HC3 TLP Clear Analyst Note: LokiBot Malware – September 29, 2023

Executive Summary

Active since 2015 and among the most prevalent and persistent strains of malware families since 2018, LokiBot has matured over time to target multi-sector industries. Despite its apolitical targeting of critical infrastructure, the malware’s adverse effect on the Healthcare and Public Health (HPH) sector shows its reach. In March 2020, a multi-threat actor spearphishing campaign to spread LokiBot malware with a false World Health Organization trademark image solidified its threat to the HPH sector. In addition to other malware analyses, HC3 reported on this specific cyberattack in a 2020 HC3 Sector Note on LokiBot. The malware has been widely used for years, and because of behavior changes, it takes a lot of effort to monitor. However, there are some best practices for protecting against LokiBot and managing its impact. What follows is an update to the previous HC3 analysis of LokiBot, a timeline of multi-sector targeted applications, detection strategies, sample MITRE ATT&CK techniques, indicators of compromise, and recommended defenses and mitigations against the malware.

Overview

LokiBot was first observed in 2015 for sale on cybercrime forums by the cyber alias “lokistov,” with a sale price of $540 USD for both a stealer and a loader. Named for the Norse mythological shapeshifting god, it became a popular malware choice for threat actors due to its low price and ease of use. After its version 1 source code leaked in 2018, lokistov developed version 2 of the malware, which has better evasion capabilities, as well as expanded keylogger and remote access trojan functionality. As of September 2023, the malware version sells for a mere $80 USD.