Technical Details. LokiBot (also written Lokibot, Loki PWS, and Loki-bot) is Trojan malware that steals sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials.
Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is taken from the 8th through 13th characters of the mutex name. For example: “%APPDATA%
Loki is an info-stealer malware that was first detected in February 2016. This malware first targeted Android systems and its capabilities
Newly Discovered Infostealer Attack Uses LokiBot … The FortiGuard Labs SE team identified a new malicious spam campaign
Loki Botnet First advertised as an information stealer and keylogger when it appeared in underground forums in 2015, Loki Botnet has added various capabilities over the years and has affected many users worldwide. LokiBot is deployed as a botnet, where a number of compromised systems running the malware connect to command-and-control (C&C) servers in order to send stolen data and receive commands from the botnet operator.
Loki Botnet has been distributed via phishing campaigns that carry malicious attachments or embedded URLs. More recently it has also been found to hide its payload inside image files, using the technique known as steganography. Loki Botnet installs itself from a downloaded zipped file, which is deleted once the system has been infected in order to avoid detection. The malware steals credentials from the compromised system; the stolen data is compressed and exfiltrated over an HTTP channel to a C&C panel.
In this research, we conducted an analysis of the URL structure of the Loki Botnet C&C panels and how these have evolved over time, concentrating on the C&C panel entry points. In this paper the ‘entry point’ refers to the web access point used by the botnet operator to manage the botnet. This is basically a PHP web-based C&C panel component that gives the botnet operator administrator capabilities. We also highlight the gate component that is used as an entry point for the bots to communicate and transmit data. The gate can be considered one of the primary components of the C&C panel design because it provides gateway and filtering functionalities. In the majority of cases the gate component resides on the same server as the C&C panel, but it can be configured or changed accordingly.
The aim of this research is to build intelligence for detection and prevention solutions including security analytics.
LokiBot C&C panel: characteristics
In this section we look at the characteristics of the LokiBot C&C panel. A number of pointers are provided below:
- The Loki Botnet C&C panel uses the HTTP protocol as its communication mechanism.
- The C&C panel is developed entirely in PHP (the v3.0 panel base is PHP), while the malware itself, which talks to that panel, is written in C++ and C#.
- The Loki Botnet C&C panel consists of two main components: the main administrative panel used by the botnet operator to administer the botnet, and the gate component that provides filtering capabilities so that data received from the compromised systems can be examined and bots can be verified. Other components are developed to ease the handling and management of stolen data from the compromised machines. (The C&C panel components are discussed in detail in the next section.)
- The data exfiltrated from the compromised endpoints is sent to the C&C panel in a compressed format over HTTP. The data is received by the gate component, which validates the authenticity of the data by checking the identity of the bot before the data is written to the backend database and retrieved by the main C&C panel for the botnet operator to use.
- Loki Botnet transmits data in zipped format; the log files are protected with a custom encryption algorithm combined with Base64 encoding, and the panel reverses both steps (Base64 decoding, then custom decryption) to recover the stolen data.
- The Loki Botnet C&C panel can be deployed with anti-automation mechanisms to hinder brute-force login attempts against the panel over HTTP. For that, a CAPTCHA is supported by the C&C panel. Figure 1 shows an example of a Loki Botnet C&C panel with CAPTCHA implementation; Figure 2 shows an example of a Loki Botnet C&C panel without CAPTCHA implementation.
LokiBotnet C&C panel: components
The basic structure of the LokiBotnet C&C panel with all the related components is outlined in the table below.
| # | Component | Description |
|---|---|---|
| 1 | index.php | Main landing page of the C&C panel, from where access is granted to the botnet operator. |
| 2 | gate.php | Intermediate proxy component that acts as the interface between the main C&C panel and the bots running on the compromised machines. |
| 3 | functions.php | Supporting functions such as error_reporting, base64Decrypt and traffic_decrypt are defined in this component. |
| 4 | install.php | Web component used to deploy the C&C panel before infections are spread. It installs the backend database that holds the stolen data and sets up search capability, loader configuration and other tasks. |
| 5 | settings.php | Configures the settings of the C&C panel, including error handling, authentication, authorization, database configuration and others. |
| 6 | auth.php | Module that configures authentication for the C&C panel, including how the gate authenticates itself to the panel before storing stolen data in the database. |
| 7 | viewer.php | Provides viewing capability to the botnet operator in the C&C panel so that stolen data is easy to manage. |
| 8 | converter.php | Provides conversion routines for handling data in more convenient formats; for example, NetScapeToJson converts Netscape-format cookies to JSON. |
| 9 | search.php | Provides a search capability so the botnet operator can locate specific records in the dump of stolen information stored in the backend database. |
| 10 | loader.php | Loads the stolen data handed over by the gate component into the database and keeps the records updated. It also loads data from the database into the main C&C panel. |
| 11 | logs/ | Folder used to store logs about stolen data and system-related errors. |
| 12 | tmp/ | Temporary folder used to store modules that are no longer required after installation of the C&C panel. |
| 13 | stealer/ | Folder holding a text file that defines the rules for the bot to steal data from specific URLs and domains. The file is passed to the bot running on the compromised system. |
| 14 | assets/ | Folder holding GeoIP modules and the CSS used to lay out and manage data in the C&C panel. |
The gate component of the Loki Botnet C&C panel is written in PHP. The paper's listing shows how the gate determines the source IP of the bot that initiated the connection: it consults a set of forwarding headers from the incoming HTTP request (exposed to PHP through the corresponding $_SERVER['HTTP_*'] keys). The headers it looks at are:
- X-Forwarded-For (or X-Forwarded-IP): the originating client address as reported by a proxy or load balancer in front of the bot.
- CF-Connecting-IP (seen by PHP as HTTP_CF_CONNECTING_IP): the originating client address as reported by the Cloudflare Content Delivery Network (CDN).
- X-ProxyUser-IP: the originating client address as reported by Google proxy services.
- X-Real-IP: the originating client address as set by a load balancer or reverse proxy.
All of these are ordinary request headers that any client can set, and the gate takes them at face value. A "bot IP" recorded by the panel can therefore be forged by whoever sends the request, which matters both for the operator (the panel's geolocation and filtering can be fed fake addresses) and for analysts working from a seized panel database, who should not treat those addresses as authoritative.
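The header-precedence logic described above, with a hardened variant beside it, as an added Python illustration (not the panel's PHP and not taken from the paper). The header order, the trusted-proxy range 10.0.0.0/8 and the two sample requests are assumptions constructed for the example; the `server` dicts mimic PHP's `$_SERVER`.

```python
"""Client-IP resolution the way a LokiBot-style gate does it, next to a
version that only trusts forwarding headers from known proxies.
Added example: the header order, trusted range and requests are assumed."""
import ipaddress

# Forwarding headers consulted, in order (assumption; mirrors the list in
# the text; PHP exposes header X-Foo-Bar as $_SERVER['HTTP_X_FOO_BAR']).
FORWARDING_HEADERS = (
    "HTTP_CF_CONNECTING_IP",   # Cloudflare CDN
    "HTTP_X_FORWARDED_FOR",    # generic proxy / load balancer, may be a list
    "HTTP_X_FORWARDED_IP",
    "HTTP_X_PROXYUSER_IP",     # Google proxy services
    "HTTP_X_REAL_IP",          # reverse proxy / load balancer
)


def _first_valid_ip(value):
    """X-Forwarded-For may read 'client, proxy1, proxy2'; return the first
    syntactically valid address, or None if nothing parses."""
    for part in value.split(","):
        part = part.strip()
        try:
            return str(ipaddress.ip_address(part))
        except ValueError:
            continue
    return None


def gate_style_client_ip(server):
    """Naive resolution: honour the first forwarding header present and
    fall back to the TCP peer (REMOTE_ADDR) only if none parses."""
    for key in FORWARDING_HEADERS:
        if key in server:
            ip = _first_valid_ip(server[key])
            if ip:
                return ip
    return server.get("REMOTE_ADDR")


def hardened_client_ip(server, trusted_proxies):
    """Honour forwarding headers only when the TCP peer is a proxy we
    operate; otherwise the headers are client-controlled and the peer
    address is the only value we can stand behind."""
    peer = server.get("REMOTE_ADDR")
    if peer is None:
        return None
    peer_addr = ipaddress.ip_address(peer)
    if not any(peer_addr in net for net in trusted_proxies):
        return peer
    return gate_style_client_ip(server)


# Assumed reverse-proxy range for the hardened variant.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed requests (documentation/TEST-NET addresses):
# a genuine bot behind a proxy we run, and a direct client forging the header.
PROXIED_REQUEST = {"REMOTE_ADDR": "10.0.0.5",
                   "HTTP_X_FORWARDED_FOR": "198.51.100.23, 10.0.0.5"}
FORGED_REQUEST = {"REMOTE_ADDR": "203.0.113.9",
                  "HTTP_X_FORWARDED_FOR": "198.51.100.23"}

if __name__ == "__main__":
    for name, req in (("proxied", PROXIED_REQUEST), ("forged", FORGED_REQUEST)):
        print(name, gate_style_client_ip(req),
              hardened_client_ip(req, TRUSTED_PROXIES))
```

For the forged request the gate-style function reports 198.51.100.23, the address the client chose, while the hardened version reports the real peer 203.0.113.9; for the genuinely proxied request both agree.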
Empirical analysis: C&C deployments
We looked into 1,960 different LokiBot C&C panel URLs that were live at the time of analysis. All of the C&C panel deployments used PHP as the main component. The URLs comprised both domain names and IP addresses. IP addresses are commonly used in C&C panels so that the compromised endpoint never has to issue a DNS query for the panel: this keeps the infection out of DNS logs and DNS-based detections and lets the endpoint connect directly to the panel's address. The data analysis was performed on the primary C&C panel component, i.e. the main entry PHP web page that the botnet operator uses to administer the botnet.
Table 2 highlights the C&C components that use a PHP page as the entry point for botnet operators to manage real-world LokiBotnet instances. Table 3 gives the percentage breakdown of the LokiBotnet C&C entry points observed in these live deployments.
- Approximately 95% of the live Loki Botnet deployments use ‘PvqDq929BSx_A_D_M1n_a.php’ as the main entry point.
- In the string ‘PvqDq929BSx_A_D_M1n_a.php’ the word ‘admin’ is written as ‘_A_D_M1n_a.php’, split by underscores and with ‘1’ standing in for ‘i’, to avoid basic detections that match common words in the URL structure. A detection that normalizes the path (strips underscores and maps leet digits) before matching is not fooled by this.
- The other C&C entry points – ‘desk.php’, ‘sand.php’, ‘omc.php’, ‘uMc.php’, etc. – represent just 5% of the dataset chosen for analysis, which shows that an obfuscated string is preferred when naming the C&C entry-point resource.
- The majority of the LokiBot C&C deployments are configured over HTTP without TLS, i.e. a non-HTTPS channel is used for communication. As a result, all the communication travels over an unencrypted channel and can be inspected by anyone positioned on the network path, including the defenders of the infected environment. LokiBot does provide HTTPS support, but it has to be configured explicitly.
- The stolen data transmitted by the bot from the compromised machine is received by the gate component first, which analyses the data to verify the authenticity of the bot. Once the bot's identity is established, the stolen data is passed to the backend storage so that it can be analysed and accessed in the C&C panel.
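The traits listed above (known entry-point file names, the underscore-and-leet obfuscation of ‘admin’, raw IP hosts, plain HTTP) can be turned into a URL triage routine. The Python below is an added example, not code from the paper or from the panel; the leet mapping, the reason strings and the sample URLs (which use documentation IP ranges and example domains) are constructed for illustration.

```python
"""Triage of candidate LokiBot C&C URLs from the traits described in the
text.  Added example: leet map, reason labels and sample URLs are assumed."""
import re
from urllib.parse import urlsplit

# Entry-point file names named in the text, lower-cased for comparison.
KNOWN_ENTRY_POINTS = {
    "pvqdq929bsx_a_d_m1n_a.php", "desk.php", "sand.php", "omc.php", "umc.php",
}

# Leet-digit normalization used to undo '_A_D_M1n_a' style obfuscation (assumed map).
LEET = str.maketrans({"1": "i", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t"})

IPV4_HOST = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def deobfuscate(name):
    """Lower-case, drop underscores and map leet digits, so that
    'PvqDq929BSx_A_D_M1n_a' becomes 'pvqdq929bsxadmina' and exposes 'admin'."""
    return name.lower().replace("_", "").translate(LEET)


def score_url(url):
    """Return the list of LokiBot C&C traits a URL exhibits (empty if none)."""
    parts = urlsplit(url)
    filename = parts.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if filename in KNOWN_ENTRY_POINTS:
        reasons.append("known LokiBot entry-point name")
    # Flag 'admin' only when it is hidden: visible in the normalized name
    # but not in the raw one (a plain admin.php is not obfuscated).
    if filename.endswith(".php") and "admin" not in filename \
            and "admin" in deobfuscate(filename[:-4]):
        reasons.append("obfuscated 'admin' in PHP resource name")
    if parts.scheme == "http":
        reasons.append("plain HTTP, no TLS")
    if IPV4_HOST.fullmatch(parts.hostname or ""):
        reasons.append("raw IPv4 host (no DNS lookup from the endpoint)")
    return reasons


def triage(urls):
    """Map each URL to its matched traits; callers decide the threshold."""
    return {u: score_url(u) for u in urls}


# Constructed sample URLs (TEST-NET addresses and example domains).
SAMPLE_URLS = [
    "http://203.0.113.45/panel/PvqDq929BSx_A_D_M1n_a.php",  # textbook LokiBot entry point
    "http://198.51.100.7/panel/gate.php",                    # gate on a raw IP, plain HTTP
    "http://example.org/_a_d_m_1_n_.php",                    # obfuscated admin, unlisted name
    "https://example.com/wp-admin/admin.php",                # benign-looking admin page
]

if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_URLS).items():
        print(f"{len(reasons)} trait(s): {url}")
        for r in reasons:
            print("   -", r)
```

The first sample trips all four traits, the gate URL two (transport and host only), the unlisted-but-obfuscated name two, and the HTTPS admin page none. Matching on the normalized name rather than the literal string is what lets the check survive the next variant of the ‘_A_D_M1n_a’ trick.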
Conducting an empirical analysis of Loki Botnet C&C structure helps to build intelligence that can be used to enhance the detection and prevention efficacy of security solutions. It also helps to unearth the advancements in techniques used by the attackers to trigger infections and steal data.