It turns out that most of the LokiBot malware samples distributed in the wild are modified versions of the original sample, a security researcher has found.
Targeting users since 2015, LokiBot is a password and cryptocurrency-wallet stealer that can harvest credentials from a variety of popular web browsers, FTP, poker and email clients, as well as IT administration tools such as PuTTY.
The original LokiBot malware was developed and sold under the online alias “lokistov”, a.k.a. “Carter”, on several underground hacking forums for up to $300, but other hackers later began selling the same malware at a lower price (as low as $80).
It was assumed that the LokiBot source code had been leaked, which would have allowed others to compile their own versions of the stealer.
However, a researcher who goes by the alias “d00rt” on Twitter has discovered that someone made minor changes (a binary patch) to the original LokiBot sample, without access to its source code, which lets other hackers define their own custom domains for receiving the stolen data.
Hackers are actively spreading “hijacked” versions of LokiBot
The researcher found that the location of the malware's C&C server, where the stolen data is sent, is stored in five places in the program: four of them are encrypted with the Triple DES algorithm and one with a simple XOR cipher.
The malware has a function, called “Decrypt3DESstring”, which it uses to decrypt all encrypted strings and obtain the URL of the command-and-control server.
The researcher analysed the new LokiBot samples, compared them with the old original sample, and found that the Decrypt3DESstring function in the new samples had been modified so that it always returns the value of the XOR-protected string instead of the Triple DES strings.
“The URLs protected by 3DES are always the same in all the LokiBot samples of this [new] version,” the researcher explains.
“In addition, those URLs are never used. Decrypt3DESstring should return a 3DES-decrypted buffer; this would be the ideal behaviour of this function, but as described above, every time Decrypt3DESstring is called it returns a URL decrypted/encrypted with XOR.”
These changes allow anyone holding a new LokiBot sample to edit the program with a plain hex editor and insert their own URL for receiving the stolen data, since an XOR-encoded string can be rewritten in place without knowing any 3DES key.
However, it is not clear why the original malware author also stored the same C&C server URL in a string protected only by the weaker XOR cipher, when this was not necessary.
Many of the LokiBot samples currently being distributed in the wild and sold on the underground market at very low prices have been patched in the same way by several different hackers.
Meanwhile, the original author of LokiBot has already released version 2.0 and is selling it on many forums.
The same decryption function was also used to obtain the registry values needed to make the malware persistent on a system; since the patched function only ever returns a URL, the new LokiBot samples fail to restart after the device reboots.
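To make the mechanism concrete, here is an added Python model of the patched string table and of the Decrypt3DESstring dispatcher; it is not code from LokiBot or from d00rt's analysis. The slot layout, the XOR key, the sample URLs and the registry path are assumptions, and a trivial byte shift stands in for Triple DES so the script runs with the standard library alone. It covers both the C&C re-targeting described above and the persistence side effect in the paragraph just before it, and adds the triage check a responder would run: a hijacked sample's 3DES copies still decrypt to the original URL while its XOR copy decrypts to the new one.

```python
# Added illustration of the LokiBot string-table patch; not code from the malware
# or from the researcher's report. Slot layout, XOR key, stand-in cipher, URLs and
# registry path are all assumptions made for this example.

SLOT_SIZE = 64               # assumed fixed-width string slots (a hex edit cannot grow one)
ENTRY_SIZE = 2 + SLOT_SIZE   # 1-byte cipher mode, 1-byte length, SLOT_SIZE bytes of payload
MODE_3DES, MODE_XOR = 0, 1
XOR_KEY = 0x5A               # assumed single-byte XOR key
C2_SLOTS = range(5)          # five copies of the C2 URL: slots 0-3 "3DES", slot 4 XOR
XOR_SLOT = 4
REG_SLOT = 5                 # assumed: registry string used for persistence


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in data)


def stand_in_3des_encrypt(data: bytes) -> bytes:
    """Stand-in for Triple DES so the example needs only the standard library.
    It is NOT 3DES; it only has to be reversible by stand_in_3des_decrypt."""
    return bytes((b + 3) & 0xFF for b in data)


def stand_in_3des_decrypt(data: bytes) -> bytes:
    return bytes((b - 3) & 0xFF for b in data)


def encode_entry(mode: int, plaintext: bytes) -> bytes:
    if len(plaintext) > SLOT_SIZE:
        raise ValueError("string does not fit in a slot")
    enc = xor_bytes(plaintext) if mode == MODE_XOR else stand_in_3des_encrypt(plaintext)
    return bytes([mode, len(plaintext)]) + enc.ljust(SLOT_SIZE, b"\x00")


def build_string_table(c2_url: bytes, reg_value: bytes) -> bytearray:
    """Model of the binary's string table: four 3DES copies of the C2 URL,
    one XOR copy, then the 3DES-protected registry string."""
    entries = [encode_entry(MODE_3DES, c2_url) for _ in range(4)]
    entries.append(encode_entry(MODE_XOR, c2_url))
    entries.append(encode_entry(MODE_3DES, reg_value))
    return bytearray(b"".join(entries))


def read_entry(table: bytearray, index: int):
    off = index * ENTRY_SIZE
    mode, length = table[off], table[off + 1]
    return mode, bytes(table[off + 2: off + 2 + length])


def decrypt_string_original(table: bytearray, index: int) -> bytes:
    """Unpatched Decrypt3DESstring: honour the cipher each slot was stored with."""
    mode, payload = read_entry(table, index)
    return xor_bytes(payload) if mode == MODE_XOR else stand_in_3des_decrypt(payload)


def decrypt_string_patched(table: bytearray, index: int) -> bytes:
    """Patched Decrypt3DESstring: whichever slot the caller asks for, hand back
    the XOR slot. The 3DES copies stay in the file but are never decrypted."""
    _mode, payload = read_entry(table, XOR_SLOT)
    return xor_bytes(payload)


def retarget_xor_slot(table: bytearray, new_url: bytes) -> bytearray:
    """What the hex edit does: overwrite the XOR-encoded bytes in place. No 3DES
    key is needed and nothing else in the file moves, so the URL must fit the slot."""
    if len(new_url) > SLOT_SIZE:
        raise ValueError("new URL does not fit; a hex edit cannot grow the slot")
    off = XOR_SLOT * ENTRY_SIZE
    table[off + 1] = len(new_url)
    table[off + 2: off + 2 + SLOT_SIZE] = xor_bytes(new_url).ljust(SLOT_SIZE, b"\x00")
    return table


def c2_urls(table: bytearray, decrypt) -> list:
    return [decrypt(table, i) for i in C2_SLOTS]


def persistence_value(table: bytearray, decrypt) -> bytes:
    """The registry string the persistence routine gets back from the dispatcher."""
    return decrypt(table, REG_SLOT)


def looks_retargeted(table: bytearray) -> bool:
    """Triage check: in a hijacked sample the 3DES copies still hold the original
    URL while the XOR copy holds the hijacker's."""
    return decrypt_string_original(table, 0) != decrypt_string_original(table, XOR_SLOT)


if __name__ == "__main__":
    # Constructed sample: original vendor URL and a Windows Run key (assumed values).
    table = build_string_table(b"http://original.example/panel.php",
                               b"Software\\Microsoft\\Windows\\CurrentVersion\\Run")
    print(c2_urls(table, decrypt_string_original))
    retarget_xor_slot(table, b"http://hijacker.example/gate.php")
    print(c2_urls(table, decrypt_string_patched))
    print(persistence_value(table, decrypt_string_patched))  # a URL, not a registry path
    print(looks_retargeted(table))
```

Running the script shows the two effects the article describes: after the hex edit every C&C lookup in the patched build resolves to the hijacker's URL while the four 3DES copies untouched in the file still decrypt to the vendor's, and the persistence routine, which goes through the same dispatcher, receives that URL in place of its registry path.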
For more technical details on the new samples, see the research paper [PDF] the researcher published on GitHub.