Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Lokibot
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Lokibot
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Lokibot

Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. Lokibot can also create a backdoor into infected systems to allow an attacker to install additional payloads.(Citation: Infoblox Lokibot January 2019)(Citation: Morphisec Lokibot April 2020)(Citation: CISA Lokibot September 2020)
ID: S0447
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 14 May 2020
Last Modified: 11 Oct 2021

Techniques Used
Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Lokibot has utilized multiple techniques to bypass UAC.(Citation: Talos Lokibot Jan 2021)
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Lokibot has used HTTP for C2 communications.(Citation: Infoblox Lokibot January 2019)(Citation: Talos Lokibot Jan 2021)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Lokibot has used PowerShell commands embedded inside batch scripts.(Citation: Talos Lokibot Jan 2021)

.003 Command and Scripting Interpreter: Windows Command Shell

Lokibot has used cmd /c commands embedded within batch scripts.(Citation: Talos Lokibot Jan 2021)

.005 Command and Scripting Interpreter: Visual Basic

Lokibot has used VBS scripts and XLS macros for execution.(Citation: Talos Lokibot Jan 2021)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Lokibot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers.(Citation: Infoblox Lokibot January 2019)
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Lokibot has the ability to copy itself to a hidden file and directory.(Citation: Infoblox Lokibot January 2019)
Enterprise T1070 .004 Indicator Removal: File Deletion

Lokibot will delete its dropped files after bypassing UAC.(Citation: Talos Lokibot Jan 2021)
Enterprise T1056 .001 Input Capture: Keylogging

Lokibot has the ability to capture input on the compromised host via keylogging.(Citation: FSecure Lokibot November 2019)
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Lokibot has used several packing methods for obfuscation.(Citation: Infoblox Lokibot January 2019)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Lokibot is delivered via a malicious XLS attachment contained within a spearhpishing email.(Citation: Talos Lokibot Jan 2021)

Enterprise T1055 .012 Process Injection: Process Hollowing

Lokibot has used process hollowing to inject itself into legitimate Windows process.(Citation: Infoblox Lokibot January 2019)(Citation: Talos Lokibot Jan 2021)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Lokibot embedded the commands schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I inside a batch script.(Citation: Talos Lokibot Jan 2021)

Enterprise T1204 .002 User Execution: Malicious File

Lokibot has tricked recipients into enabling malicious macros by getting victims to click "enable content" in email attachments.(Citation: TrendMicro Msiexec Feb 2018)(Citation: Talos Lokibot Jan 2021)
Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Lokibot has performed a time-based anti-debug check before downloading its third stage.(Citation: Talos Lokibot Jan 2021)

Groups That Use This Software
ID Name References
G0083 SilverTerrier

(Citation: Unit42 SilverTerrier 2018)

References

  1. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
  2. Cheruku, H. (2020, April 15). LOKIBOT WITH AUTOIT OBFUSCATOR + FRENCHY SHELLCODE. Retrieved May 14, 2020.
  3. DHS/CISA. (2020, September 22). Alert (AA20-266A) LokiBot Malware . Retrieved September 15, 2021.
  4. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  5. Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020.
  6. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.
  7. Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.