The Loki Bot has been observed for years. As you may know, it is designed to steal credentials from installed software on a victim’s machine, such as email clients, browsers, FTP clients, file management clients, and so on. FortiGuard Labs recently captured a PDF sample that is used to spread a new Loki variant. In this blog, we will analyze how this new variant works and what it steals.
The PDF sample
Figure 1. Content of the PDF sample
The PDF sample only contains one page, shown above, which includes some social engineering content to entice users to download and run the malware.
Figure 2. Objects inside the PDF sample
According to the sample content (Figure 2), an annotation object in the sample includes an URI action, where the malware is downloaded.
Add itself to Startup folder
When this malware is executed the very first time, it copies itself to “%AppData%\subfolder”, and renames it as “citrio.exe” in my test enviroment. It then creates a VBS file which can start “citrio.exe”. Figure 3 shows its code. The VBS file is added into the system Start Menu so it can automatically run whenever the system starts. After all these actions are complete, “citrio.exe” is started.
Figure 3. The VBS file in Startup with its code
How the new Loki variant works
All the APIs being called in this malware are hidden, which will be restored before calling. This increases the difficulty for researchers to analyze it. Figure 4 shows an example. After calling the sub_4031E5 function with the hash(C5FA88F1h) and DLL number (0Ah), eax points to the API “CommandLineToArgvW”.
Figure 4. Restoring the hidden API
The author of the malware has written a number of functions for stealing credentials from a victim’s machine. There is an array that is used to store the function pointers. Figure 5 shows part of the function pointers.
Figure 5. Array with function pointers
As you may have noticed, I added the comment behind each function to show you which software it steals credentials from. The malware calls those functions one by one in a loop. Here is the list of most of the software whose credentials can be stolen.
Mozilla Firefox, IceDragon, Safari, K-Meleon, Mozilla SeaMonkey, Mozilla Flock, NETGATE Black Hawk, Lunascape, Comodo Dragon, Opera Next, QtWeb, QupZilla, Internet Explorer, Opera, 8pecxstudios, Mozilla Pale Moon, Mozilla Waterfox.
FTPShell, NppFTP, oZone3D MyFTP, FTPBox, sherrod FTP, FTP Now, NetSarang xftp, EasyFTP, SftpNetDrive, AbleFTP, JaSFtp, Automize, Cyberduck, FTPInfo, LinasFTP, FileZilla, Staff-FTP, BlazeFtp, FTPGetter, WSFTP, GoFTP, Estsoft ALFTP, DeluxeFTP, Fastream NETFile, ExpanDrive, Steed, FlashFXP, NovaFTP, NetDrive, SmartFTP, UltraFXP, FTP Now, FreshFTP, BitKinex, Odin Secure FTP Expert, NCH Software Fling, NCH Software ClassicFTP, WinFtp Client, WinSCP, 32BitFtp, FTP Navigator.
Full Tilt Poker, PokerStars.
File manager software:
NexusFile, FullSync, FAR Manager, Syncovery, VanDyke SecureFX, Mikrotik Winbox.
SSH/VNC client software:
SuperPutty, Bitvise BvSshClient, VNC, KiTTY.
Password manager software:
mSecure, KeePass, EnPass, RoboForm, 1Password.
Email client software:
Mozilla Thunderbird, foxmail, Pocomail, IncrediMail, Gmail Notifier Pro, DeskSoft CheckMail, Softwarenetz Mailing, Opera Mail, Postbox email, Mozilla FossaMail, Internet Mail, MS Office Outlook, WinChips, yMail2, Flaska.net Trojita, TrulyMail.
Notes/Todo list software:
To-Do DeskList, Stickies, NoteFly, Conceptworld Notezilla, Microsoft StickyNotes.
Stealing Microsoft Outlook Credentials and Stickies Pictures
From the above analysis, it is clear that this new Loki variant is capable of stealing credentials from more than 100 different software tools (if installed.) In this section, we are going to present how it steals the credentials of Microsoft Outlook and pictures from Stickies.
To do this, It goes through three sub-keys (for three different versions) in the system registry to get saved email accounts, email addresses, username, password, SMTP, POP3, IMAP related information, and so on.
The three sub-keys are:
Figure 6. Microsoft Outlook saves credentials in the registry
Figure 7. Copying sub-key “POP3 Password”
What you can see in the above figures are the Outlook credentials in the system registry of my test enviroment. The malware is able to read them from here by calling the API “SHQueryValueExW”. All stolen information is stored in a global buffer. See Figure 8.
Figure 8. Stolen Outlook credentials in global buffer
For the Stickies attack, since I didn’t have that software installed I simply modified my test machine to simulate that it was installed. Here we go.
Figure 9 shows part of the code for Stickies. It gets the strings “*.png”, “*.rtf”, “%s\stickies\images” dynamically created before using. The malware steals png and rtf files from the sub-folders “\stickies\images” and “\stickies\rtf” in several system directories, such as %AppData%, %UserProfile%.
Figure 9. Code snippet for Stickies
I created a sub-folder “%AppData%\stickies\images” and put a .png file into it. Loki reads the png file into that global buffer behind the Outlook data. It also collects system information from the victim’s machine, such as computer name, user name, processor property, etc. After all collected information is ready, it sends them to its C&C server using a HTTP POST request, the body of which is the data stolen from the victim’s machine. And the data is delivered in a kind of compression format. Figure 10 shows a screenshot of the packet in WireShark.
Figure 10. Send the data stolen from Outlook and Stickies to the C&C server
The URL “18.104.22.168/~ninjagro/pdfs/QUOTATION.exe” has been rated as Malicious Websites and “http://bit.ly/2ssxQ75” as Phishing by the FortiGuard Webfilter service.
The downloaded exe file has been detected as W32/Injector.DONO!tr and the PDF file as Data/Loki_Phish.A!tr by the FortiGuard Antivirus service.