According to the researcher who goes online by the Twitter handle “d00rt,” samples of the LokiBot malware samples being distributed in the wild are modified versions of the original sample.
I just released an article where are evidences that demonstrate the current distributed #LokiBot infostealer samples were "hijacked" by a third actor. In the repository there are Scripts for extracting the static config and code for disinfecting. https://t.co/CaweOxdwT1
— d00rt (@D00RT_RM) July 6, 2018
The original LokiBot malware was developed and sold by online by a hacker who goes online by the alias “lokistov,” (aks Carter).
The malicious code was initially advertised on many hacking forums for up to $300, later other threat actors started offering it for less than $80 in the cybercrime underground.
According to d00rt there is an explanation for such kind of proliferation online, a threat actor may have “hijacked” the original malware, and even without having a direct access to the original source code he was able to offer other hackers the possibility to set up their own domains for receiving the stolen data.
The expert reversed many pieces of malware and found five references to the C&C server, four of them are encrypted using Triple DES algorithm and one using a simple XOR cipher.
The malware uses the function “Decrypt3DESstring” to decrypt the encrypted strings and get the URL of the command-and-control server.
According to the expert, the Decrypt3DESstring found in the sample he analyzed is different from the ones available in previous variants of the LokiBot malware
The new Decrypt3DESstring function discovered in new samples always return value from the XOR-protected string, instead of Triple DES strings.
“The 3DES protected URLs are always the same in the all of the LokiBot samples of this version,” the researcher wrote.
“Therefore, those URLs are never used. Decrypt3DESstring returns a 3DES decrypted buffer. This should be the ideal behavior of this function, but as was described before, each time Decrypt3DESstring is called, it returns a decrypted url with XOR or encrypted url with XOR.”
The expert explained that anyone with a new sample of LokiBot could use a simple HEX editor to modify the program and add its custom URLs for receiving the stolen data.
“The newest (or the most extended) LokiBot samples are patched. There is a new section called “x” where is a xored url. That url is the control panel url. Keeping that in mind, it would be very easy to create a builder, for creating LokiBot samples with a new control panel and sell it. You could change the xored url with another xored url using a hex editor or with a simple script.” continues the analysis published by the expert.
“There exist a builder in the underground forums which is able to create new
LokiBot samples with a custom control panel. As I explained before, this builder
encrypts the control panel with xor an writes it in the “x” section.
d00rt discovered several LokiBot samples available for sale on the underground market that were patched by using a builder available in the underground forums.
The author of LokiBot malware, meantime, has launched the new version 2.0 and he is offering it on many forums.
The decryption function was also being used to get registry values required for making the malware persistent on a system, but since after patching the decryption function only returns a URL, the new LokiBot samples fails to restart after the device reboots.
The expert also discovered that the modification introduced to patch the malware introduces a couple of bugs in malicious code.
Some strings of LokiBot malware are encrypted and the malware uses the function Decrypt3DESstring to decrypt them. After patching this function, it always returns the same string that is the XORed url which is located at “x” section.
“The following is the registry key name used in persistence:
This registry key is encrypted using 3DES algorithm. When the patched LokiBot tries to get persistence, it uses Decrypt3DESstring to decrypt the registry key name. But because that function is patched, the returned string is the url at “x” section, instead of the registry key.
Further technical details for the threat are reported in the research paper published by the expert on GitHub.