The new variant of the notorious LokiBot malware is more sophisticated and effective than its previous versions.
Discovered originally in 2015; LokiBot malware is extremely popular among cybercriminals because of its multitasking abilities. The malware is capable of converting itself into full flagged ransomware and harvests almost every type of data from login IDs and passwords to banking data and crypto wallets contents, which it does by using keyloggers that monitor user activities on the device and the browser.
According to Trend Micro researchers, the newly discovered variant of LokiBot malware is being distributed as a popular game launcher for Epic Games, the same developer behind the massively popular online game Fortnite, to trick users so that they execute it on their devices.
Detected as Trojan.Win32.LOKI; this campaign has a rather peculiar installation routine in which a C# code file is dropped to infect the device. The user believes that this file is Epic Games store installer, and executes it without suspecting any foul play.
As per Trend Micro’s blog post, this installer is created by using the authoring tool called Nullsoft Scriptable Install System or NSIS installer. The NSIS Windows installer uses the original logo of Epic Games for deceiving users, and as soon as the file is executed two more files are dropped.
One of them is a C# source code file while the other is a .NET executable found in the infected device’s “%AppData% directory.” The .NET executable contains so many junk codes that its reverse-engineering becomes extremely difficult. The purpose of this file is to read and compile the C# code file titled MAPZNNsaEaUXrxeKm.
After compilation, the binary activates the EventLevel function from the C# code file via the InvokeMember function, which decrypts and enables the encrypted assembly code already embedded in the file. Afterward, the LokiBot payload is executed. Using the C# source code helps in preventing detection from the device’s defense mechanisms.
Researchers believe that the malware is distributed via phishing emails being sent out in huge numbers to claim as many targets as possible. Nonetheless, the discovery reinstates the fact that LokiBot malware continues to remain the preferred Trojan of scammers and they might continue to tweak it further in the future.