Most LokiBot Samples in the Wild Are Hijacked Versions of the Original Malware

Hacker himself got hacked.

It turns out that most samples of the LokiBot malware being distributed in the wild are modified versions of the original sample, a security researcher has found.

Targeting users since 2015, LokiBot is a password and cryptocurrency-wallet stealer that can harvest credentials from a variety of popular web browsers, FTP, poker and email clients, as well as IT administration tools such as PuTTY.

The original LokiBot malware was developed and sold by the online alias "lokistov," a.k.a. "Carter," on multiple underground hacking forums for up to $300, but later other hackers on the dark web also started selling the same malware for a lower price (as low as $80).

It was believed that the source code for LokiBot had leaked, which might have allowed others to compile their own versions of the stealer.

However, a researcher who goes by the alias "d00rt" on Twitter found that someone made small binary-level changes (patching) to the original LokiBot sample, without having access to its source code, that let other hackers define their own custom domains for receiving the stolen data.

Hackers Are Actively Spreading "Hijacked" Versions of LokiBot

The researcher found that the C&C server location, where the stolen data is sent, is stored in five places in the program: four of them are encrypted with the Triple DES (3DES) algorithm and one with a simple XOR cipher.

The malware has a function, called "Decrypt3DESstring," that it uses to decrypt all the encrypted strings and obtain the URL of the command-and-control server.

The researcher analyzed the new LokiBot samples and compared them with the older original sample, and found that the Decrypt3DESstring function in the new samples has been modified so that it always returns the value of the XOR-protected string instead of the Triple DES strings.
"The 3DES protected URLs are always the same in all of the LokiBot samples of this [new] version," the researcher said.
"In addition, those URLs are never used. Decrypt3DESstring returns a 3DES decrypted buffer. This should be the ideal behavior of this function, but as was described before, each time Decrypt3DESstring is called, it returns a decrypted url with XOR or encrypted url with XOR."
These changes allow anyone with a new sample of LokiBot to edit the program with a simple hex editor and insert their own custom URL for receiving the stolen data. Because the 3DES-protected copies are left untouched, a hijacked binary still carries the original author's URL, now unused.

However, it is not clear why the original malware author also stored the same C&C server URL in a string protected by the much weaker XOR cipher, when it was unnecessary; that copy is what makes the hijack cheap.

A lot of different LokiBot samples currently distributed in the wild, and available for sale on the underground market at a very low price, have been patched in the same way by several hackers.

Meanwhile, the original author of LokiBot has already launched a new version 2.0 and is selling it online on many forums.

The same decryption function was also used to obtain the registry values required to make the malware persistent on a system, but since the patched function only ever returns a URL, the new LokiBot samples fail to restart after the device reboots.
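The mechanism described in the preceding paragraphs (the patched Decrypt3DESstring, the hex-edited XOR string, the analyst's mismatch check and the persistence breakage) as a runnable model in Go. This is an added example, not code from the original article or from the researcher's paper: the 3DES mode, padding, key, IV, XOR key, hosts and registry string are all constructed here; the real binary stores four 3DES copies of the URL, which one copy stands in for; and the `Classify` check assumes the analyst has already recovered the key and XOR byte from the sample.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// Constructed key material and strings; nothing here comes from a real sample.
const (
	key3DES     = "0123456789abcdef01234567" // 24 bytes: three DES subkeys
	xorKey byte = 0x5A
	origC2      = "http://original-panel.example/gate.php" // hypothetical host
	newC2       = "http://hijacker-panel.example/gate.php" // hypothetical host
	runKey      = `Software\Microsoft\Windows\CurrentVersion\Run`
)

var iv3DES = make([]byte, des.BlockSize)                 // all-zero IV (assumed)
var blk3DES, _ = des.NewTripleDESCipher([]byte(key3DES)) // fixed-length key, cannot fail

// sample models the storage the article describes: the C2 URL under 3DES (the real
// binary keeps four copies; one stands in), under XOR, and a 3DES registry string.
type sample struct {
	c2DES, c2XOR, regDES []byte
	patched              bool // true once Decrypt3DESstring has been hijacked
}

// 3DES-CBC with zero padding; the article says only "Triple DES", so the mode
// and padding are assumptions of this model.
func encrypt3DES(pt []byte) []byte {
	pad := (des.BlockSize - len(pt)%des.BlockSize) % des.BlockSize
	padded := append(append([]byte{}, pt...), make([]byte, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk3DES, iv3DES).CryptBlocks(out, padded)
	return out
}

func decrypt3DES(ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not block aligned", len(ct))
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk3DES, iv3DES).CryptBlocks(out, ct)
	return bytes.TrimRight(out, "\x00"), nil
}

// Single-byte XOR; its own inverse.
func xorBytes(b []byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		out[i] = c ^ xorKey
	}
	return out
}

func newSample(c2, reg string) *sample {
	return &sample{c2DES: encrypt3DES([]byte(c2)), c2XOR: xorBytes([]byte(c2)),
		regDES: encrypt3DES([]byte(reg))}
}

// DecryptString stands in for Decrypt3DESstring: the original build decrypts the 3DES
// ciphertext handed to it; a hijacked build always returns the XOR-protected C2 string.
func (s *sample) DecryptString(ct []byte) (string, error) {
	if s.patched {
		return string(xorBytes(s.c2XOR)), nil
	}
	b, err := decrypt3DES(ct)
	return string(b), err
}

// Hijack models the two byte-level edits: patch the decryption routine, then
// overwrite the XOR-protected URL bytes with a hex editor.
func (s *sample) Hijack(c2 string) {
	s.patched = true
	s.c2XOR = xorBytes([]byte(c2))
}

// Classify is the analyst-side check: decrypt the 3DES and XOR copies independently
// (assumes key and XOR byte were recovered from the sample); hijackers rewrite only XOR.
func Classify(s *sample) (string, error) {
	fromDES, err := decrypt3DES(s.c2DES)
	if err != nil {
		return "", err
	}
	if bytes.Equal(fromDES, xorBytes(s.c2XOR)) {
		return "original", nil
	}
	return "hijacked", nil
}

func main() {
	s := newSample(origC2, runKey)
	s.Hijack(newC2)
	fmt.Println(s.DecryptString(s.c2DES))  // the hijacker's URL
	fmt.Println(s.DecryptString(s.regDES)) // also the URL: persistence never installs
	fmt.Println(Classify(s))
}
```

The `Classify` check is the practical takeaway for triage: in a hijacked sample the 3DES copies still decrypt to the original author's URL while the XOR copy points somewhere else, so a mismatch between the two is a cheap indicator that a binary has been repurposed, and the unused 3DES URL can be logged as an inert artifact rather than a live C2.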

For more technical details about the new samples, you can head over to the research paper [PDF] published by the researcher on GitHub.