LokiBot Impersonates Popular Game Launcher
We discovered a LokiBot variant impersonating a popular game launcher to trick users into executing it on their machines. Further analysis revealed it employs a quirky, installation routine that involves dropping a compiled C# code file.
Technical AnalysisThe infection starts with a file that is supposedly the installer of the Epic Games store. This fake installer was built using the NSIS (Nullsoft Scriptable Install System) installer authoring tool. In this campaign, the malicious NSIS Windows installer used the logo of Epic Games — the development company behind popular games such as Fortnite — to trick users into thinking that it’s a legitimate installer.
Figure 1. File icon of the LokiBot malware installer under the guise of a game installerUpon execution, the malware installer drops two files: a C# source code file and a .NET executable in the “%AppData% directory” of the affected machine.
Figure 2. Screenshot of installer scriptFurther analysis of the .NET executable showed a heavily obfuscated file that contains plenty of junk codes that make reverse-engineering more difficult.
Figure 3. Screenshot showing the main function of the dropped .NET executableThe .NET executable would then read and compile the dropped C# code file, which is named “MAPZNNsaEaUXrxeKm,” within the infected device.
Figure 4. Screenshot of code snippet that shows a portion of the junk code that can be found in the binary (top part), as well as code that shows how the dropped C# code file is read and compiled (bottom part)After compiling the C# code file, the binary would call the EventLevel function present in the C# code file using the InvokeMember function. The called function would decrypt and load the encrypted assembly code embedded inside it.
Figure 5. Screenshot of code showing the binary calling the EventLevel() functionFigure 6. Code snippet that shows how the assembly code would be decrypted This LokiBot sample’s installation routine combines two techniques to evade detection: First, it makes use of a C# source code to evade defense mechanisms that solely target executable binaries. In addition, it also uses obfuscated files in the form of the encrypted assembly code embedded in the C# code file. The final phase of the infection would be the execution of the LokiBot payload. Consistently among the most active infostealers in the wild, these tweaks to its installation and obfuscation mechanisms indicate that LokiBot is not about to slow down in the near future.
Trend Micro SolutionsTrend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect these kinds of attacks even without engine or pattern updates. These solutions are powered by XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense. Indicators of Compromise
|SHA-256||File Type||Detection Name|
|385bbd6916c88636a1a4f6a659cf3ce647777212ebc82f0c9a82dc4aea6b7c06||Encrypted Assembly Code|