Can this host mitigate procedures used in LokiBot malware?

This TTP emulates LokiBot malware by adding files and registry keys that hold credentials to a .hdb file.

This week, we are releasing 2 TTPs:

  • Can this host mitigate procedures used in LokiBot malware?
  • Can this host mitigate procedures used in FormBook malware?

Can this host mitigate procedures used in LokiBot malware?

LokiBot is another piece of malware mentioned in CISA's "2021 Top Malware Strains" advisory. The malware is primarily known for stealing user credentials and cryptocurrency wallets. LokiBot can also evade defenses and inject itself into other processes.

At a high level, some of LokiBot's capabilities are:

  • Initial access - malspam campaigns with malicious attachments that typically rely on user execution.
  • Defense evasion - binary obfuscation via packing and base64 encoding of strings.
  • Persistence - copying itself into a hidden file and folder on disk.
  • Credential harvesting - stealing passwords from web browsers and other data sources in various applications.
  • Data collection - capturing user input via key logging.
  • Exfiltration - sending stolen data back to its command and control server.

This TTP was designed to emulate LokiBot's credential harvesting and exfiltration capabilities.

Testing

Execute `Can this host mitigate procedures used in LokiBot malware?` in Operator on each host in your environment to test if you are vulnerable.

This TTP starts by creating a .hdb file that stores gathered information. It will then go through a list of specific directories and registry keys defined by the LokiBot malware, adding findings to the .hdb file. The TTP will then check to identify if these actions were successful. The TTP determines failure by whether there are contents inside the .hdb file. A .hdb file with more than one line will be considered a failure by the TTP.

Remediation

Ensure the host's current settings block or at least log access to the 'LokiBot' specific directories and registry keys.

Can this host mitigate procedures used in FormBook malware?

FormBook was one of the 11 pieces of malware listed on CISA "2021 Top Malware Strains". One of FormBook's most notable features is the key logger. A key logger is a sneaky type of malware. You type critical information into your keyboard, convinced no one is looking. In truth, key logging software is constantly logging whatever you enter.

Key loggers are software applications that track your behavior and provide hackers access to your personal information. The program is placed on your computer and records every keystroke. The passwords, credit card details, and websites you use are tracked by monitoring your keyboard strokes. A key logger will then send a log file to the server, where fraudsters await to exploit this sensitive information.

FormBook has many capabilities, but some of the notable ones are:

  • Initial Access - distribution via phishing email with an attached `.xlsx`, `.pdf`, `.js`, or `.exe` file.
  • Credential Access - attempting to capture keystrokes via these WinAPI functions `GetMessage`, `PeekMessage`, and `SendMessage`.
  • Data collection - collecting data from Window's clipboard using the WinAPI function `GetClipboardData`.
  • Exfiltration - encoding data (base64), then encrypting data (RC4), and finally sending data back to the attacker via HTTP.

We decided to emulate FormBook's key logging and clipboard access with PowerShell via native calls to WinAPI functions.

Testing

Execute `Can this host mitigate procedures used in FormBook malware?` in Operator on each host in your environment to test if you are vulnerable.

This TTP creates a key logger function that will import user32.dll to allow access to the native WinAPI. This allows us to read user keystrokes, which we save to our log file. We then create a clipboard function that steals a user's clipboard and appends it to our log file. It will run each of these functions for 5 seconds, and then the TTP will check to identify if these actions were successful. If the log file has data, the TTP will fail. The TTP will pass if the machine's protections blocked execution of these actions.

Remediation

These attacks are difficult to remediate since they rely on native Windows functionality and tools. Configuring the host's EDRs to block PowerShell execution from specific users or groups can help mitigate these risks. Logging and notifying on calls to WinAPI functions from PowerShell can increase visibility allowing for faster detection when this type of functionality occurs.

Check out the TTP Can this host mitigate procedures used in FormBook malware?

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current

See the latest kill chain and TTP Releases: https://chains.prelude.org

See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu

Reddit: https://www.reddit.com/r/preludeorg/

Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg

Read our blog: https://feed.prelude.org

Watch our live streams: https://www.twitch.tv/preludeorg

Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky

Alex: https://twitter.com/khyberspache

Kris: https://twitter.com/Xanthonus

Octavia: https://twitter.com/VV_X_7

Bart: https://twitter.com/bartimusprimed

Sam: https://twitter.com/heavenraiza

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.0)
Learn about Operator

TTPs

Can this host mitigate procedures used in LokiBot malware?