Introduction
Lokibot, also referred to as Loki-bot or Loki PWS, is a stealer malware first observed by threat researchers in 2022[1]. This malware is deployed to collect data from web browsers, email clients, FTP servers and crypto wallets, which is then sent back to its C2 server. Lokibot communicates with its C2 via direct web requests: the infected machine sends data to the C2 via HTTP POST requests.
The purpose of this article is to demonstrate how FortiEDR detects and prevents execution of this malware and its associated behavior to mitigate the associated risk. This article will also demonstrate what FortiEDR Threat Hunting telemetry is generated by execution of this malware if observed in a FortiEDR-protected environment, and how this telemetry can be leveraged using threat hunting queries to create targeted detections.
The analyzed file was delivered as an EXE file inside an ISO image, which was in turn placed in a ZIP file. The ZIP file was sent to the victim via a phishing email. The EXE dropped the final payload, which was the Lokibot stealer malware.
Figure 1. Lokibot malware attack diagram
Analysis
When the malware loader file is accessed using Windows File Explorer, FortiEDR detects the malware file as malicious under a “File Read Attempt” event. The rule triggered for this event is “Malicious File Detected” from the “Execution Prevention” security policy. This file is identified as malicious based on AV signatures from the FortiGuard AV engine, which is integrated with FortiEDR. Whilst FortiEDR does include this AV-style functionality, its built-in ML and sandbox analysis features allow it to detect suspicious executables even without an AV signature. The security event generated by detection of the malicious file can be observed in Figure 2 below.
Figure 2. Lokibot detected as malicious file by FortiEDR
The main malware process then spawns a second process from the same executable file. The first process extracts the 2nd and 3rd stage payloads and loads them into memory reflectively; the final payload is loaded into the second process via process injection. The first malware process moves the original malware EXE file to the path ‘C:\Users\IEUser\AppData\Roaming\EB460A\AE331C.exe’. We have observed across multiple detonations that the last folder name and the executable name are always random 6-character alphanumeric strings, which appear to be based on the value of the MachineGuid registry value under “SOFTWARE\\Microsoft\\Cryptography”. The filename itself seems to be derived from the computer's cryptographic MachineGuid. When the malware creates a copy of itself, the copy has the same name when executed again on the same endpoint. On a different endpoint it would have a different name, so the filename is not a reliable indicator across endpoints.
When executed on the same virtual machine, the file name is the same even if detonated again from a clean state of the virtual machine. This activity can be seen in FortiEDR threat hunting telemetry as shown in Figure 3 below.
Figure 3. Malware moves original file to AppData\Roaming and renames it.
When malware execution starts, it checks for the presence of a debugger using Debugger.IsAttached; if a debugger is found, it throws an exception. This can be observed in the decompiled .NET source code as seen in Figure 4 below.
Figure 4. Debug check function from Lokibot source code
The first malware process then extracts and performs in-memory execution of multiple DLL files. These DLL files are reflectively loaded without being written to disk. There were 3 such DLL files loaded by the malware when it was detonated; these DLLs are stage-wise loaders of the malware. The malware EXE first extracted hadval.dll and loaded it in memory; hadval.dll then extracted cruiser.dll, which was stored as a gzip archive. The code of cruiser.dll was extracted and unzipped in memory and then loaded in memory. cruiser.dll extracted one more file, farinell2.dll, which was also loaded in memory by the malware process.
| File Name | Hash (SHA1) | Stage |
| --- | --- | --- |
| hadval.dll | 608bea0ef153549552916b3089ac2b7334b07464 | Stage 1 Payload |
| cruiser.dll | 682325763a0ec77e0fd475ea3a4021b4651eceac | Stage 2 Payload |
| farinell2.dll | 91676423145f4ffaeb569bc531a97798e72fc1d9 | Stage 3 Payload |
Table 1. Files reflectively loaded into the main loader process.
The DLL files were found to be obfuscated with SmartAssembly. SmartAssembly is software provided by the company Redgate to protect .NET code[2]. This software claims to protect the source code of .NET applications through obfuscation and encryption.
FortiEDR detects this behavior as an “In Memory Execution” security event, triggered by the rules “Executable Format - Bad Executable File Format”, “Malicious File Detected” and “Unconfirmed Executable” from the “Exfiltration Prevention” policy. These events are generated for all three reflectively loaded DLLs. A screenshot of one of these security events is shown in Figure 5 below.
Figure 5. In-memory execution of the DLL hadval.dll
The third stage DLL executes the copy of the malware file and then injects code into this process. There are multiple functions in the code of the final payload to get credentials from multiple browsers and other software on the victim machine. The final payload also has code to access the Microsoft Credential Vault using the vaultcli.dll library. We can observe these functions in the combined Figure 6 below.
Figure 6. Combined screenshot of final payload code showing different functionalities
Following successful execution of these in-memory DLLs, the second malware process begins to communicate with its C2 server (which in our case was 64.227.48[.]212) via HTTP requests. The final payload had hardcoded strings which contained the complete URL for the C2 communication. This can be observed in Figure 7 below.
Figure 7. Lokibot C2 URL string found in the final payload of the malware.
The malware sends an HTTP POST request to the path ‘/?page_id=<4digits>’. The request contains multiple fields, including the binary ID (ckav[.]ru) which is used in Lokibot infections, the built-in Admin account, the domain hostname, and local admin. For further reference, the article[3] from researchers at Unit42 has an HTTP C2 communication section which describes the fields in the Lokibot C2 communication in detail. The HTTP communication request can be seen in Figure 8 below.
Figure 8. C2 communication of Lokibot via HTTP POST request
Some of the analyzed samples tried to communicate with a different C2 IP address (185.246.220[.]60) using the HTTP path ‘/project/five/fre.php’. When we searched FortiGuard CTS for this IP address, we found it was tagged as a Lokibot C2. FortiGuard CTS also has a telemetry investigation tool that shows traffic activity monitored for a specific IP address. As highlighted by the red box in the figure below, increased traffic to this IP address is observed after 2 April 2023. This can be seen in the Traffic Source Report in Figure 9 below.
Figure 9. Lokibot C2 Traffic source report from FortiGuard CTS
When we checked the C2 IP address (64.227.48[.]212) in the FortiGuard Central Threat System (CTS), we found this IP address was tagged as a known Lokibot C2. This can be seen in Figure 10 below.
Figure 10. C2 URL information from FortiGuard CTS
Conclusion
As highlighted in this article, FortiEDR effectively detects and mitigates the risk of Lokibot execution and its subsequent behavior. These protections also apply to the malicious DLL files loaded by Lokibot during its execution. In the analysis outlined in this article, FortiEDR was configured in ‘Log Only’ mode to demonstrate detection capabilities against all stages of Lokibot execution. Some threat hunting queries are included below to allow organizations to put additional detections in place for behaviors associated with Lokibot execution and to assist with triaging potential intrusions.
Proactive defenses, like a modern-day EDR solution such as FortiEDR, are the best defense against adaptive malware threats like Lokibot, as they employ behavioral detections rather than solely the signature-based detections of pure AV solutions.
Threat Hunting
The following threat hunting query will return “Library Loaded” events whose file type is .NET DLL and whose file name matches those used by the Lokibot malware. The DLL file name values may need to be adjusted to detect future campaigns.
Type: ("Library Loaded") AND Target.Executable.File.Path: ("hadval.dll" OR "cruiser.dll" OR "farinell2.dll") AND Target.Executable.File.Type: (".NET DLL")
The following threat hunting query will return “Process Creation” events with the product name and product version used by the Lokibot malware. The product name was found to be unique, with no legitimate software found using it. The ProductName and ProductVersion may need to be adjusted to detect future campaigns.
Type: ("Process Creation") AND Source.Process.ProductName: ("Defune LS" OR "Kolko Cores") AND Source.Process.ProductVersion: ("1.0.0.0")
The following threat hunting query will return the C2 communication initiated by Lokibot with its current campaign C2 IP addresses. For future campaign detection, the C2 IP address values may need to be changed.
Type: ("Socket Connect") AND RemoteIP: ("64.227.48.212" OR "171.22.30.147" OR "185.246.220.60") AND RemotePort: ("80")
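As an added example (not part of the original article and not FortiEDR's own tooling), the Python below implements the logic of the three queries above as filters over FortiEDR-style event records, so the same indicator sets can be run offline against an exported telemetry file. The field names are taken from the queries; the sample events and the negative cases among them are constructed for this example.

```python
import ntpath

# Constructed sample FortiEDR-style telemetry records (made up for this example);
# field names follow the three hunting queries in the article.
SAMPLE_EVENTS = [
    {"Type": "Library Loaded", "Target.Executable.File.Type": ".NET DLL",
     "Target.Executable.File.Path": r"C:\Users\IEUser\AppData\Roaming\EB460A\hadval.dll"},
    {"Type": "Library Loaded", "Target.Executable.File.Type": "DLL",
     "Target.Executable.File.Path": r"C:\Windows\System32\kernel32.dll"},
    {"Type": "Process Creation", "Source.Process.ProductName": "Defune LS",
     "Source.Process.ProductVersion": "1.0.0.0"},
    {"Type": "Process Creation", "Source.Process.ProductName": "Defune LS",
     "Source.Process.ProductVersion": "2.1.0.0"},  # version mismatch: must not match
    {"Type": "Socket Connect", "RemoteIP": "64.227.48.212", "RemotePort": "80"},
    {"Type": "Socket Connect", "RemoteIP": "64.227.48.212", "RemotePort": "443"},
    {"Type": "Socket Connect", "RemoteIP": "8.8.8.8", "RemotePort": "80"},
]

# Indicator sets taken from the queries above; update them for future campaigns.
LOKIBOT_DLL_NAMES = {"hadval.dll", "cruiser.dll", "farinell2.dll"}
LOKIBOT_PRODUCT_NAMES = {"Defune LS", "Kolko Cores"}
LOKIBOT_PRODUCT_VERSIONS = {"1.0.0.0"}
LOKIBOT_C2_IPS = {"64.227.48.212", "171.22.30.147", "185.246.220.60"}
LOKIBOT_C2_PORTS = {"80"}

def hunt_lokibot_dll_loads(events):
    """Library Loaded events for a .NET DLL whose file name is a Lokibot stage DLL."""
    return [e for e in events if e.get("Type") == "Library Loaded"
            and e.get("Target.Executable.File.Type") == ".NET DLL"
            and ntpath.basename(e.get("Target.Executable.File.Path", "")).lower()
            in LOKIBOT_DLL_NAMES]

def hunt_lokibot_process_metadata(events):
    """Process Creation events carrying the loader's product name and version."""
    return [e for e in events if e.get("Type") == "Process Creation"
            and e.get("Source.Process.ProductName") in LOKIBOT_PRODUCT_NAMES
            and e.get("Source.Process.ProductVersion") in LOKIBOT_PRODUCT_VERSIONS]

def hunt_lokibot_c2_connections(events):
    """Socket Connect events to a known Lokibot C2 address on the HTTP port."""
    return [e for e in events if e.get("Type") == "Socket Connect"
            and e.get("RemoteIP") in LOKIBOT_C2_IPS
            and e.get("RemotePort") in LOKIBOT_C2_PORTS]

def run_lokibot_hunts(events):
    """Number of hits per hunt, for quick triage of a telemetry export."""
    return {"dll_loads": len(hunt_lokibot_dll_loads(events)),
            "process_metadata": len(hunt_lokibot_process_metadata(events)),
            "c2_connections": len(hunt_lokibot_c2_connections(events))}
```

Running `run_lokibot_hunts(SAMPLE_EVENTS)` yields one hit per hunt; the kernel32.dll load, the 2.1.0.0 build and the port-443 and 8.8.8.8 connections are filtered out, matching the query semantics.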
MITRE ATT&CK Mapping
TA0002 - Execution
| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1204.002 | User Execution: Malicious File | The malware file is sent through a phishing email as a ZIP archive containing an ISO file, which holds the final payload. |
TA0005 - Defense Evasion
| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1497 | Virtualization/Sandbox Evasion | The analyzed loader has multiple sleep calls, some of them longer than 3 minutes. This is normally done for sandbox evasion. |
| T1622 | Debugger Evasion | The malware executable checks whether a debugger is attached. |
| T1027.002 | Software Packing | The binary is obfuscated to hinder reverse engineering and debugging. |
| T1140 | Deobfuscate/Decode Files or Information | SmartAssembly is software used for the obfuscation of |
| T1620 | Reflective Code Loading | The main loader executable loads 3 stages of .NET DLLs reflectively into process memory. |
| T1070.004 | Indicator Removal: File Deletion | The malware deletes its original executable file after copying it to a different folder. |
TA0006 - Credential Access
| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | The final payload code has functions that access Mozilla Firefox login credentials. |
TA0007 - Discovery
| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1518.001 | Security Software Discovery | Checks whether the current process is being debugged. |
| T1082 | System Information Discovery | The final Lokibot payload retrieves the MachineGuid to derive the filename of the copy it creates, and sends the computer name and username to the C2. |
TA0009 - Collection
| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1005 | Data from Local System | 1) The final payload code has functions to steal FTP login credentials. |
TA0011 - Command and Control
| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1071 | Application Layer Protocol | The user agent “Mozilla/4.08 (Charon; Inferno)” is used by Lokibot for its C2 communication via HTTP POST requests; this user agent was also previously used by other malware such as the FareIt Trojan and PonyLoader. |
IOCs
| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
| --- | --- | --- | --- | --- | --- |
| Malicious Executable | b6914b8fa3d0b67eb6173123652b7f0682cd24fb | SHA1 Hash | Installation | Primary Payload of Lokibot | 2023-04-06 |
| Malicious DLL | 608bea0ef153549552916b3089ac2b7334b07464 | SHA1 Hash | Installation | Malicious DLL loaded in memory by the primary payload of Lokibot | 2023-04-11 |
| Malicious DLL | 682325763a0ec77e0fd475ea3a4021b4651eceac | SHA1 Hash | Installation | Malicious DLL loaded in memory by the primary payload of Lokibot | 2023-04-05 |
| Malicious DLL | 91676423145f4ffaeb569bc531a97798e72fc1d9 | SHA1 Hash | Installation | Malicious DLL loaded in memory by the primary payload of Lokibot | 2023-04-18 |
| C2 URL | http[:]//171.22.30[.]147/tony/five/fre.php | URL | C2 Communication | Lokibot sample tries to connect to this C2 URL | 2023-04-13 |
| C2 URL | http[:]//64.227.48[.]212/?page_id | URL | C2 Communication | Lokibot sample tries to connect to this C2 URL | 2023-04-05 |
| C2 URL | http[:]//185.246.220[.]60/?page_id | URL | C2 Communication | Lokibot sample tries to connect to this C2 URL | 2023-03-30 |
[1] https://unit42.paloaltonetworks.com/lokibot-spike-analysis/
[2] https://www.red-gate.com/products/dotnet-development/smartassembly/
[3] https://unit42.paloaltonetworks.com/lokibot-spike-analysis/