CISA: Detections of LokiBot Info-Stealer Are Soaring

Written by

The US government has warned of a major increase in detections of info-stealing malware LokiBot over the past couple of months.

The Cybersecurity and Infrastructure Security Agency (CISA) sounded the alarm on Tuesday, revealing that its Einstein intrusion detection system had spotted a “notable increase” in the use of the malware since July.

“LokiBot uses a credential- and information-stealing malware, often sent as a malicious attachment and known for being simple, yet effective, making it an attractive tool for a broad range of cyber-actors across a wide variety of data compromise use cases,” it added.

Also known as Loki PWS, the Trojan malware is designed to steal usernames, passwords, cryptocurrency wallets and other credentials through the use of a keylogger. It can also deploy a backdoor, enabling the installation of additional payloads.

Although it is spread most often by malicious email attachment, users could also be targeted via phishing texts and private messages, or by infected websites.

First discovered in 2016, LokiBot has mainly been used to target Windows and Android users, and in the past has even been used as a banking Trojan and mobile ransomware. Most recently, Trend Micro researchers discovered a version disguised as a launcher for popular gaming title Fortnite.

Gurucul CEO, Saryu Nayyar, argued that the CISA warning shows how cyber-criminals are successfully scaling their business model.

“The fact that LokiBot has been around for over four years and has gained in capability over time is a reflection of how much malicious actors have advanced the state of their art, leveraging the same development models we use in the commercial space,” he added. 

“Fortunately, our security tools have also improved over time. Using a combination of data sources for telemetry, it's possible to analyze events as they happen and identify malicious user or system behaviors. This lets an organization mitigate these attacks before they can cause serious damage.”

CISA recommended a range of best practice steps to mitigate the threat including: prompt patching; use of up-to-date AV; multi-factor authentication; scanning for malicious email attachments; user monitoring; and employee awareness training.

What’s hot on Infosecurity Magazine?