Showing posts with label LokiBot Malware.

Tuesday, 18 February 2020

Latest LokiBot malware variant distributed as Epic Games installer

By Deeba Ahmed, 18/02/2020, on the HackRead site


The newly found variant of the notorious LokiBot malware is more sophisticated and harder to detect than its previous versions.

First seen in 2015, LokiBot is popular among cybercriminals because of its breadth: it harvests almost every kind of sensitive data on an infected host, from saved login IDs and passwords to banking details and cryptocurrency wallet contents, supplemented by keylogging of user activity on the device and in the browser. Note that the Windows LokiBot is an information stealer; the "turns itself into ransomware" behaviour reported in 2017 belongs to an unrelated Android banking trojan that also carries the LokiBot name (covered in the post further down this page).

According to Trend Micro researchers, the new variant is being distributed disguised as the game launcher of Epic Games, the developer behind the massively popular online game Fortnite, to trick users into executing it on their devices.
Detected by Trend Micro as Trojan.Win32.LOKI, the campaign has an unusual installation routine: a C# source file is dropped and compiled on the victim's machine. The user believes the downloaded file is the Epic Games Store installer and runs it without suspecting foul play.

As per Trend Micro's blog post, the installer was built with the Nullsoft Scriptable Install System (NSIS). The NSIS installer carries the original Epic Games logo to look legitimate, and as soon as it is executed it drops two more files.

https://www.hackread.com/wp-content/uploads/2020/02/lokibot-malware-variant-epic-games-installer-2.jpg

One is a C# source code file and the other is a .NET executable, both written to the infected device's %AppData% directory. The .NET executable is padded with so much junk code that reverse-engineering it is tedious. Its actual job is to read and compile the C# source file, named MAPZNNsaEaUXrxeKm.


After compilation, the .NET executable calls the EventLevel method of the freshly compiled C# code through the reflection API InvokeMember. That method decrypts and loads the encrypted assembly embedded in the file, and the LokiBot payload is then executed. Shipping the stage as C# source rather than as a compiled binary helps evade file-based defenses, because the malicious assembly only comes into existence after compilation on the victim's machine.
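To make the mechanism concrete, here is an added illustration of the "compile C# source at runtime, then call a method by name via InvokeMember" pattern the article describes. It is not Trend Micro's code or anything taken from the LokiBot sample: the embedded stage-2 source is a constructed, benign stand-in that only XOR-decodes a string, the type name Stage2 and the XOR key 0x5A are assumptions made for this example, and only the method name EventLevel and the dropped file name come from the article. It targets .NET Framework, where CodeDom compilation is available.

```csharp
// Added illustration (not Trend Micro's or LokiBot's code) of the
// runtime-compile-then-InvokeMember pattern described in the article.
// The stage-2 source is a constructed, benign stand-in: it XOR-decodes a
// string instead of decrypting and loading an assembly.
using System;
using System.CodeDom.Compiler;
using System.Reflection;
using Microsoft.CSharp;

class RuntimeCompileDemo
{
    // Stand-in for the dropped .cs file (MAPZNNsaEaUXrxeKm in the campaign).
    // The method name EventLevel is the one the article names; the type name
    // Stage2, the blob and the key 0x5A are assumptions for this example.
    const string Stage2Source = @"
using System;
using System.Text;
public static class Stage2
{
    // Constructed 'encrypted' blob: ASCII ""payload-ok"" XORed with 0x5A.
    static readonly byte[] Blob = { 0x2A, 0x3B, 0x23, 0x36, 0x35, 0x3B, 0x3E, 0x77, 0x35, 0x31 };

    public static string EventLevel()
    {
        var clear = new byte[Blob.Length];
        for (int i = 0; i < Blob.Length; i++) clear[i] = (byte)(Blob[i] ^ 0x5A);
        // A real loader would pass the decrypted bytes to Assembly.Load()
        // and run the resulting entry point; here we just return the text.
        return Encoding.ASCII.GetString(clear);
    }
}";

    static void Main()
    {
        // Step 1: compile the source in memory. On .NET Framework CodeDom does
        // this by spawning csc.exe and writing temporary .cs/.cmdline files.
        var provider = new CSharpCodeProvider();
        var parameters = new CompilerParameters
        {
            GenerateInMemory = true,
            GenerateExecutable = false
        };
        parameters.ReferencedAssemblies.Add("System.dll");
        CompilerResults results = provider.CompileAssemblyFromSource(parameters, Stage2Source);
        if (results.Errors.HasErrors)
        {
            foreach (CompilerError e in results.Errors)
                Console.Error.WriteLine(e.ErrorText);
            return;
        }

        // Step 2: locate the type in the just-built assembly and invoke the
        // method by name, exactly the reflection call the article refers to.
        Type stage2 = results.CompiledAssembly.GetType("Stage2");
        object result = stage2.InvokeMember(
            "EventLevel",
            BindingFlags.InvokeMethod | BindingFlags.Public | BindingFlags.Static,
            null, null, null);
        Console.WriteLine("Stage 2 returned: " + result);
    }
}
```

Two things a defender can take from this. First, because the payload assembly is materialised only after compilation, signatures on the two dropped files miss it, so inspection has to look at behaviour rather than the files alone. Second, the CodeDom route itself leaves artifacts: on .NET Framework the stage-1 executable spawns csc.exe (from the framework directory) as a child process and writes temporary .cs, .cmdline and .out files under %TEMP%. A process-creation rule for csc.exe whose parent lives under %AppData% or another user-writable path, rather than a developer tool, is a cheap and specific hunt for this loader style.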

Researchers believe the malware is distributed via phishing emails sent out in bulk to reach as many targets as possible. Either way, the discovery reinforces that LokiBot remains a preferred Trojan among criminals, and that they are likely to keep tweaking it.

Monday, 30 October 2017

This malware turns itself into ransomware if you try to remove it


IT security researchers at SfyLabs have discovered an Android banking malware called LokiBot that converts itself into fully fledged ransomware once the victim tries to remove it from the infected device.
The malware has been in the news since June this year, but its developers keep adding features, and it has become a nasty piece of malware that steals personal and financial information from a large number of banking apps and other popular apps, including Outlook, Skype and WhatsApp.
“Combine this with the fact that LokiBot can show notifications which seem to come from other apps, containing, for example, a message that new funds have been deposited to the victim’s account and interesting phishing attack scenarios arise! The phishing notifications use the original icon of the application they try to impersonate. In addition, the phone is made to vibrate right before the notification is shown so the victim will take notice of it. When the notification is tapped it will trigger an overlay attack,” SfyLabs researchers said in a blog post.
Researchers call it “The first hybrid Android malware”
Currently, LokiBot targets Android devices running version 4.0 or later, and its data-stealing capability is not limited to the apps mentioned above. LokiBot can also steal contact details from a targeted device, read and send SMS messages, spread itself by spamming the contact list, send the victim's browser history to its command-and-control server and, most importantly, turn itself into ransomware if the victim attempts to remove it.
“To top it off there is an option to lock the phone preventing the user from accessing it,” researchers added.
It does this by locking the device, encrypting its files and demanding a ransom of $70 to $100 in Bitcoin within 48 hours. The ransom note tells victims that their "phone is locked for viewing child pornography" and displays links to websites through which the payment can be sent to the criminals.
Screenshot of the ransom note (Credit: SfyLabs)
Researchers also noticed that the BTC addresses the criminals provide for ransom payments had already received transactions worth 1.5 million dollars in BTC. However, it is very unlikely that the actors behind this malware earned that amount through LokiBot alone.
Android users are urged not to install apps from third-party sources or apps they do not need, and to install a reliable mobile security product. The full list of apps targeted by LokiBot is available here.