Lokibot
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Lokibot has utilized multiple techniques to bypass UAC.(Citation: Talos Lokibot Jan 2021)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Lokibot has used HTTP for C2 communications.(Citation: Infoblox Lokibot January 2019)(Citation: Talos Lokibot Jan 2021)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Lokibot has used PowerShell commands embedded inside batch scripts.(Citation: Talos Lokibot Jan 2021)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Lokibot has used
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Lokibot has used VBS scripts and XLS macros for execution.(Citation: Talos Lokibot Jan 2021)
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Lokibot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers.(Citation: Infoblox Lokibot January 2019)
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Lokibot has the ability to copy itself to a hidden file and directory.(Citation: Infoblox Lokibot January 2019)
Enterprise | T1070.004 | Indicator Removal: File Deletion | Lokibot will delete its dropped files after bypassing UAC.(Citation: Talos Lokibot Jan 2021)
Enterprise | T1056.001 | Input Capture: Keylogging | Lokibot has the ability to capture input on the compromised host via keylogging.(Citation: FSecure Lokibot November 2019)
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Lokibot has used several packing methods for obfuscation.(Citation: Infoblox Lokibot January 2019)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Lokibot is delivered via a malicious XLS attachment contained within a spearphishing email.(Citation: Talos Lokibot Jan 2021)
Enterprise | T1055.012 | Process Injection: Process Hollowing | Lokibot has used process hollowing to inject itself into a legitimate Windows process.(Citation: Infoblox Lokibot January 2019)(Citation: Talos Lokibot Jan 2021)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Lokibot embedded the commands
Enterprise | T1204.002 | User Execution: Malicious File | Lokibot has tricked recipients into enabling malicious macros by getting victims to click "enable content" in email attachments.(Citation: TrendMicro Msiexec Feb 2018)(Citation: Talos Lokibot Jan 2021)
Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Lokibot has performed a time-based anti-debug check before downloading its third stage.(Citation: Talos Lokibot Jan 2021)
Groups That Use This Software

ID | Name | References
---|---|---
G0083 | SilverTerrier | (Citation: Unit42 SilverTerrier 2018)
References
- Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
- Cheruku, H. (2020, April 15). LOKIBOT WITH AUTOIT OBFUSCATOR + FRENCHY SHELLCODE. Retrieved May 14, 2020.
- DHS/CISA. (2020, September 22). Alert (AA20-266A) LokiBot Malware. Retrieved September 15, 2021.
- Muhammad, I. and Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
- Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020.
- Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019.
- Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.