The authors behind the LokiBot info-stealer have turned to steganography to add a new layer of obfuscation, which researchers have discovered in a recent variant of the malware.
LokiBot is in active development, and over the years its developers have added a range of features to it. It is a popular choice with SilverTerrier, a Nigerian business email compromise (BEC) group.
It can steal information from more than 25 different browsers, check for remote administration tools (SSH, VNC, RDP), and harvest credentials from email and file transfer clients.
Trend Micro researchers discovered that new LokiBot samples use image files to conceal the code needed for their unpacking routine.
The analysis showed that the image contains the encrypted binary, which is unpacked in several stages, ending with the decryption of LokiBot in the memory of the infected system.
“Before loading the main code, it creates a directory in %appdatalocal% where the Loki binary and the image (same as those in %temp%) will be placed.” – Trend Micro
To decrypt the binary, LokiBot looks for a marker that indicates the beginning of the file stored inside the image. The decrypted output is loaded during the different decryption stages.
The malware analysis shows that the developer used a custom decryption method rather than a common block cipher such as AES.
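The container trick described above (a valid image with an encrypted blob appended after the picture data) leaves a generic trace that a defender can check for without knowing the malware's own format: bytes after the end-of-image structure. The following is an added example, not code from the article or from Trend Micro. It parses PNG chunk structure, measures the entropy of anything trailing the IEND chunk, and optionally searches for a caller-supplied marker. The marker and payload in the sample are constructed stand-ins; the real LokiBot marker is not given in the text.

```python
"""Added example (not from the article or Trend Micro): flag image files that carry
extra data after the end of the image. Only PNG is parsed here; the marker and
payload used in the sample are constructed, not LokiBot's."""
import math
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, lower for text or code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def png_end_offset(data: bytes):
    """Walk the PNG chunk list and return the offset just past the IEND chunk
    (where the image proper ends), or None if the file is not well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length          # 4 length + 4 type + data + 4 CRC
        if chunk_end > len(data):
            return None                        # truncated chunk
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None                                # no IEND: not a complete image


def inspect_png(data: bytes, marker: bytes = None, entropy_threshold: float = 7.0) -> dict:
    """Report on bytes trailing the image. A non-empty trailer is only a hint (some
    tools append harmless data); a large high-entropy trailer, or one that starts
    with a marker known from a sample, is what an analyst would escalate."""
    end = png_end_offset(data)
    if end is None:
        return {"valid_png": False}
    trailer = data[end:]
    ent = shannon_entropy(trailer)
    report = {
        "valid_png": True,
        "image_bytes": end,
        "trailing_bytes": len(trailer),
        "trailing_entropy": round(ent, 2),
        "suspicious": len(trailer) >= 512 and ent >= entropy_threshold,
    }
    if marker is not None:
        report["marker_offset"] = data.find(marker, end)   # -1 if absent
    return report


def build_png_1x1() -> bytes:
    """Constructed sample: a minimal valid 1x1 grayscale PNG."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Constructed marker and payload: NOT LokiBot's real marker or binary, just a stand-in
# for "a marker followed by an encrypted blob appended to an image".
FAKE_MARKER = b"##EXAMPLE-MARKER##"
FAKE_PAYLOAD = random.Random(7).randbytes(4096)   # pseudo-random bytes: high entropy

CLEAN_IMAGE = build_png_1x1()
STEGO_IMAGE = CLEAN_IMAGE + FAKE_MARKER + FAKE_PAYLOAD

if __name__ == "__main__":
    print("clean:", inspect_png(CLEAN_IMAGE, FAKE_MARKER))
    print("stego:", inspect_png(STEGO_IMAGE, FAKE_MARKER))
```

The entropy threshold and the 512-byte minimum are tuning choices, not values from the article: a short, low-entropy trailer is common in benign files (metadata left by editing tools), while several kilobytes that look like ciphertext sitting after IEND is the profile of an appended encrypted payload and deserves a closer look.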
The researchers note that this strategy not only helps LokiBot evade detection but also aids its persistence on the compromised machine.
The malware is executed through a Visual Basic script, run by the VBS interpreter wscript, and an autostart registry entry is created that points to the VB script.
What the analysts found peculiar in this variant is that the autostart registry entries are broken when they are overwritten. The same occurs with other samples the researchers have studied.
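The persistence pattern just described, an autostart (Run key) entry that launches a VB script through wscript from a user-writable directory, is easy to triage once the Run-key values have been collected. The following added example is not from the article or from Trend Micro; it scores command lines of the kind found in Run keys and is fed constructed sample values, so nothing is read from a live registry and none of the paths are real indicators.

```python
"""Added example, not from the article: triage Run-key command lines for a script
host (wscript/cscript) launching a script file from a user-writable location.
The sample values below are constructed, not real indicators."""
import re
import shlex

SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
# Locations an unprivileged user can write to; a scheduled or autostart script
# living here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(
    r"(%appdata%|%localappdata%|%temp%|%tmp%|\\appdata\\|\\temp\\|\\users\\public\\)",
    re.IGNORECASE,
)


def is_suspicious_autostart(command: str) -> bool:
    """True when the command starts a script host on a script file under a
    user-writable path. Host-switches such as //B or //Nologo are ignored."""
    try:
        parts = shlex.split(command, posix=False)   # keep backslashes literal
    except ValueError:
        parts = command.split()
    if not parts:
        return False
    host = parts[0].strip('"').rsplit("\\", 1)[-1].lower()
    if host not in SCRIPT_HOSTS:
        return False
    scripts = [p.strip('"') for p in parts[1:] if not p.startswith("/")]
    return any(p.lower().endswith(SCRIPT_EXTS) and USER_WRITABLE.search(p)
               for p in scripts)


def triage(run_values: dict) -> list:
    """Return the names of Run-key values that match the pattern."""
    return [name for name, cmd in run_values.items() if is_suspicious_autostart(cmd)]


# Constructed Run-key contents (value name -> command line); not real IoCs.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\update.vbs"',
    "Legacy": r'C:\Windows\System32\wscript.exe "C:\Program Files\Vendor\task.vbs"',
}

if __name__ == "__main__":
    print("flagged:", triage(SAMPLE_RUN_VALUES))
```

On a real host the dictionary would come from HKCU and HKLM `...\CurrentVersion\Run` (and RunOnce), which on Windows can be read with the standard `winreg` module; the scoring logic itself stays the same. An entry that only scores on the script-host check (like the `Legacy` sample) is worth a look but is not the pattern the article describes.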
Although the use of steganography is new in LokiBot, the updates are not as extensive as those in previous variants.