A new variant of Loki Bot is capable of stealing credentials from over 100 software tools, assuming they are installed on an infected machine.

The malware’s updated form leverages social engineering techniques to trick a user into running it. Specifically, it masquerades as a PDF sample that Dropbox couldn’t successfully open. A user who clicks on the link for the PDF unknowingly downloads the threat onto their machine.
Content of the PDF sample. (Source: Fortinet)

Loki’s author has hidden all of the API calls and programmed the malware to restore each one only immediately before it is called. This functionality makes it harder for researchers to fully uncover the threat’s behavior.

The developer has also added functions for stealing credentials from more than 100 software tools, with arrays used to store the function pointers. These functions target browsers like Mozilla Firefox and Safari, 1Password and other password managers, file manager software, and a host of other programs.
Array with function pointers. (Source: Fortinet)

To further understand the new variant, FortiGuard’s Xiaopeng Zhang and Hua Liu analyzed how Loki steals credentials from Microsoft Outlook and pictures from Stickies. Regarding the former, the malware passes through three sub-keys in the system registry to obtain email addresses, email accounts, usernames, passwords, SMTP/POP3/IMAP configurations, and other settings. As for the latter, it steals .png and .rtf files from the sub-folders “stickiesimages” and “stickiesrtf.”