First advertised as an information stealer and keylogger when it first appeared in underground forums, LokiBot has added various capabilities over the years. Recent activity has seen the malware family abusing Windows Installer for its installation and introducing a new delivery method that involves spam mails containing malicious ISO file attachments. Our analysis of a new LokiBot variant shows that it has improved its capabilities for staying undetected within a system via an updated persistence mechanism and the use of steganography to hide its code.
We first became aware of this specific LokiBot variant (detected by Trend Micro as TrojanSpy.Win32.LOKI.TIOIBOGE) when we alerted a Southeast Asian company subscribed to Trend Micro’s Managed Detection and Response (MDR) service regarding a possible threat — an email with an attachment— allegedly from a confectionery company based in India. An alert from the Virtual Analyzer of the company’s Trend Micro Deep Discovery Inspector, along with the suspicious nature of the email, led us to notify the company regarding the potentially malicious threat, after which Trend Micro Research went further into investigation and analysis.
Source: Trend Micro