LokiBot malware now hides its source code in image files

The LokiBot malware family has been given a significant upgrade: a new variant hides its encrypted payload inside image files that it drops on infected machines. 

Known as steganography, the technique hides messages or code inside carrier files of various formats, including .txt, .jpg, .rtf and some video formats, in a way that leaves the carrier file usable. 

Steganography has legitimate uses, such as watermarking files to protect intellectual property and copyright, but attackers use the same idea to conceal malicious code and functionality inside files that look benign and open normally. 

The developers of LokiBot have realized the potential of steganography for concealment. Trend Micro researchers Miguel Ang, Erika Mendoza, and Jay Yaneza said this week that a new variant of the malware uses the technique to hide its code.

During recent campaigns, the variant has hidden encrypted binaries inside .png files, found within malicious archive files attached to phishing emails. 


Trend Micro came across a sample in a phishing email sent to a company in Southeast Asia. The sample phishing email contained a Microsoft Word .doc attachment containing two objects, a Microsoft Excel 97-2003 Worksheet and a package labeled ‘package.json.’ A scan on VirusTotal uncovered other, similar samples containing steganographic elements. 

If the malicious document is opened, an embedded script drops the malware loader as a .exe file in a temporary folder, alongside a .jpg file that carries the encrypted LokiBot code. 

“One characteristic of the image file that we found interesting is that it can actually be opened as an image,” the researchers note. “However, it also contains data that LokiBot references in its unpacking routine.”


The malware’s loader searches the image file for a particular string, or “marker”, and the data that follows it is what the loader decrypts. Standard decryption such as AES is not used; the researchers say the malware uses its “own method of decryption”.


The decrypted content is then unpacked and loaded in memory, launching the malware on the target system. 
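The chain described above (a valid image that also carries a marker and an encrypted blob, which a loader locates and decrypts) can be reproduced and checked with the following example. This is an added illustration, not code from the Trend Micro write-up or from LokiBot itself: it builds a minimal but valid PNG, appends a marker and an obfuscated payload after the IEND chunk so the file still opens as an image, then applies the two checks an analyst would run on a suspicious dropped image: walk the chunk structure to find bytes after IEND, and search for the marker to recover the payload. The marker string `EXAMPLE-STEGO-MARKER` and the single-byte XOR standing in for the malware’s “own method of decryption” are assumptions; the real marker and routine are not given on this page.

```python
import struct
import zlib
from typing import List, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Assumptions for illustration only: LokiBot's real marker string and its
# custom decryption routine are not given on the page, so a made-up marker
# and a single-byte XOR stand in for them here.
MARKER = b"EXAMPLE-STEGO-MARKER"
XOR_KEY = b"\x5a"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """A valid 1x1 8-bit greyscale PNG: the benign carrier any viewer can open."""
    # width, height, bit depth, colour type, compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00\x00"  # filter type 0, then one grey pixel
    return (PNG_SIG
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanline))
            + png_chunk(b"IEND", b""))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: applied once to hide the payload, once more to recover it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed_payload(png: bytes, payload: bytes) -> bytes:
    """Append marker + obfuscated payload after IEND; decoders stop at IEND, so the image still opens."""
    return png + MARKER + xor_bytes(payload, XOR_KEY)


def parse_png_chunks(blob: bytes) -> Tuple[List[bytes], int]:
    """Walk the chunk list, verifying every CRC. Returns (chunk types, offset just past IEND)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    off = len(PNG_SIG)
    types: List[bytes] = []
    while off + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[off:off + 8])
        end = off + 12 + length
        if end > len(blob):
            raise ValueError(f"truncated chunk {ctype!r}")
        data = blob[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", blob[off + 8 + length:end])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        types.append(ctype)
        off = end
        if ctype == b"IEND":
            return types, off
    raise ValueError("no IEND chunk")


def trailing_bytes(blob: bytes) -> bytes:
    """Triage check: anything after IEND is not image data and deserves a look."""
    _, end = parse_png_chunks(blob)
    return blob[end:]


def extract_payload(blob: bytes) -> Optional[bytes]:
    """What the loader does: find the marker and treat everything after it as the blob to decrypt."""
    idx = blob.find(MARKER)
    if idx < 0:
        return None
    return xor_bytes(blob[idx + len(MARKER):], XOR_KEY)


if __name__ == "__main__":
    carrier = build_minimal_png()
    # Constructed sample standing in for an encrypted binary; not a real payload.
    fake_exe = b"MZ\x90\x00" + b"constructed stand-in for an encrypted binary"
    stego = embed_payload(carrier, fake_exe)
    print("chunks:", parse_png_chunks(stego)[0])          # image structure still intact
    print("bytes after IEND:", len(trailing_bytes(stego)))
    print("recovered:", extract_payload(stego))
```

The trailing-bytes check is the one worth carrying into triage tooling: a PNG whose chunk list parses cleanly yet has data after IEND (or a JPEG with data after its end-of-image marker) is structurally valid to a viewer and still a carrier. Searching for a fixed marker, as the loader does, only works once the marker is known from analysis of a sample, so the structural check is the more general first pass.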

“One likely reason for this particular variant’s reliance on steganography is that it adds another layer of obfuscation — wscript (the VBS file interpreter) is used to execute the malware instead of the actual malware executing itself,” Trend Micro says. “Since the autostart mechanism uses a script, future variants can choose to change the persistence method by modifying the script file on the fly.”

LokiBot steals information, acts as a keylogger, and establishes a backdoor on Windows systems that it uses both to maintain persistence and to send stolen data to the attacker’s command-and-control (C2) server. 


The researchers say that the new strain of LokiBot has been spotted in phishing emails sent to members of at least 56 organizations. 

“As one of the most active information stealers in the wild today, LokiBot shows no signs of slowing down,” Trend Micro says. “The updates to its persistence and obfuscation mechanisms show that LokiBot is still being updated and will likely remain a threat to be dealt with in the near future.”
