• Demystify Cyber

Loki Bot

Updated: Mar 23

Demystify Cyber analysed the payload from a malicious email received in September 2021. The attachment dropped malware known as Loki-Bot.


Loki-Bot is a trojan that was first seen in the wild in around 2015/2016, it tends to spread via emails with malicious attachments or links to malicious websites. It is also known to exploit vulnerabilities to gain foothold. Of note to anyone who may play/have children that play, Fortnite, it has also been seen packaged in a faked Fortnite game launcher. Loki-Bot is an information stealer, it drops a keylogger to monitor all key strokes, browser activity, and captures account credentials. The trojan is known to create back doors to allow other malware entry, and the latest iterations since about June / July 2021, include a lot of encryption layers helping the malware to avoid detection.


Be cautious of emails with attachments requesting macros enabled to view or with links

Use up to date reputable AV solution

Keep software/OS patched

Only download genuine software from legitimate vendors

Mitre Att&ck framework

1. Gains privilege

T1134: Access Token Manipulation – it adjusts tokens such as debug function

T1055: Process Injection -injects a PE file and cxreates a process in suspend state, spawns processes

2. Evades detection

T1036: Masquerading – creates new files in the user directory

T1497: Virtualization/Sandbox Evasion – uses sleep cycles to make dynamic analysis challenging and also checks for debugging processes

T1027: Obfuscated Files or Information – has code obfuscation and string decryption

T1027.002: Software Packing – overwrites it’s own PE hedaers

3. Credential theft

T1003: OS Credential Dumping – harvests ftp login creds, harvests browser history and stored passwrods (drops a keylogger for future data theft)

T1552.002: Credentials in Registry – steals email credentials and harvests any Putty info

4. Discovery

T1518.001: Security Software Discovery – scanns for AV. Checks if its being analysed in a asandbox. Tries to detect for a VM

T1033: System Owner/User Discovery – queries the account hodlers name and details

T1083: File and Directory Discovery Enuermates and lists all directories and files

T1082: System Information Discovery- checks for MS Office., checks for which Windows OS version it is

5. Collection

T1114: Email Collection - Steals email credentials

T1005: Data from Local System – harvests frp log in creds, and browser history, archive and stored creds z

T1115: Clipboard Data – steals data storeed in clipboard

6. Comms with C2 and device control

T1573: Encrypted Channel – encrypts comms to make traffic harder to detect

T1105: Ingress Tool Transfer – the malware can download and drop other malware

T1529: System Shutdown/Reboot – can do remote shutdown and reboot and also remotely wipe

Written by A. Turner

© A. Turner 2021 https://www.demystifycyber.com.au/

Provided for general information and education purposes

36 views0 comments

Recent Posts

See All

Demystify Cyber analysed the payload from a malicious email campaign from 9 January 2022 that contains an attachment called Purchase Order, that installs malware called Agent Tesla on the system. BLUF

BLUF First seen in 2016 delivered in malicious emails, Remcos is a remote access trojan (RAT). Remcos has wide ranging function such as monitoring and recording the audio and video of an infected mach

Below is a summarised analysis of an executable sample Demystify Cyber obtained and analysed on 3 October 2021. BLUF RedLine Stealer is a data and credential theft malware sold in underground markets