl3zdZlsTt-QHIgCLcBGAsYHQ/w640-h234/image34.png" width="640"></a><br></p><p> The following screenshot shows the decoding code and the decoded DLL.<a target="_blank" href="https://blog.talosintelligence.com/content/images/-nbF5-WAjkmg/X_WPLaQd6_I/AAAAAAAAByw/3So3nyS3dg4Wm965XlolCxGypWivinBHACLcBGAsYHQ/s708/image27.png"><img height="538" src="https://blog.talosintelligence.com/content/images/-nbF5-WAjkmg/X_WPLaQd6_I/AAAAAAAAByw/3So3nyS3dg4Wm965XlolCxGypWivinBHACLcBGAsYHQ/w640-h538/image27.png" width="640"></a></p><h3>Unpacked DLL analysis</h3><p> The unpacked DLL is also written in Delphi. It fetches the third-stage payload from a hardcoded URL.<br> The DLL sets a timer, as shown below, which executes the downloader function periodically.<br></p><p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-OnhCgL9QRBE/X_WPaacSEwI/AAAAAAAABy8/WfVEO8q9a9g6Y_amlkwcLNLWgVVs4KPwQCLcBGAsYHQ/s420/image11.png"><img height="284" src="https://blog.talosintelligence.com/content/images/-OnhCgL9QRBE/X_WPaacSEwI/AAAAAAAABy8/WfVEO8q9a9g6Y_amlkwcLNLWgVVs4KPwQCLcBGAsYHQ/w640-h284/image11.png" width="640"></a></p><p> The `Download3rdStage` function first decodes the string `https://discord.com` and tries to connect to it. Then, it performs a time-based anti-debug check, as shown in the code below. 
If any of these checks fail, the DLL does not download the third stage.</p><p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-SqUvko9W6hA/X_WPtMaueMI/AAAAAAAABzM/xvMJPgpfVCcr9al-ZylgoHpJidSZTWwiQCLcBGAsYHQ/s322/image33.png"><img height="498" src="https://blog.talosintelligence.com/content/images/-SqUvko9W6hA/X_WPtMaueMI/AAAAAAAABzM/xvMJPgpfVCcr9al-ZylgoHpJidSZTWwiQCLcBGAsYHQ/w640-h498/image33.png" width="640"></a></p> <br> Once the checks have passed, the DLL decrypts the hardcoded third-stage URL, as shown in the code below, and sends the HTTP request.<p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-IVaeLC0elOk/X_WP1AKl-YI/AAAAAAAABzU/XFZD7r2pktsoHOFYu2HNcdmFgQ5DeAteQCLcBGAsYHQ/s907/image18.png"><img height="160" src="https://blog.talosintelligence.com/content/images/-IVaeLC0elOk/X_WP1AKl-YI/AAAAAAAABzU/XFZD7r2pktsoHOFYu2HNcdmFgQ5DeAteQCLcBGAsYHQ/w640-h160/image18.png" width="640"></a></p><p>In response to the request, the server sends a hex string of roughly 618KB, as shown below.</p><p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-JVR4PURkfvw/X_WP_AfqDFI/AAAAAAAABzc/qTI9uSa0BVcgCdRhTxAzsSxmlMkWmxnTQCLcBGAsYHQ/s667/image14.png"><img height="306" src="https://blog.talosintelligence.com/content/images/-JVR4PURkfvw/X_WP_AfqDFI/AAAAAAAABzc/qTI9uSa0BVcgCdRhTxAzsSxmlMkWmxnTQCLcBGAsYHQ/w640-h306/image14.png" width="640"></a></p><p> The DLL decodes the hex string using the following steps:<br></p><ol><li>Reverse the hex string.</li><li>Convert the hexadecimal digits to bytes (unhexlify).</li><li>XOR-decode the result with the hardcoded key "ZKkz8PH0".</li></ol><p> We have written a small <a target="_blank" href="https://gist.github.com/irshadqemu/68a4db9b3f8f4f205e17f6050ffbb652#file-unpack_3rdstage_lokibot-py">Python script</a> to decrypt the third stage. 
The same decryption method is also used to decrypt the hardcoded command and control (C2). The resulting file is also a DLL, which the second stage reflectively loads.<a target="_blank" href="https://blog.talosintelligence.com/content/images/-yGowvtZoMk0/X_WQKsASoAI/AAAAAAAABzk/ZMEwn9UJfas6yTUVvfNFXVrB6PHWtjVzACLcBGAsYHQ/s1750/image2.png"><img height="436" src="https://blog.talosintelligence.com/content/images/-yGowvtZoMk0/X_WQKsASoAI/AAAAAAAABzk/ZMEwn9UJfas6yTUVvfNFXVrB6PHWtjVzACLcBGAsYHQ/w640-h436/image2.png" width="640"></a></p><br><h2>Third-stage analysis</h2><div><p> The third stage is also written in Delphi. At the start, it loads a sizable binary resource named `DVCLAL` into memory. It then generates the key `7x21zoom8675309` from hardcoded bytes. The key is then used to decrypt the resource data with a custom encryption algorithm. The malware then recovers the configuration structure from the decrypted resource data. The structure fields are delimited by the string `*()%@5YT!@#G__T@#$%^&*()__#@$#57$#!@`.</p><p> The decryption algorithm is shown below.</p></div><p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-0tkm9L9nxnk/X_WQkXc6U_I/AAAAAAAABzw/_Aak8kIohKkIKiUaUAvMJCIKxdIMJpl_gCLcBGAsYHQ/s655/image10.png"><img height="532" src="https://blog.talosintelligence.com/content/images/-0tkm9L9nxnk/X_WQkXc6U_I/AAAAAAAABzw/_Aak8kIohKkIKiUaUAvMJCIKxdIMJpl_gCLcBGAsYHQ/w640-h532/image10.png" width="640"></a><br></p><p>The hex dump below shows a highlighted structure field between its delimiters.</p><p><span><a target="_blank" href="https://blog.talosintelligence.com/content/images/-ezM1PkQ6uCM/X_WQz2ipmkI/AAAAAAAAB0A/U7XzkJGa2kwzXGfjiUQw38Aj0zeOz9gegCLcBGAsYHQ/s730/image30.png"><img height="200" src="https://blog.talosintelligence.com/content/images/-ezM1PkQ6uCM/X_WQz2ipmkI/AAAAAAAAB0A/U7XzkJGa2kwzXGfjiUQw38Aj0zeOz9gegCLcBGAsYHQ/w640-h200/image30.png" width="640"></a></span></p> <br> The configuration structure layout is shown in the figure below. 
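Returning briefly to the second stage: the two decoding schemes described in the packer analysis (find the `WWEX` anchor, add `0xEE` to each following byte) and in the unpacked-DLL analysis (reverse the hex string, unhexlify, XOR with `ZKkz8PH0`) are simple enough to re-implement for offline triage of similar samples. The block below is an added example; it is neither the Talos gist linked above nor code from the malware. It assumes the XOR key is applied cyclically over the data and that the byte addition wraps modulo 256 (neither detail is stated in the post), and every input it uses is constructed.

```python
"""
Added example, not the Talos gist and not the malware's own code: a
re-implementation of the two decoding schemes described in the
second-stage analysis, for triaging similar samples offline.

  unpack_packer_resource - the Delphi packer's scheme: find the "WWEX"
                           anchor in the image resource and add 0xEE to
                           every byte after it.
  decode_third_stage     - the unpacked DLL's scheme: reverse the hex
                           string returned by the server, unhexlify it,
                           XOR with the hardcoded key "ZKkz8PH0".

Assumptions not stated in the post: the XOR key is applied cyclically and
the byte addition wraps modulo 256. All inputs below are constructed.
"""
import binascii

PACKER_ANCHOR = b"WWEX"
PACKER_ADDEND = 0xEE
THIRD_STAGE_XOR_KEY = b"ZKkz8PH0"


def unpack_packer_resource(resource: bytes) -> bytes:
    """Recover the DLL stored after the WWEX anchor of the packer's resource."""
    idx = resource.find(PACKER_ANCHOR)
    if idx < 0:
        raise ValueError("WWEX anchor not found in resource")
    encoded = resource[idx + len(PACKER_ANCHOR):]
    # The packer stored each byte minus 0xEE; adding 0xEE (mod 256) undoes it.
    return bytes((b + PACKER_ADDEND) & 0xFF for b in encoded)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a cyclically repeated key (assumed key schedule)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_third_stage(hex_response: str, key: bytes = THIRD_STAGE_XOR_KEY) -> bytes:
    """Reverse the hex string, unhexlify it, then XOR with the key."""
    reversed_hex = hex_response.strip()[::-1]
    raw = binascii.unhexlify(reversed_hex)
    return xor_with_key(raw, key)


def encode_third_stage(payload: bytes, key: bytes = THIRD_STAGE_XOR_KEY) -> str:
    """Exact inverse of decode_third_stage; used only to build test fixtures."""
    return binascii.hexlify(xor_with_key(payload, key)).decode()[::-1]


def build_packer_fixture(payload: bytes) -> bytes:
    """Constructed resource: some image-like bytes, the anchor, the encoded payload."""
    encoded = bytes((b - PACKER_ADDEND) & 0xFF for b in payload)
    return b"\x89PNG-constructed-header" + PACKER_ANCHOR + encoded


def looks_like_pe(data: bytes) -> bool:
    """Cheap plausibility check on a decoded buffer: it should start with 'MZ'."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    import sys
    # Usage: python decode_stages.py HEX_RESPONSE_FILE OUTPUT_DLL
    with open(sys.argv[1]) as fh:
        dll = decode_third_stage(fh.read())
    print("decoded %d bytes, PE header present: %s" % (len(dll), looks_like_pe(dll)))
    with open(sys.argv[2], "wb") as out:
        out.write(dll)
```

The `looks_like_pe` check is the quick sanity test an analyst wants after either step: if the recovered buffer does not start with `MZ`, the key, the anchor or the assumed key schedule is wrong for that sample.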
<p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-zjr_QXlGatE/X_WQ9Is9Y5I/AAAAAAAAB0I/bo6bmIB7V_YcUJE8TZrNemGAqlWA4d_xwCLcBGAsYHQ/s1458/image31.jpg"><img height="374" src="https://blog.talosintelligence.com/content/images/-zjr_QXlGatE/X_WQ9Is9Y5I/AAAAAAAAB0I/bo6bmIB7V_YcUJE8TZrNemGAqlWA4d_xwCLcBGAsYHQ/w640-h374/image31.jpg" width="640"></a><br></p><div><h3>Injecting the malicious DLL into Notepad.exe</h3><p> Then, the malware checks whether `InjectDLLToNotepadFlag` is set and whether the file `reverse_str(FileName) + ".url"` (mheX.url) does not exist in `C:\Users\&lt;username&gt;\AppData\Local\`. If so, it injects the malicious DLL into Notepad.exe using the following steps:</p></div><ol><li>Launch Notepad.exe in the suspended state (dwCreationFlags = CREATE_SUSPENDED).</li><li>Get the imported DLL name from the malicious DLL's import table (the first one is "kernel32.dll") and write it to the suspended process.</li><li>Write the following 12-byte structure, containing the addresses of kernel32!LoadLibrary and kernel32!Sleep and the DLL string. <p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-E9kMDjRBy28/X_WRMdk6XYI/AAAAAAAAB0Q/TmpDK7EcLIQTS3xKhvt6vWtcn9qyYscsACLcBGAsYHQ/s387/image32.png"><img height="106" src="https://blog.talosintelligence.com/content/images/-E9kMDjRBy28/X_WRMdk6XYI/AAAAAAAAB0Q/TmpDK7EcLIQTS3xKhvt6vWtcn9qyYscsACLcBGAsYHQ/w640-h106/image32.png" width="640"></a></p><br></li><li>Write a 210-byte shellcode to Notepad.exe.<p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-78MFMIQUiEg/X_WRVLHFncI/AAAAAAAAB0Y/6VUrc6V0fBAg8o6YZIhIkG3IpFzYHlZcwCLcBGAsYHQ/s522/image5.png"><img height="212" src="https://blog.talosintelligence.com/content/images/-78MFMIQUiEg/X_WRVLHFncI/AAAAAAAAB0Y/6VUrc6V0fBAg8o6YZIhIkG3IpFzYHlZcwCLcBGAsYHQ/w640-h212/image5.png" width="640"></a></p><br></li><li>Execute this shellcode in Notepad.exe using `CreateRemoteThread`, passing the pointer to the 12-byte structure shown above. 
This shellcode loads the DLL ("kernel32.dll") and then enters an infinite sleep loop.</li><li>Write the DLL name string ("kernel32.dll") to Notepad.exe again.</li><li>Write a 20-byte structure to Notepad.exe containing pointers to important APIs and two strings: the imported DLL name and the imported API name.<p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-uR2hiPnKKS4/X_WReznxPzI/AAAAAAAAB0c/EOjbqo7giy49z6NNpIJcc93y0GaljKNcwCLcBGAsYHQ/s440/image17.png"><img height="152" src="https://blog.talosintelligence.com/content/images/-uR2hiPnKKS4/X_WReznxPzI/AAAAAAAAB0c/EOjbqo7giy49z6NNpIJcc93y0GaljKNcwCLcBGAsYHQ/w640-h152/image17.png" width="640"></a></p></li><li>Write 144 bytes of shellcode to Notepad.exe.<p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-Tm-rds4N2tI/X_WRsVzBHEI/AAAAAAAAB0k/JrVxHiItI84IArKYbNrmuQdkPZQ9pq-cwCLcBGAsYHQ/s526/image28.png"><img height="150" src="https://blog.talosintelligence.com/content/images/-Tm-rds4N2tI/X_WRsVzBHEI/AAAAAAAAB0k/JrVxHiItI84IArKYbNrmuQdkPZQ9pq-cwCLcBGAsYHQ/w640-h150/image28.png" width="640"></a></p><br></li><li>Execute this shellcode in Notepad.exe using `CreateRemoteThread`, passing the pointer to the 20-byte structure from step 7 as the parameter. 
This shellcode resolves the import pointed to by the last field of the structure from step 7 and then exits using `RtlExitUserThread`.</li><li>Repeat steps 2 to 9 for all of the imported DLLs and imported functions in the malicious DLL's import table.</li><li>Write the malicious DLL to Notepad.exe.</li><li>Write an eight-byte structure to Notepad.exe containing the malicious DLL's base address and entry point.<p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-r-9zXrQzUhI/X_WRzAjybxI/AAAAAAAAB0s/J2u1S3XV5IMhIPq8Zf4vMrvNjbT6JXv6wCLcBGAsYHQ/s277/image19.png"><img height="432" src="https://blog.talosintelligence.com/content/images/-r-9zXrQzUhI/X_WRzAjybxI/AAAAAAAAB0s/J2u1S3XV5IMhIPq8Zf4vMrvNjbT6JXv6wCLcBGAsYHQ/w640-h432/image19.png" width="640"></a></p></li><li>Write 122 bytes of shellcode to Notepad.exe.<p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-A5YCJUwyyIM/X_WR8VXds1I/AAAAAAAAB00/YxQp9HFBh28b7cQ-_yGS9HT2NpexviGYwCLcBGAsYHQ/s526/image8.png"><img height="132" src="https://blog.talosintelligence.com/content/images/-A5YCJUwyyIM/X_WR8VXds1I/AAAAAAAAB00/YxQp9HFBh28b7cQ-_yGS9HT2NpexviGYwCLcBGAsYHQ/w640-h132/image8.png" width="640"></a></p><br></li><li>Execute the shellcode in Notepad.exe using `CreateRemoteThread`, passing the pointer to the structure from step 12 as the parameter. The shellcode calls the entry point of the malicious DLL.<p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-gfF4Rv1JtLI/X_WSDOcWZdI/AAAAAAAAB08/d0ZpzJh0qI0EAUYSpodj1jyqE20K2LtAwCLcBGAsYHQ/s635/image3.png"><img height="62" src="https://blog.talosintelligence.com/content/images/-gfF4Rv1JtLI/X_WSDOcWZdI/AAAAAAAAB08/d0ZpzJh0qI0EAUYSpodj1jyqE20K2LtAwCLcBGAsYHQ/w640-h62/image3.png" width="640"></a></p><br> </li></ol><h4>Injected DLL analysis (UAC bypass using two techniques)</h4> <br> The injected DLL first checks whether `C:\Windows\Finex` exists. 
If not, it drops the following file at `C:\Users\Public\cde.bat`:<br> <p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-eoVv9VzN5V8/X_WSLSyAhBI/AAAAAAAAB1A/E1ZykEOsJGguXVsHaIIdIC50MEaHpM8GQCLcBGAsYHQ/s1750/image7.png"><img height="332" src="https://blog.talosintelligence.com/content/images/-eoVv9VzN5V8/X_WSLSyAhBI/AAAAAAAAB1A/E1ZykEOsJGguXVsHaIIdIC50MEaHpM8GQCLcBGAsYHQ/w640-h332/image7.png" width="640"></a></p><p> Then, it drops `C:\Users\Public\x.bat` with the following content.</p><p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-nmTPrQ_Et6w/X_WSS5XnAMI/AAAAAAAAB1M/LbKA8XzapE4rdRx5hg5bXI3tekELcZd-QCLcBGAsYHQ/s1750/image22.png"><img height="258" src="https://blog.talosintelligence.com/content/images/-nmTPrQ_Et6w/X_WSS5XnAMI/AAAAAAAAB1M/LbKA8XzapE4rdRx5hg5bXI3tekELcZd-QCLcBGAsYHQ/w640-h258/image22.png" width="640"></a></p><br> Then, it drops `C:\Users\Public\x.vbs`.<br> <p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-etv7g9kbVg4/X_WSuhRNCYI/AAAAAAAAB1Y/h2CkKgljJL08R_AEvL9QXqP_GsQjA9HOQCLcBGAsYHQ/s1174/image9.png"><img height="242" src="https://blog.talosintelligence.com/content/images/-etv7g9kbVg4/X_WSuhRNCYI/AAAAAAAAB1Y/h2CkKgljJL08R_AEvL9QXqP_GsQjA9HOQCLcBGAsYHQ/w640-h242/image9.png" width="640"></a></p><br> Then, it drops `C:\Users\Public\Natso.bat`.<br> <p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-eRXriUfjNgk/X_WS2u64gwI/AAAAAAAAB1c/6WLewFJu-cE9fkNReOffZawwVNMgxNfBQCLcBGAsYHQ/s1750/image24.png"><img height="318" src="https://blog.talosintelligence.com/content/images/-eRXriUfjNgk/X_WS2u64gwI/AAAAAAAAB1c/6WLewFJu-cE9fkNReOffZawwVNMgxNfBQCLcBGAsYHQ/w640-h318/image24.png" width="640"></a></p><br> Then, it executes `Natso.bat`, which is a "fileless" UAC bypass found by <a target="_blank" href="https://twitter.com/tiraniddo">James Forshaw</a>.<a target="_blank" 
href="https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"> More details here</a>.<p> If `C:\Windows\Finex` still doesn't exist (meaning the UAC bypass failed), it updates Natso.bat and executes it using the code shown below.<br> </p><p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-yAywEjLyFNA/X_WS-GvtxxI/AAAAAAAAB1g/Jh5cSxYRTbApTorzmQvKwCgreWmYKPiBwCLcBGAsYHQ/s1750/image29.png"><img height="376" src="https://blog.talosintelligence.com/content/images/-yAywEjLyFNA/X_WS-GvtxxI/AAAAAAAAB1g/Jh5cSxYRTbApTorzmQvKwCgreWmYKPiBwCLcBGAsYHQ/w640-h376/image29.png" width="640"></a></p><br> This is another UAC bypass technique, based on fodhelper.exe. <a target="_blank" href="https://gist.github.com/netbiosX/a114f8822eb20b115e33db55deee6692">More details here</a>. On our test machine, this second bypass was successful, and `C:\Windows\Finex` was created. After that, the DLL deletes the dropped file and exits.<h3>Decrypting and executing Lokibot</h3> <br> After attempting to bypass UAC, the third-stage DLL checks whether `AutoRunKeyFlag` is set. For this DLL, it is not set, so execution jumps to the code that decrypts the Lokibot executable using the decryption keys from the configuration structure. The first two layers are decrypted using `DecryptionKeyA` and `DecryptionKeyB`, after which all of the data is reversed. The final layer is then decrypted using the same method used to decrypt the resource data at the start of the third stage.<p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-E055snfPwGg/X_WTGolJjXI/AAAAAAAAB1o/oLHabhoL3RMo1gI0Y4tvuwot81pD0LeHQCLcBGAsYHQ/s726/image21.png"><img height="436" src="https://blog.talosintelligence.com/content/images/-E055snfPwGg/X_WTGolJjXI/AAAAAAAAB1o/oLHabhoL3RMo1gI0Y4tvuwot81pD0LeHQCLcBGAsYHQ/w640-h436/image21.png" width="640"></a></p>The DLL contains multiple ways to execute a PE file. 
The execution method is chosen based on the values of ExecutionFlag A, B and C. For the current configuration, their values lead to the following code, which decrypts the shellcode from the configuration using DecryptionKeyB and passes it three parameters: a pointer to the decrypted Lokibot .exe, a pointer to an array of strings, and a pointer to the current command line.<br> <p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-4imXkzV7mh8/X_WTPStRFEI/AAAAAAAAB1w/cRnib3Ip-Ks3_L3ex8ziv7HcgyHhdiydQCLcBGAsYHQ/s864/image15.png"><img height="640" src="https://blog.talosintelligence.com/content/images/-4imXkzV7mh8/X_WTPStRFEI/AAAAAAAAB1w/cRnib3Ip-Ks3_L3ex8ziv7HcgyHhdiydQCLcBGAsYHQ/w550-h640/image15.png" width="550"></a></p><br> The shellcode creates a suspended process using the third parameter as the command line and injects Lokibot into it using <a target="_blank" href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/analyzing-malware-hollow-processes/">process hollowing</a>.<h2>Conclusion</h2> <br>Threat actors are getting more sophisticated when it comes to hiding their final payload. This dropper uses three stages and three layers of encryption to hide its final payload. The dropper also injects code into a suspended process to bypass UAC and uses process hollowing to execute its final payload. Malware in general is getting more and more sophisticated: actors are constantly improving their social engineering techniques to trick users into opening malicious attachments and running malicious code, and the malware code and its infection techniques are improving constantly as well, as described in this blog. The adversaries combine clever techniques to make detection harder. More than ever, it is important to have a multi-layered security architecture in place to detect these kinds of attacks. 
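The staged injection into Notepad.exe and the batch/VBS files dropped under C:\Users\Public described above leave host telemetry that such a layered architecture can key on. The block below is an added example, not part of the Talos post and not Cisco product logic: three small rules run over constructed Sysmon-style records (event IDs 1, 8 and 11). The PIDs, the stage-2 file name, the benign events and the thresholds are assumptions made for the example.

```python
r"""
Added example, not part of the Talos post and not Cisco product logic:
three small rules over Sysmon-style process telemetry for the host
behaviours the dropper shows.

  remote_threads_into_notepad - one process creating several remote threads
                                in Notepad.exe (the staged injection issues
                                CreateRemoteThread once per resolved import
                                and once more for the DLL entry point)
  public_script_drops         - one process writing several .bat/.vbs files
                                under C:\Users\Public\ (cde.bat, x.bat,
                                x.vbs, Natso.bat)
  finex_marker                - creation of C:\Windows\Finex, the marker the
                                injected DLL uses to record a successful
                                elevation

Record shapes mirror Sysmon event IDs 1 (ProcessCreate), 8 (CreateRemoteThread)
and 11 (FileCreate); the records, PIDs and paths below are constructed, and
the thresholds are assumptions to tune per environment.
"""
from collections import defaultdict

REMOTE_THREAD_THRESHOLD = 3   # assumed: CreateRemoteThread calls into one notepad.exe
PUBLIC_DROP_THRESHOLD = 2     # assumed: script files one process writes to C:\Users\Public\
PUBLIC_DIR = "c:\\users\\public\\"
FINEX_MARKER = "c:\\windows\\finex"
SCRIPT_EXTS = (".bat", ".vbs")

STAGE2 = "C:\\Users\\victim\\Templates\\stage2.exe"   # constructed path, not the real file name
NOTEPAD = "C:\\Windows\\System32\\notepad.exe"


def _thread(src_pid, src_image, tgt_pid, tgt_image):
    """Sysmon ID 8 style record."""
    return {"event_id": 8, "source_pid": src_pid, "source_image": src_image,
            "target_pid": tgt_pid, "target_image": tgt_image}


def _file(pid, image, path):
    """Sysmon ID 11 style record."""
    return {"event_id": 11, "pid": pid, "image": image, "target_filename": path}


# Constructed Sysmon-style records, not captured telemetry.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 4120, "image": NOTEPAD, "parent_pid": 3988, "parent_image": STAGE2},
    # Four remote threads from the stage-2 host into the suspended Notepad.exe.
    _thread(3988, STAGE2, 4120, NOTEPAD),
    _thread(3988, STAGE2, 4120, NOTEPAD),
    _thread(3988, STAGE2, 4120, NOTEPAD),
    _thread(3988, STAGE2, 4120, NOTEPAD),
    # Benign: a single remote thread that does not target notepad.exe.
    _thread(812, "C:\\Windows\\System32\\csrss.exe", 2200, "C:\\Windows\\explorer.exe"),
    # The injected DLL, now running inside notepad.exe, drops its helper scripts.
    _file(4120, NOTEPAD, "C:\\Users\\Public\\cde.bat"),
    _file(4120, NOTEPAD, "C:\\Users\\Public\\x.bat"),
    _file(4120, NOTEPAD, "C:\\Users\\Public\\x.vbs"),
    _file(4120, NOTEPAD, "C:\\Users\\Public\\Natso.bat"),
    # Benign user activity.
    _file(2200, "C:\\Windows\\explorer.exe", "C:\\Users\\victim\\Documents\\notes.txt"),
    # Marker written once the elevated command runs.
    _file(5100, "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\Finex"),
]


def detect(events):
    """Evaluate the three rules over a list of events; return the alerts raised."""
    threads = defaultdict(int)   # (source_pid, source_image, target_pid) -> count
    drops = defaultdict(set)     # (pid, image) -> set of lower-cased paths
    alerts = []
    for ev in events:
        eid = ev["event_id"]
        if eid == 8 and ev["target_image"].lower().endswith("\\notepad.exe"):
            threads[(ev["source_pid"], ev["source_image"], ev["target_pid"])] += 1
        elif eid == 11:
            path = ev["target_filename"].lower()
            if path.startswith(PUBLIC_DIR) and path.endswith(SCRIPT_EXTS):
                drops[(ev["pid"], ev["image"])].add(path)
            if path == FINEX_MARKER:
                alerts.append({"rule": "finex_marker", "pid": ev["pid"],
                               "image": ev["image"], "detail": ev["target_filename"]})
    for (spid, simage, tpid), n in threads.items():
        if n >= REMOTE_THREAD_THRESHOLD:
            alerts.append({"rule": "remote_threads_into_notepad", "pid": spid, "image": simage,
                           "detail": "%d CreateRemoteThread calls into notepad.exe pid %d" % (n, tpid)})
    for (pid, image), paths in drops.items():
        if len(paths) >= PUBLIC_DROP_THRESHOLD:
            alerts.append({"rule": "public_script_drops", "pid": pid, "image": image,
                           "detail": ", ".join(sorted(paths))})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print("[%s] pid %d %s: %s" % (a["rule"], a["pid"], a["image"], a["detail"]))
```

Counting remote threads per (source, target) pair rather than alerting on the first one is what separates this injection pattern from the occasional legitimate CreateRemoteThread; the file rules are cheap corroboration that the same chain has reached its UAC-bypass stage.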
It isn't unlikely that the adversaries will manage to bypass one or the other security measures, but it is much harder for them to bypass all of them. These campaigns and the refinement of the TTPs being used will likely continue for the foreseeable future. <h2>Coverage</h2><p><a target="_blank" href="https://blog.talosintelligence.com/content/images/-NC3pjGMpVKU/X_Wg4mOF4nI/AAAAAAAAB2o/6M4VxWm1QMApa81rqzG8_eHB1THfyHBJQCLcBGAsYHQ/s1999/image6.jpg"><img height="320" src="https://blog.talosintelligence.com/content/images/-NC3pjGMpVKU/X_Wg4mOF4nI/AAAAAAAAB2o/6M4VxWm1QMApa81rqzG8_eHB1THfyHBJQCLcBGAsYHQ/s320/image6.jpg"></a></p><p>Ways our customers can detect and block this threat are listed below.<br></p><p> <br> <b>Advanced Malware Protection</b> (<a target="_blank" href="https://www.cisco.com/c/en/us/products/security/advanced-malware-protection">AMP</a>) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot showing how AMP can protect customers from this threat. 
Try AMP for free <a target="_blank" href="http://cisco.com/go/tryamp">here</a>.<br> <b>Cisco Cloud Web Security</b> (<a target="_blank" href="https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html">CWS</a>) or Web Security Appliance (<a target="_blank" href="https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html">WSA</a>) web scanning prevents access to malicious websites and detects malware used in these attacks.<br> Network Security appliances such as <b>Next-Generation Firewall</b> (<a target="_blank" href="https://www.cisco.com/c/en/us/products/security/firewalls/index.html">NGFW</a>), Next-Generation Intrusion Prevention System (<a target="_blank" href="https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html">NGIPS</a>), and <a target="_blank" href="https://meraki.cisco.com/products/appliances">Meraki MX</a> can detect malicious activity associated with this threat.<br></p> <br> <a target="_blank" href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html">Threat Grid</a> helps identify malicious binaries and build protection into all Cisco Security products.<p> <a target="_blank" href="https://umbrella.cisco.com/">Umbrella</a>, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.</p><p> Additional protections with context to your specific environment and threat data are available from the <a target="_blank" href="https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html">Firepower Management Center</a>.</p><p> Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a target="_blank" href="https://www.snort.org/products">Snort.org</a>. The following SIDs have been released to detect this threat: 56578 and 56577.</p><h2>IOC</h2><h4> 
<br>Hashes</h4><p> d5a68a111c359a22965206e7ac7d602d92789dd1aa3f0e0c8d89412fc84e24a5 (First stage XLS file)<br> 6b53ba14172f0094a00edfef96887aab01e8b1c49bdc6b1f34d7f2e32f88d172 (2nd stage packed downloader)<br> b36d914ae8e43c6001483dfc206b08dd1b0fbc5299082ea2fba154df35e7d649 (2nd stage unpacked DLL)<br> 93ec3c23149c3d5245adf5d8a38c85e32cda24e23f8c4df2e19e1423739908b7 (3rd Stage DLL)<br> 21e23350b05a4b84cdf5c93044d780558e6baf81b2148fdda4583930ab7cb836 (DLL used to bypass UAC)<br> c9038e31f798119d9e93e7eafbdd3e0f215e24ee2200fcd2a3ba460d549894ab ( Lokibot )</p><h4> URL</h4><p> hxxp://millsmiltinon[.]com/ojHYhkfkmofwendkfptktnbjgmfkgtdeitobregvdgetyhsk/Xehmigm.exe</p><h4> Domains</h4><p> millsmiltinon.com (Hosts 2nd and 3rd Stage)</p><h4> IP</h4> 104.223.143[.]132 (Lokibot C2)</article></body></html> <!--kg-card-end: html--> </div> </section> <div class="social-media-wrapper"> <h5>Share this post</h5> <ul class="social-media-share-list"> <li> <a class="share-facebook" title="Share this on Facebook" data-text="A Deep Dive into Lokibot Infection Chain" data-href="https://blog.talosintelligence.com/a-deep-dive-into-lokibot-infection-chain/" rel="nofollow" target="_blank" href="https://www.facebook.com/sharer.php?u=https://blog.talosintelligence.com/a-deep-dive-into-lokibot-infection-chain/"></a> </li> <li> <a class="share-x" title="Post This" data-text="A Deep Dive into Lokibot Infection Chain" data-href="https://blog.talosintelligence.com/a-deep-dive-into-lokibot-infection-chain/" rel="nofollow" target="_blank" href="https://x.com/share?url=https://blog.talosintelligence.com/a-deep-dive-into-lokibot-infection-chain/"></a> </li> <li> <a class="share-linkedin" title="Share this on LinkedIn" data-text="A Deep Dive into Lokibot Infection Chain" data-href="https://blog.talosintelligence.com/a-deep-dive-into-lokibot-infection-chain/" rel="nofollow" target="_blank" 
href="https://www.linkedin.com/sharing/share-offsite/?url=https://blog.talosintelligence.com/a-deep-dive-into-lokibot-infection-chain/"></a> </li> <li> <a class="share-reddit" title="Reddit This" data-text="A Deep Dive into Lokibot Infection Chain" data-href="https://blog.talosintelligence.com/a-deep-dive-into-lokibot-infection-chain/" rel="nofollow" target="_blank" href="https://www.reddit/submit?url=https://blog.talosintelligence.com/a-deep-dive-into-lokibot-infection-chain/"></a> </li> <li> <a class="share-email" title="Email This" href="mailto:?body=A Deep Dive into Lokibot Infection Chainhttps://blog.talosintelligence.com/a-deep-dive-into-lokibot-infection-chain/"></a> </li> </ul> </div></article> </div> </div> <div class="col-lg alt-layout-row-dk sidebar" id="side-bar"> </div> </div> </div> </main> <footer id="footer"> <div class="row footer_nav_wrapper"> <div class="col-xl-10 col-12"> <div class="multi-col-list-wrapper"> <ul class="footer-parent-list"> <li class="footer-links-group"> <ul> <li> <h6>Intelligence Center</h6> </li> <li><a href="https://talosintelligence.com/reputation_center">Intelligence Search</a></li> <li><a href="https://talosintelligence.com/reputation_center/email_rep">Email &amp; Spam Trends</a></li> </ul> </li> <li class="footer-links-group"> <ul> <li> <h6>Vulnerability Research</h6> </li> <li><a href="https://talosintelligence.com/vulnerability_info">Vulnerability Reports</a></li> <li><a href="https://talosintelligence.com/ms_advisories">Microsoft Advisories</a></li> </ul> </li> <li class="footer-links-group"> <ul> <li> <h6>Incident Response</h6> </li> <li> <a href="https://talosintelligence.com/incident_response">Talos IR Capabilities</a></li> <li> <a href="https://talosintelligence.com/incident_response">Emergency Support</a> </li> </ul> </li> <li class="footer-links-group"> <ul> <li> <h6>Security Resources</h6> </li> <li><a href="https://talosintelligence.com/software">Open Source Security Tools</a></li> <li><a 
href="https://talosintelligence.com/categories">Intelligence Categories Reference</a></li> <li><a href="https://talosintelligence.com/secure-endpoint-naming">Secure Endpoint Naming Reference</a></li> </ul> </li> <li class="footer-links-group"> <ul> <li> <h6>Media</h6> </li> <li><a href="https://blog.talosintelligence.com">Talos Intelligence Blog</a></li> <li><a href="https://blog.talosintelligence.com/category/threat-source-newsletter/">Threat Source Newsletter</a></li> <li><a href="https://talosintelligence.com/podcasts/shows/beers_with_talos">Beers with Talos Podcast</a></li> <li><a href="https://talosintelligence.com/podcasts/shows/talos_takes">Talos Takes Podcast</a></li> <li><a target="_blank" href="https://www.youtube.com/channel/UCPZ1DtzQkStYBSG3GTNoyfg/featured">Talos Videos</a></li> </ul> </li> <li class="footer-links-group"> <ul> <li> <h6>Support</h6> </li> <li><a href="https://support.talosintelligence.com">Support Documentation</a></li> </ul> </li> <li class="footer-links-group"> <ul> <li> <h6>Company</h6> </li> <li><a href="https://talosintelligence.com/about">About Talos</a></li> <li><a href="https://talosintelligence.com/careers">Careers</a></li> <li><a target="_blank" href="https://www.cisco.com/c/en/us/products/security/product-listing.html">Cisco Security</a></li> </ul> </li> </ul> </div> </div> <div class="col-xl-2 col-12 connect_social"> <div class="connect-footer-section-wrapper"> <h6>Follow us</h6> <ul> <li> <a target="_blank" href="https://x.com/talossecurity"><div class="footer-media-icon" id="footer-media-icon-x"></div> </a></li> <li> <a target="_blank" href="https://www.youtube.com/channel/UCPZ1DtzQkStYBSG3GTNoyfg/featured"><div class="footer-media-icon" id="footer-media-icon-youtube"></div> </a></li> <li> <a target="_blank" href="https://www.linkedin.com/company/cisco-talos-intelligence-group/"><div class="footer-media-icon" id="footer-media-icon-linkedin"></div> </a></li> </ul> </div> </div> </div> <div class="row"> <div class="col-12 
footer_corporate"> <a target="_blank" href="http://tools.cisco.com/security/center/home.x"><img alt="Cisco" src="../assets/images/logo_cisco_white.svg"> </a><p class="copyright"> © 2024 Cisco Systems, Inc. and/or its affiliates. All rights reserved. View our <a target="_blank" class="underline" href="http://www.cisco.com/web/siteassets/legal/privacy_full.html">Privacy Policy.</a> </p> </div> </div> </footer> <!-- jQuery first, then Popper.js, then Bootstrap JS --> <script src="https://blog.talosintelligence.com/assets/js/jquery-3.6.0.min.js?v=bd37905eab"></script> <script src="https://blog.talosintelligence.com/assets/js/popper.min.js?v=bd37905eab"></script> <script src="https://blog.talosintelligence.com/assets/js/bootstrap.bundle.min.js?v=bd37905eab"></script> <script src="https://blog.talosintelligence.com/assets/js/date.js?v=bd37905eab"></script> <script src="https://blog.talosintelligence.com/assets/js/prism.js?v=bd37905eab"></script> <script src="https://cdn.jsdelivr.net/npm/ghost-theme-utils@latest/dist/js/ghost-theme-utils.min.js" async defer></script> </body> </html>
