On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory warning federal agencies and the private sector about a significant rise in the use of LokiBot malware by malicious threat actors since July 2020.
CISA said that its in-house security platform, the EINSTEIN Intrusion Detection System, has detected persistent malicious activity traced back to LokiBot infections.
The July increase in LokiBot activity seen by the agency was also confirmed by the Malwarebytes Threat Intelligence team, which said that it has observed a similar increase in LokiBot infections over the past three months.
This is cause for serious concern, as LokiBot is one of today’s most dangerous and prevalent malware strains. It works by infecting computers and then using its built-in capabilities to search for locally installed apps and extract credentials from their internal databases.
However, the malware is far more than a mere infostealer. Over time, LokiBot has evolved and now also includes a real-time keylogging component that captures keystrokes and steals passwords for accounts that aren’t always stored in a browser’s internal database, and a desktop screenshot utility that captures documents after they’ve been opened on the victim’s computer.
Moreover, LokiBot also works as a backdoor, letting attackers run other pieces of malware on infected hosts and potentially escalate their attacks.
The malware emerged in the mid-2010s, when it was first offered for sale on underground hacking forums. Since then, LokiBot has been copied and widely distributed for free for years, becoming one of today’s most popular password stealers, chiefly among groups of low- and medium-skilled threat actors.
Numerous groups are currently distributing the malware through a wide variety of methods, from email spam to cracked installers and booby-trapped torrent files.