Malware Analysis of Loki-BOT Credential Stealer
•Download as PPTX, PDF•
0 likes•105 views
The document discusses the Loki malware which steals credentials by exploiting Microsoft Word macros. It begins by describing how a phishing attack could initiate by sending an email with a malicious Word file attachment. The macro would download and run Loki, which is able to bypass antivirus detection. Loki then unpacks itself further to load additional functionality for stealing credentials stored in browsers like Firefox and decrypting them using stolen encryption keys. It also installs a keylogger to steal passwords. The stolen credentials are sent to the Loki command and control server for the attackers to access. The document provides recommendations such as verifying email authenticity and not storing credentials or logging in as an administrator to help prevent credential theft by malware like Loki
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Malware Analysis of Loki-BOT Credential Stealer
Similar to Malware Analysis of Loki-BOT Credential Stealer (20)
Recently uploaded
Recently uploaded (20)
Malware Analysis of Loki-BOT Credential Stealer
- 1. Stealing Credentials Malware And More Eran Shimony
- 3. whoami Eran Shimony – eran.shimony@cyberark.com Researcher at CyberArk Malware reverse engineer StarCraft II player “Boozer#2774"
- 4. Catch a fish
- 5. Phishing Attack • Send email with word file attachment Run Loki Bypass Anti Virus Steal Credentials Send passwords to C&C
- 8. Loki-BOT Discovered in 2015 Steals credentials from around 80 programs, including: Chrome, Mozilla, Outlook, Putty, etc… Sold for 70$ per license, 300$ originally
- 9. Loki source code leakage Source code (V1) at: https://github.com/Chiggins/malware_sources/tree/master/LokiRAT For educational proposes only
- 10. Malware Analysis-Static Analysis Look for suspicious imports or strings Read the assembly code Packed?
- 11. Malware Analysis-Dynamic Analysis Open Wireshark Run Process Monitor Debug with Ida Pro or such Unpack executable
- 12. Phishing Attack • Send email with word file attachment Run Loki • Word runs malicious macro that downloads and runs Loki Bypass Anti Virus Steal Credentials Send passwords to C&C
- 13. How AVs work Scans static information Looks for weird looking strings Looks for suspicious usage of API calls Tries to unpack executable
- 14. Import Table Resolution between module name to API Name Resolution between API name to address Determined on compile time
- 15. A look at the table
- 16. What do we have here
- 17. Runtime import table Scans committed memory Hash function name Call API
- 18. A look back
- 19. Phishing Attack • Send email with word file attachment Run Loki • Word runs malicious macro that downloads and runs Loki Bypass Anti Virus Steal Credentials Send passwords to C&C • Unpack code • Load additional functionality
- 20. Lets Mine
- 21. Stealing from the fox Checks if Mozilla is installed Picking up login.json and key3.db from C:UsersjohnAppDataRoamingMozillaFirefoxProfilesm3qzv49s.default Files are encrypted
- 22. Decrypting credentials Loads nss3.dll Calls several APIs to decrypt key3.db Uses key3.db to decrypt login.json
- 24. How does is look like
- 25. Master Password Encrypts the encryption keys Uses user generated password But we have a keylogger installed…
- 27. Phishing Attack • Send email with word file attachment Run Loki • Word runs malicious macro that downloads and runs Loki Bypass Anti Virus Steal Credentials Send passwords to C&C • Unpack code • Load additional functionality • Decrypt encrypted credentials • Install a keylogger
- 28. Looking at the C&C You can access the C&C at http://ewued[.]tk/nutmeg/fre[.]php
- 29. Looking at the C&C By entering the IKhvySO directory
- 30. Server-Status
- 31. Phishing Attack • Send email with word file attachment Run Loki • Word runs malicious macro that downloads and runs Loki Bypass Anti Virus Steal Credentials Send passwords to C&C • Unpack code • Load additional functionality • Decrypt encrypted credentials • Install a keylogger • Communicate with control server • Upload stolen credentials
- 32. Recommendations Always verify the email authenticity. Buddha The root of suffering is attachment
- 33. Recommendations Do not login as Administrator.
- 34. Recommendations Don’t Store Credentials.
- 35. Questions?
Editor's Notes
- - Talk about the hyped subjects - Maybe give a quote about the number of passwords stolen daily
- - Ask the crowed
- - Created in seconds
- - That payload could be anything. - Question if they understand what this code to. - Maybe add obfuscated command?
- - Originally written in C ++ - Ask why is it so cheap
- - Speak about what we in LABS did to analyze it - We saw the malware trending a lot lately - Add why is it in assembly - Give the IPhone analogy about packed executable – the sender sands the IPhone in a different Box. The AV is the custom guy that wants to catch the package Like the AV wants to catch the malware - Anti virus kind of does the first bullet
- - Recorded Network activates - Monitor file access or registry - Explain why do we debug/run it
- - Explain the virus want to escape the AV , so it will fuck up the AV analysis
- - Does it to all programs - Reduce noise, don’t try to access directories that do not exist, for AV processes
- - Short explanation about login.json and key3.db - Speak about that key3.db holds encrypted keys - Emphasis that fact you do not need to admin to read decrypt the current logged in user
- - short explanation about login.json and key3.db - that tool is not made by myself, there 10 other different tools that do the same
- - Emphasis on the importance of not being administrator - Masterkey sha-1 algorithm is not good, does only one hash function instead of multiple which is the standard - Could add the fact that a GTX 1080 processer can do 1.4 billion hash calculation in a second - In order to install a keylogger you must be admin
- - short explanation about login.json and key3.db
- - short explanation about login.json and key3.db