Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021. Learn more about the versioning system or see the live site.
SOFTWARE
Aria-body
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. Lokibot

Lokibot

Lokibot is a malware designed to collect credentials and security tokens from an infected machine. Lokibot has also been used to establish backdoors in enterprise environments.[1][2]

ID: S0447
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 14 May 2020
Last Modified: 18 May 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Lokibot has used HTTP for C2 communications.[1]
Enterprise T1555 Credentials from Password Stores

Lokibot has stolen credentials from multiple applications and data sources including Windows OS credentials, email clients, FTP, and SFTP clients.[1]
.003 Credentials from Web Browsers

Lokibot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers.[1]
Enterprise T1041 Exfiltration Over C2 Channel

Lokibot has the ability to initiate contact with command and control (C2) to exfiltrate stolen data.[3]
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Lokibot has the ability to copy itself to a hidden file and directory.[1]
Enterprise T1056 .001 Input Capture: Keylogging

Lokibot has the ability to capture input on the compromised host via keylogging.[3]
Enterprise T1027 Obfuscated Files or Information

Lokibot has obfuscated strings with base64 encoding.[1]
.002 Software Packing

Lokibot has used several packing methods for obfuscation.[1]
Enterprise T1055 .012 Process Injection: Process Hollowing

Lokibot has used process hollowing to inject into legitimate Windows process vbc.exe.[1]
Enterprise T1082 System Information Discovery

Lokibot has the ability to discover the computer name and Windows product name/version.[3]
Enterprise T1016 System Network Configuration Discovery

Lokibot has the ability to discover the domain name of the infected host.[3]
Enterprise T1033 System Owner/User Discovery

Lokibot has the ability to discover the username on the infected host.[3]
Enterprise T1204 .002 User Execution: Malicious File

Lokibot has been executed through malicious documents contained in spearphishing e-mails.[4]

Groups That Use This Software

ID Name References
G0083 SilverTerrier

[5]

References

  1. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
  2. Cheruku, H. (2020, April 15). LOKIBOT WITH AUTOIT OBFUSCATOR + FRENCHY SHELLCODE. Retrieved May 14, 2020.
  3. Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020.
  1. Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019.
  2. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.