Analytics Story: Lokibot

Description

Lokibot is a prevalent information-stealing Trojan that primarily targets Windows and Android devices to steal sensitive data, including usernames, passwords, cryptocurrency wallets, and banking information. Detection often hinges on identifying its characteristic behaviors and network communications. It is commonly distributed via phishing emails containing malicious attachments (e.g., Office documents, RAR files) or through compromised websites. Once a host is infected, Lokibot employs keylogging to capture credentials and exfiltrates the stolen data to its command-and-control (C2) servers, often over HTTP with a distinctive User-Agent string such as "Mozilla/4.08 (Charon; Inferno)". Suspicious network traffic, unexpected system activity, or the presence of its specific C2 communication patterns are strong indicators of compromise. Antivirus and endpoint detection solutions are crucial for identifying and mitigating Lokibot infections.

Why it matters

Lokibot's detection narrative often begins with the initial compromise, typically through a user opening a malicious attachment from a phishing email or visiting a compromised website. Once executed, the malware establishes persistence and begins its data-gathering operations, often employing keylogging to capture credentials and other sensitive information. Its presence might first be flagged by endpoint detection and response (EDR) solutions observing unusual process behavior, such as vbc.exe or other legitimate processes making unexpected network connections. Network monitoring tools can then identify suspicious outbound traffic, particularly HTTP requests to known Lokibot command-and-control (C2) servers, often characterized by specific User-Agent strings or patterns. Furthermore, the exfiltration of stolen data to these C2 infrastructures provides a critical detection point, allowing security teams to identify and respond to the compromise before significant data loss occurs. Antivirus signatures and behavioral analysis also play a role in identifying the Lokibot executable itself or its attempts to modify system configurations.
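The narrative above names two detection points: host telemetry (a process dropped into a temp directory, or vbc.exe making unexpected network connections) and network telemetry (HTTP requests carrying the "Mozilla/4.08 (Charon; Inferno)" User-Agent). The following Python is an added illustration, not part of this analytics story or of Splunk's detection content. It parses Sysmon records in the XmlWinEventLog format listed under Data Sources (EventID 1 process creation and EventID 22 DNS query; the Image, ParentImage and QueryName field names are Sysmon's own) and a simplified, constructed HTTP proxy log format, and applies rule logic that approximates the "Windows Process Execution in Temp Dir" and "Windows Visual Basic Commandline Compiler DNSQuery" detections plus a User-Agent match. All sample events, hostnames and addresses are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace used by Windows event XML records (XmlWinEventLog sourcetype).
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# User-Agent named in the story as characteristic of Lokibot C2 traffic.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Temp locations checked by the temp-dir execution rule (assumption: these
# two markers approximate the paths the real detection looks for).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def parse_sysmon_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Sysmon XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find(f"{NS}System/{NS}EventID").text)
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}
    return event_id, data


def temp_process_execution(event_id, data):
    """Sysmon EventID 1 whose Image lives under a temp directory."""
    if event_id != 1:
        return None
    image = data.get("Image", "").lower()
    if any(marker in image for marker in TEMP_MARKERS):
        return (f"process in temp dir: {data['Image']} "
                f"(parent {data.get('ParentImage', '?')})")
    return None


def vbc_dns_query(event_id, data):
    """Sysmon EventID 22: the VB command-line compiler resolving a hostname."""
    if event_id != 22:
        return None
    if PureWindowsPath(data.get("Image", "")).name.lower() == "vbc.exe":
        return f"vbc.exe DNS query for {data.get('QueryName')}"
    return None


# Constructed proxy log layout: <ts> <src_ip> <method> <url> "<user_agent>"
UA_RE = re.compile(r'"(?P<ua>[^"]*)"\s*$')


def lokibot_user_agent(http_line):
    """Flag an HTTP log line whose quoted User-Agent is the Lokibot string."""
    m = UA_RE.search(http_line)
    if m and m.group("ua").strip() == LOKIBOT_UA:
        return f"Lokibot User-Agent from {http_line.split()[1]}"
    return None


def run_detections(sysmon_xml_records, http_lines):
    """Apply the host rules to Sysmon records and the UA rule to HTTP lines."""
    alerts = []
    for record in sysmon_xml_records:
        event_id, data = parse_sysmon_event(record)
        for rule in (temp_process_execution, vbc_dns_query):
            hit = rule(event_id, data)
            if hit:
                alerts.append((rule.__name__, hit))
    for line in http_lines:
        hit = lokibot_user_agent(line)
        if hit:
            alerts.append(("lokibot_user_agent", hit))
    return alerts


# Constructed sample telemetry (not real captures).
SAMPLE_SYSMON = [
    # EventID 1: Word launching an executable dropped into the user's Temp folder
    r"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>1</EventID></System>"
    r"<EventData><Data Name='Image'>C:\Users\alice\AppData\Local\Temp\invoice.exe</Data>"
    r"<Data Name='ParentImage'>C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data></EventData></Event>",
    # EventID 1: benign process start that must not alert
    r"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>1</EventID></System>"
    r"<EventData><Data Name='Image'>C:\Windows\System32\notepad.exe</Data>"
    r"<Data Name='ParentImage'>C:\Windows\explorer.exe</Data></EventData></Event>",
    # EventID 22: vbc.exe resolving a hostname
    r"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>22</EventID></System>"
    r"<EventData><Data Name='Image'>C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe</Data>"
    r"<Data Name='QueryName'>c2.example.invalid</Data></EventData></Event>",
]

SAMPLE_HTTP = [
    '2024-05-01T10:01:58Z 10.0.0.17 GET http://intranet.example.invalid/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-05-01T10:02:13Z 10.0.0.25 POST http://c2.example.invalid/ "Mozilla/4.08 (Charon; Inferno)"',
]

if __name__ == "__main__":
    for name, detail in run_detections(SAMPLE_SYSMON, SAMPLE_HTTP):
        print(f"[{name}] {detail}")
```

The rules return a human-readable detail string rather than a boolean so that the host from the process event or the source address from the proxy line is carried into the alert; in practice these three hits on the same host within a short window are what turns three Anomaly/TTP findings into a Lokibot investigation.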

Detections

Name | Technique | Type
--- | --- | ---
Access LSASS Memory for Dump Creation | LSASS Memory | TTP
Create Remote Thread into LSASS | LSASS Memory | TTP
Detect Credential Dumping through LSASS access | LSASS Memory | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly
Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly
Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP
Sqlite Module In Temp Folder | Data from Local System | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly
Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token | Anomaly
Windows Chromium Browser with Custom User Data Directory | Virtualization/Sandbox Evasion | Anomaly
Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly
Windows DLL Module Loaded in Temp Dir | Ingress Tool Transfer | Hunting
Windows Executable in Loaded Modules | Shared Modules | TTP
Windows Hunting System Account Targeting Lsass | LSASS Memory | Hunting
Windows Non-System Account Targeting Lsass | LSASS Memory | TTP
Windows Process Execution in Temp Dir | Create or Modify System Process, Match Legitimate Resource Name or Location | Anomaly
Windows Scheduled Task Created Via XML | Scheduled Task | Anomaly
Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Resource Name or Location | TTP
Windows Unsecured Outlook Credentials Access In Registry | Unsecured Credentials | Anomaly
Windows Unsigned DLL Side-Loading In Same Process Path | DLL | TTP
Windows Unusual Intelliform Storage Registry Access | Credentials In Files | Anomaly
Windows Unusual Process Load Mozilla NSS-Mozglue Module | CMSTP | Anomaly
Windows Visual Basic Commandline Compiler DNSQuery | DNS | TTP

Data Sources

Name | Platform | Sourcetype | Source
--- | --- | --- | ---
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4703 | Windows | XmlWinEventLog | XmlWinEventLog:Security

Source: GitHub | Version: 1