Lokibot Malware

Lokibot is infostealing malware that was first discovered in 2016. Between 2020 and 2021, the malware experienced a significant drop but remains the fourth infostealer malware overall, according to Check Point’s 2023 Cyber Security Report.

Read the Security Report Schedule a Demo

How the Malware Works

Lokibot is trojan, infostealer malware that commonly targets Android phones and Windows devices. As a trojan, its goal is to sneak undetected onto a system by masquerading as a desirable or benign program. It has been distributed via various methods, including phishing emails, malicious websites, SMS, and other messaging platforms. According to Check Point Research, Loki malware has even been delivered preinstalled on Android devices.

Lokibot is modularized with many components that provide different features to the malware operator. The malware has been known to serve malicious ads to gain revenue and provide backdoor access to infected devices.

However, the primary purpose of Lokibot is to act as an infostealer Once it has infected a device, it will look for applications that store login credentials, such as browsers or email programs, and steal and exfiltrate those credentials to the attacker. Lokibot also includes keylogging functionality, enabling it to capture login credentials as they are entered into the system by the user.

The Threat

Since Lokibot is an infostealer, its primary purpose is to steal user credentials from infected machines. The impact of the theft of these credentials depends on their purpose. Successful credential theft could allow an attacker to steal sensitive data, gain access to other systems within an organization’s network or achieve other purposes.

In addition to this core infostealing functionality, Lokibot also incorporates modules that can be used for other purposes. For example, the backdoor functionality built into Lokibot could allow an attacker to remotely control an infected system and use it to download additional malware. After using Lokibot to gain initial access to a system, an attacker could download ransomware or other malware to expand their capabilities and the impact of their attack.

Target Industries

Lokibot is a widely used malware variant, especially after its source code was potentially leaked. This means that many cybercrime groups incorporate it and variants of it into their attacks. With so many groups using it and Lokibot’s wide range of capabilities, it is not targeted at any specific industry or geographic location.

How to Protect Against LokiBot Malware

Some best practices for protecting against Lokibot and managing the impact of Lokibot infections include:

  • Anti-Phishing Protection: Lokibot is a trojan that is often distributed as an attachment to phishing emails and other messages. Anti-phishing solutions that can identify and block malicious content in attachments from reaching the user can protect against infections by Lokibot.
  • Endpoint Security Solutions: Lokibot is a well-known malware variant, and most endpoint security solutions have a signature for it and are familiar with its activities. Deploying an endpoint security solution on all devices and keeping them up to date should help to reduce the risk of infections. Additionally, endpoint security solutions may be able to prevent the download and execution of second-stage malware delivered via Lokibot.
  • Multi-Factor Authentication (MFA): Lokibot’s primary purpose is to identify and steal employees’ login credentials from infected machines. By deploying MFA across the organization, a company can limit the utility of these compromised credentials to an attacker.
  • Zero-Trust Security: A zero trust security strategy limits the access and permissions of user accounts to the minimum required for their role. By implementing and enforcing zero trust principles, an organization can limit the damage that can be done with an account compromised via credentials stolen by Lokibot.
  • Cybersecurity Awareness Training: Lokibot malware is commonly spread via phishing attacks and malicious websites. Cybersecurity training can help employees to identify and properly respond to these threats, limiting the risk of infections.
  • Network Traffic Monitoring: Lokibot can be used as a remote access trojan (RAT), allowing an attacker to remotely control an infected computer to steal data or install malware. Unusual network traffic associated with Lokibot’s use as a RAT can be detected via network traffic analysis.

LokiBot Malware Detection and Protection with Check Point

Lokibot is a versatile, modular malware that can pose a significant threat to an organization. After sneaking into an organization’s network, it can steal user credentials, provide an attacker with remote access to a system, and be used to deploy second-stage malware.

While Lokibot waned in prominence over the last year, it and other malware variants pose a significant threat to corporate cybersecurity. To learn more about the current cyber threat landscape, check out Check Point’s 2022 Cyber Security report.

Check Point’s Harmony Endpoint provides comprehensive protection against Lokibot and other leading malware variants. To learn more about Harmony Endpoint and see its capabilities for yourself, sign up for a free demo today.

This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.