This week, we are releasing 2 TTPs:
LokiBot is another piece of malware mentioned in CISA's "2021 Top Malware Strains" advisory. The malware is primarily known for stealing user credentials and cryptocurrency wallets. LokiBot can also evade defenses and inject itself into other processes.
At a high level, some of LokiBot's capabilities are:
This TTP was designed to emulate LokiBot's credential harvesting and exfiltration capabilities.
Execute "Can this host mitigate procedures used in LokiBot malware?" in Operator on each host in your environment to test if you are vulnerable.
This TTP starts by creating a .hdb file to store the gathered information. It then walks a list of directories and registry keys that the LokiBot malware is known to target, appending each finding to the .hdb file. Finally, the TTP checks whether those actions succeeded by inspecting the .hdb file: if it contains more than one line, the host allowed the harvesting to proceed and the TTP reports a failure.
Ensure the host's current settings block or at least log access to the 'LokiBot' specific directories and registry keys.
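The shape of the LokiBot TTP above, as an added PowerShell example that is not Prelude's TTP code: findings from a set of credential-store locations are appended to a .hdb file, and the "more than one line means failure" rule is applied. The directories and registry keys are illustrative placeholders chosen for this example (typical browser and autocomplete locations); the TTP's actual LokiBot-derived list is not reproduced on this page, and the one-line header that the rule tolerates is this example's interpretation.

```powershell
# Added example, not Prelude's TTP code. Gathers findings from assumed
# credential-store locations into a .hdb file, then applies the TTP's rule:
# more than one line in the file is a failure.

$HdbFile = Join-Path $env:TEMP 'lokibot-emulation.hdb'

# Assumed targets for this example; LokiBot's real list is not on the page.
$DirectoryTargets = @(
    (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'),
    (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default')
)
$RegistryTargets = @(
    'HKCU:\Software\Microsoft\Internet Explorer\IntelliForms\Storage2'
)

function Invoke-Harvest {
    param([string]$Path, [string[]]$Directories, [string[]]$RegistryKeys)
    # One header line of metadata is written first; every finding adds a line.
    Set-Content -Path $Path -Value "host=$env:COMPUTERNAME user=$env:USERNAME"
    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue |
            Select-Object -First 50 |
            ForEach-Object { Add-Content -Path $Path -Value "file`t$($_.FullName)`t$($_.Length)" }
    }
    foreach ($key in $RegistryKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        # Record value names and subkeys, never the secret values themselves.
        foreach ($name in $item.GetValueNames()) { Add-Content -Path $Path -Value "regvalue`t$key`t$name" }
        foreach ($sub in $item.GetSubKeyNames()) { Add-Content -Path $Path -Value "regkey`t$key\$sub" }
    }
}

function Test-Harvest {
    param([string]$Path)
    # If the host blocked file or key access, the .hdb never grows past its header.
    $lines = @(Get-Content -Path $Path -ErrorAction SilentlyContinue).Count
    if ($lines -gt 1) {
        Write-Output "FAIL: $Path holds $($lines - 1) findings; harvesting was not blocked"
        return $false
    }
    Write-Output "PASS: no findings were written to $Path"
    return $true
}

Remove-Item $HdbFile -ErrorAction SilentlyContinue
Invoke-Harvest -Path $HdbFile -Directories $DirectoryTargets -RegistryKeys $RegistryTargets
Test-Harvest -Path $HdbFile
```

Run it from an unprivileged PowerShell session on a test host; a normal workstation with a browser profile will fail, which is the point: a pass requires that the EDR or file and registry ACLs stop the enumeration before anything lands in the .hdb file.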
FormBook was one of the 11 pieces of malware listed in CISA's "2021 Top Malware Strains" advisory. One of FormBook's most notable features is its key logger. A key logger is a sneaky type of malware: you type sensitive information into your keyboard, convinced no one is looking, while the key logging software quietly records everything you enter.
Key loggers are programs that track your behavior and give attackers access to your personal information. Once placed on your computer, the program records every keystroke, so the passwords, credit card details, and websites you use are all captured. The key logger then sends its log file to a server, where criminals wait to exploit this sensitive information.
FormBook has many capabilities, but some of the notable ones are:
- … .xlsx, .pdf, .js, or .exe file.
- Key logging through the WinAPI functions GetMessage, PeekMessage, and SendMessage.
- Clipboard access through GetClipboardData.

We decided to emulate FormBook's key logging and clipboard access with PowerShell via native calls to WinAPI functions.
Execute "Can this host mitigate procedures used in FormBook malware?" in Operator on each host in your environment to test if you are vulnerable.
This TTP defines a key logger function that imports user32.dll to reach the native WinAPI, reads the user's keystrokes, and saves them to a log file. It then defines a clipboard function that reads the user's clipboard and appends it to the same log file. Each function runs for 5 seconds, after which the TTP checks whether those actions succeeded. If the log file contains data, the TTP fails; it passes only if the machine's protections blocked execution of these actions.
These behaviors are difficult to remediate because they rely on native Windows functionality and tools. Configuring the host's EDR to block PowerShell execution for specific users or groups can help mitigate the risk. Logging and alerting on WinAPI calls made from PowerShell increases visibility and speeds detection when this kind of functionality runs; PowerShell script block logging (Event ID 4104) records the Add-Type P/Invoke definitions such scripts use to reach user32.dll, which makes it a reliable place to look.
Check out the TTP "Can this host mitigate procedures used in FormBook malware?"
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Kris: https://twitter.com/Xanthonus
Octavia: https://twitter.com/VVX7