Researchers found out that the majority of the LokiBot malware samples being spread in the wild are actually hijacked versions of the original malware.
LokiBot malware has been targeting users since 2015. It attempts to steal passwords and cryptocurrency wallets from a range of web browsers, FTP, poker and email clients, and IT administration tools, including PuTTY and others.
The original version of LokiBot was developed by an actor using the online alias Lokistov, also known as Carter, and was sold on hacking forums for a couple of hundred dollars. Later, the malware was available on underground forums for as little as $80. As some sources indicate, the source code of the original LokiBot was leaked and other hackers were able to compile their own versions of the malware.
According to a security researcher known as d00r on Twitter, someone has adjusted and patched the original LokiBot sample. The change allowed other hackers to specify their own custom domains for collecting the stolen information.
As a result, the adjusted LokiBot versions are actively distributed on the Internet.
In addition, d00r noted that the command and control server location of the original LokiBot sample is stored at multiple locations in the application. Four of these locations are encrypted with the Triple DES algorithm and the rest with a simple XOR cipher.
LokiBot uses a Decrypt3DESstring function to decrypt these strings and obtain the location of the C2 server. In the adjusted LokiBot samples this function has been modified: instead of returning the value from the Triple DES strings, it returns the string that is protected only by a simple XOR.
Because of these adjustments, anyone who has a modified version of the malware can edit the application with a simple hex editor and add their own custom addresses in order to receive the stolen data.
“The 3DES protected URLs are always the same in all of the LokiBot samples of this [new] version. In addition, those URLs are never used. Decrypt3DESstring returns a 3DES decrypted buffer. This should be the ideal behavior of this function, but as was described before, each time Decrypt3DESstring is called, it returns a decrypted URL with XOR or encrypted URL with XOR.”
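From a triage standpoint, the practical consequence of the patch is that the live C2 address sits in the binary under a single-byte XOR, which is cheap to recover for blocklisting. The routine below is an added example, not code from d00r's research or from LokiBot itself: it brute-forces every single-byte key over a buffer and reports the offset, key and URL of each protected copy. The buffer layout, the keys (0x3A and 0x5C) and the URL are constructed for this example; the page does not give LokiBot's real key or storage layout.

```python
import re
from typing import List, Tuple

# URL shape to look for after decoding; the character class covers host, path and extension.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_/]+")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to data (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def find_xor_urls(blob: bytes, min_len: int = 12) -> List[Tuple[int, int, str]]:
    """Try every single-byte key over the whole blob and return (offset, key, url)
    for each HTTP(S) URL that appears after decoding. Key 0 reports URLs stored
    in clear; min_len drops short accidental matches. Sorted by offset."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for m in URL_RE.finditer(decoded):
            if len(m.group(0)) >= min_len:
                hits.append((m.start(), key, m.group(0).decode("ascii")))
    return sorted(hits)


# Constructed sample buffer (not a real LokiBot layout): null padding, some plain
# text, an 8-byte stand-in for an unused 3DES blob, and two XOR-protected copies
# of the same URL under different keys, mirroring "stored at multiple locations".
SAMPLE_URL = b"http://c2.example.invalid/fre.php"   # placeholder, not a real C2
KEY_A, KEY_B = 0x3A, 0x5C                           # assumed keys for the example
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"MZ filler text "
    + b"\x9f\x11\x2c\x77\xa0\x03\x5e\xc4"
    + xor_bytes(SAMPLE_URL, KEY_A)
    + b"\x00" * 8
    + xor_bytes(SAMPLE_URL, KEY_B)
    + b"\x00" * 4
)


def distinct_urls(blob: bytes) -> List[str]:
    """Unique decoded URLs, the list a defender would feed into a blocklist."""
    return sorted({url for _, _, url in find_xor_urls(blob)})


if __name__ == "__main__":
    for offset, key, url in find_xor_urls(SAMPLE_BLOB):
        print(f"offset={offset:#06x} key={key:#04x} url={url}")
```

Two copies of the same URL recovered at different offsets with different keys is the pattern to expect; a copy under key 0 would mean the address was left in clear.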
There is a range of different LokiBot samples patched in the same way by a number of different actors. They are all available on underground forums and markets at a very low price.
In addition, the original LokiBot malware has also been updated. The new version 2.0 is available on many underground forums.
It is worth mentioning that the decryption function is also used to retrieve registry values that make LokiBot persistent. However, once patched, the decryption function only returns a URL address, so the adjusted LokiBot versions are not able to restart after a system reboot.
A paper recently published on GitHub provides more technical details about the hijacked LokiBot malware samples.