Lokibot Malware exploits spotted in the wild

September 20, 2019

 SonicWall Capture Labs Threats Research Team has spotted Lokibot malware attacks in the wild. This malware is delivered through spam emails . Lokibot is an info stealer and tries to steal credentials stored in registry, files and browser.

It also reads sensitive data of Google chrome, Firefox, Internet Explorer. It tries to connect to attacker controller server over HTTP and tries to POST the stolen information from the victim’s computer.

Infection Cycle

User is lured into opening malicious attachment in spam email. This attachment is lokibot malware which upon execution steals sensitive user data like username password in browser and registry.

This malware shows following behavior :

  • Tries to read sensitive data of: LinasFTP, Mozilla Firefox, Google Chrome, QtWeb Internet Browser, Internet Explorer / Edge.
  • Reads installed programs by enumerating the SOFTWARE registry key.
  • Trying to read sensitive data of web browsers like Firefox, Google Chrome, Internet Explorer
  • Trying to read sensitive data from ftp applications through registry like LinsaFTP
  • Trying to read sensitive email data from Microsoft Outlook


The malware sends the information to attacker-controlled server []

The malware has embedded executable stored as hex formatted string.

It also downloads file from hxxp://[filename].exe

Sonicwall Capture Labs provides protection against this threat with the following signature:

  • Lokibot.XS
  • Lokibot.XS_2
  • LokiMD
  • LokiBot.DN
  • Lokibot.SI

This threat is also detected by SonicWALL Capture ATP w/RTDMI