Lokibot is infostealing malware that was first discovered in 2016. Between 2020 and 2021, the malware experienced a significant drop but remains the fourth infostealer malware overall, according to Check Point’s 2023 Cyber Security Report.
Lokibot is trojan, infostealer malware that commonly targets Android phones and Windows devices. As a trojan, its goal is to sneak undetected onto a system by masquerading as a desirable or benign program. It has been distributed via various methods, including phishing emails, malicious websites, SMS, and other messaging platforms. According to Check Point Research, Loki malware has even been delivered preinstalled on Android devices.
Lokibot is modularized with many components that provide different features to the malware operator. The malware has been known to serve malicious ads to gain revenue and provide backdoor access to infected devices.
However, the primary purpose of Lokibot is to act as an infostealer Once it has infected a device, it will look for applications that store login credentials, such as browsers or email programs, and steal and exfiltrate those credentials to the attacker. Lokibot also includes keylogging functionality, enabling it to capture login credentials as they are entered into the system by the user.
Since Lokibot is an infostealer, its primary purpose is to steal user credentials from infected machines. The impact of the theft of these credentials depends on their purpose. Successful credential theft could allow an attacker to steal sensitive data, gain access to other systems within an organization’s network or achieve other purposes.
In addition to this core infostealing functionality, Lokibot also incorporates modules that can be used for other purposes. For example, the backdoor functionality built into Lokibot could allow an attacker to remotely control an infected system and use it to download additional malware. After using Lokibot to gain initial access to a system, an attacker could download ransomware or other malware to expand their capabilities and the impact of their attack.
Lokibot is a widely used malware variant, especially after its source code was potentially leaked. This means that many cybercrime groups incorporate it and variants of it into their attacks. With so many groups using it and Lokibot’s wide range of capabilities, it is not targeted at any specific industry or geographic location.
Some best practices for protecting against Lokibot and managing the impact of Lokibot infections include:
Lokibot is a versatile, modular malware that can pose a significant threat to an organization. After sneaking into an organization’s network, it can steal user credentials, provide an attacker with remote access to a system, and be used to deploy second-stage malware.
While Lokibot waned in prominence over the last year, it and other malware variants pose a significant threat to corporate cybersecurity. To learn more about the current cyber threat landscape, check out Check Point’s 2022 Cyber Security report.
Check Point’s Harmony Endpoint provides comprehensive protection against Lokibot and other leading malware variants. To learn more about Harmony Endpoint and see its capabilities for yourself, sign up for a free demo today.
Advanced Network Threat Prevention