LokiBot is using Living Off The Land Technique

May 24, 2022

Malware authors are always looking for ways to keep their malware hidden from security vendors, either by inventing new techniques or by adopting techniques already used by other malware authors. For the last few weeks, the SonicWall threat research team has observed LokiBot being delivered to the victim’s machine using a Windows Script File. The script file contains a large amount of junk data along with malicious code, which executes a PowerShell script to download a malicious VBS script into the temp folder. The VBS script is then executed, and the temp directory is cleaned up to remove malicious traces.

The VBS script is highly obfuscated and executes a PowerShell script with obfuscated arguments.

The PowerShell script argument contains a loader binary and a URL. The loaded binary is executed with the URL passed as an argument.

The loader dynamic link library (DLL) is a .NET compiled binary, and its code is simple and small. The loader is responsible for loading the LokiBot binary and, if the initial VBS script execution has somehow failed, for executing the script again. It checks the Windows temp folder for files with the “.vbs” extension; if such files are present, the loader copies the VBS script to done.vbs and executes it.
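The execution chain described so far (script host, PowerShell, VBS run from the temp folder, then done.vbs) can be hunted in process-creation telemetry. The following is an added example, not code from SonicWall or from the sample; the event field names (`parent`, `image`, `cmd`), the rule names and all sample events are constructed assumptions, and only `done.vbs` and the temp folder come from the analysis above.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .vbs file sitting directly in a Temp directory, and the loader's done.vbs copy.
VBS_IN_TEMP = re.compile(r'\\temp\\[^"\\]*\.vbs\b', re.IGNORECASE)
DONE_VBS = re.compile(r'\\temp\\done\.vbs\b', re.IGNORECASE)

# Constructed process-creation events (Sysmon Event ID 1 style); every path,
# user name and command line is made up. Events 5 and 6 are benign controls.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": WS,
     "cmd": r'wscript.exe "C:\Users\bob\Downloads\invoice.wsf"'},
    {"parent": WS, "image": PS,
     "cmd": r"powershell.exe -c <constructed placeholder>"},
    {"parent": PS, "image": WS,
     "cmd": r'wscript.exe "C:\Users\bob\AppData\Local\Temp\a1.vbs"'},
    {"parent": WS, "image": PS,
     "cmd": r"powershell.exe -c <constructed placeholder>"},
    {"parent": PS, "image": WS,
     "cmd": r'wscript.exe "C:\Users\bob\AppData\Local\Temp\done.vbs"'},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": r"powershell.exe"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r'cscript.exe "C:\Program Files\Vendor\update.vbs"'},
]

def classify(event):
    """Return the names of the rules one process-creation event matches."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    hits = []
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        hits.append("script_host_spawns_powershell")
    if image in SCRIPT_HOSTS and VBS_IN_TEMP.search(event["cmd"]):
        hits.append("vbs_executed_from_temp")
    if DONE_VBS.search(event["cmd"]):
        hits.append("done_vbs_in_temp")
    return hits

def hunt(events):
    """Return (event index, rule name) pairs for every match, in event order."""
    return [(i, rule) for i, e in enumerate(events) for rule in classify(e)]

if __name__ == "__main__":
    for index, rule in hunt(SAMPLE_EVENTS):
        print(index, rule, SAMPLE_EVENTS[index]["cmd"])
```

Each rule on its own also matches some legitimate administration scripts; several rules firing on one host within a short window is the stronger signal.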

 

The loader code contains many reverse operations to provide an extra layer of protection against security vendors. The loader downloads data from a reversed URL; the downloaded data is then reversed, and a few non-ASCII characters are replaced with “A” to get a .NET dynamic link library file.

The loader now reverses the argument URL to download and execute the LokiBot binary.

LokiBot is known for stealing credentials from various applications installed on the victim’s machine. It communicates with its Command and Control (C&C) server to perform various tasks on the victim’s machine.

At the time of writing this blog, the file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal, which indicates its spreading potential.

Evidence of detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file: