LokiBot, a longstanding credential-stealing malware, has reemerged in a sophisticated campaign that employs JScript email attachments to infiltrate systems and exfiltrate sensitive data. This latest operation combines traditional phishing methods with advanced evasion techniques, underscoring the persistent threat posed by this malware family.
Initially introduced in 2015 by cybercriminals using the handles “lokistov” and “carter,” LokiBot had its source code leaked in 2018, which spawned numerous variants with expanded capabilities. Variants can target credentials from more than a hundred applications, including web browsers, cryptocurrency wallets, email clients, and FTP tools.
In the current campaign, attackers distribute phishing emails carrying malicious JScript (.js) attachments. When a recipient opens one, Windows Script Host runs the obfuscated script, which decodes and launches a Base64-encoded PowerShell command. That PowerShell stage decrypts a .NET assembly and loads it directly into memory, so the final payload is never written to disk where file-based scanners would inspect it.
The .NET assembly then performs process injection, specifically into aspnet_compiler.exe, a signed Microsoft binary shipped with the .NET Framework. Running inside a trusted, signed process lets LokiBot blend in with legitimate activity and lowers the chance that security software flags it; the telltale signs are contextual rather than file-based, such as that process being spawned by PowerShell or opening network connections.
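The execution chain above (script host to encoded PowerShell to in-memory .NET load to injection into aspnet_compiler.exe) is best caught by looking at process lineage rather than files. The following detector is an added example, not code from the article or from any vendor's product: it runs four chain-specific rules over a small set of constructed, Sysmon-style process-creation and network-connection events (the field names, file paths, IP address and rule names are simplifying assumptions made for this illustration, and the encoded PowerShell one-liner is a constructed stand-in with the same shape as the stage described, not the campaign's real script). It also decodes the `-EncodedCommand` argument, which PowerShell expects as Base64 over UTF-16LE text, so that reflective-load keywords hidden inside it can be inspected.

```python
import base64
import re

# --- Constructed sample telemetry (Sysmon-style, NOT real campaign data) ---
# The PowerShell one-liner below is illustrative: it has the same shape as the
# stage described in the article (Base64 -> bytes -> in-memory .NET load).
_INNER_PS = ("$b=[Convert]::FromBase64String($p);"
             "[Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)")
# powershell.exe -EncodedCommand expects Base64 of UTF-16LE text.
ENCODED_PS = base64.b64encode(_INNER_PS.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    # id 1: process creation, id 3: network connection (Sysmon event IDs)
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.js"'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": "powershell.exe -NoP -W Hidden -enc " + ENCODED_PS},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "aspnet_compiler.exe"},
    {"id": 3, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "dest": "203.0.113.10:80"},   # constructed, documentation-range address
    # Benign control: an interactive admin running a script from Explorer.
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELLS = {"powershell.exe", "pwsh.exe"}
INJECTION_TARGETS = {"aspnet_compiler.exe"}   # the injection host named in the article

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Keywords typical of "decode bytes, load assembly from memory"
REFLECTIVE_LOAD = re.compile(r"Reflection\.Assembly|::Load\(|FromBase64String", re.I)
JSCRIPT_FILE = re.compile(r"\.jse?\b", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:Downloads|AppData)\\|\\Temp\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def analyse(events):
    """Run the chain-specific rules over events; return a list of (rule, detail) pairs."""
    alerts = []
    for ev in events:
        image = basename(ev["image"])
        if ev["id"] == 1:
            parent = basename(ev["parent"])
            cmd = ev["cmd"]
            # Stage 1: a script host launching a .js/.jse from a user-writable path.
            if image in SCRIPT_HOSTS and JSCRIPT_FILE.search(cmd) and USER_WRITABLE.search(cmd):
                alerts.append(("jscript_from_user_writable_path", cmd))
            # Stage 2: PowerShell spawned by the script host; decode -enc and inspect it.
            if image in POWERSHELLS and parent in SCRIPT_HOSTS:
                decoded = decode_encoded_command(cmd)
                if decoded and REFLECTIVE_LOAD.search(decoded):
                    alerts.append(("reflective_load_from_script_host", decoded))
                else:
                    alerts.append(("powershell_from_script_host", cmd))
            # Stage 3: the injection target started by PowerShell instead of build tooling.
            if image in INJECTION_TARGETS and parent in POWERSHELLS:
                alerts.append(("injection_target_spawned_by_powershell", ev["image"]))
        elif ev["id"] == 3 and image in INJECTION_TARGETS:
            # Stage 4: a compiler binary has no legitimate reason to talk to the network.
            alerts.append(("injection_target_network_connection", ev["dest"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Against the constructed events the benign Explorer-launched script produces nothing, while each stage of the attack chain produces one alert. In production the same logic would read real Sysmon or EDR telemetry, and the aspnet_compiler.exe rules need tuning on hosts that legitimately run .NET build tooling; PowerShell script block logging (event 4104) complements this by recording the decoded script regardless of how it was obfuscated.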
Once active, LokiBot harvests credentials from the targeted applications, compresses the stolen data, and transmits it to a remote command-and-control (C2) server. With those credentials, attackers can access sensitive accounts and information, putting both individuals and organizations at significant risk.
Security researchers have observed that this campaign meticulously constructs each stage to minimize exposure and ensure the malware’s persistence. The use of obfuscation, in-memory execution, and process injection reflects a strategic effort to evade detection and analysis.
The resurgence of LokiBot highlights how cybercriminals blend established malware with modern evasion techniques. Organizations should pair user education with concrete controls: block or quarantine script attachments such as .js and .jse at the mail gateway, enable PowerShell script block logging so encoded commands are recorded in decoded form, and alert on script hosts spawning PowerShell or on build tools such as aspnet_compiler.exe making network connections.