CISA yesterday issued a security alert warning federal agencies and the private sector of a significant increase in the use of LokiBot malware by attackers since July.
In particular, CISA said that its EINSTEIN intrusion detection system has detected a persistent pattern of malicious activity attributable to LokiBot. The sharp increase in LokiBot activity since July was also confirmed to ZDNet by the Malwarebytes Threat Intelligence team.
This is a matter of particular concern, as LokiBot is one of the most dangerous and widespread malware strains in the current threat landscape. The LokiBot trojan, also known as Loki or Loki PWS, is what is called an information stealer (infostealer).
In terms of how it operates, LokiBot infects a computer and then uses its built-in capabilities to search for locally installed applications and extract stored credentials from their internal databases. Its targets include e-mail clients, browsers, FTP clients and cryptocurrency wallets.
However, the malware is more than just an infostealer. Over time LokiBot has evolved and now also includes a real-time keylogging component, which records keystrokes in order to capture passwords for accounts that are not stored in the browser's credential database, and a desktop screenshot utility that captures documents after they are opened on the victim's computer. LokiBot also functions as a backdoor, allowing attackers to run additional malware on infected hosts and potentially escalate their attacks.
The malware first appeared in the mid-2010s, when it was put up for sale on hacking forums. It was later cracked and has been distributed for free for years, and it is one of the most popular password stealers in use today. Many hacking groups currently deploy it in their attacks, using a variety of distribution techniques, from spam emails to cracked installers and booby-trapped torrent files.
Spamhaus ranked LokiBot as the malware family with the most active command-and-control (C&C) servers in 2019, and it is second in the same ranking for the first half of 2020. LokiBot is also third in the all-time ranking of Any.Run, a malware sandboxing service, by number of analyzed malware samples.
Credentials stolen with LokiBot usually end up on underground marketplaces such as Genesis, where LokiBot is the second most popular malware family among the stolen data traded.
The advisory CISA published yesterday on LokiBot includes detection and mitigation guidance for dealing with attacks and infections involving the malware.
Finally, it is worth noting that LokiBot should not be confused with a similarly named, now inactive, Android trojan.