The document discusses the Loki malware, which steals credentials and is delivered through malicious Microsoft Word macros. It begins by describing how a phishing attack could start with an email carrying a malicious Word file attachment. The macro downloads and runs Loki, which is able to bypass antivirus detection. Loki then unpacks itself further to load additional functionality for stealing credentials stored in browsers like Firefox and decrypting them using the stolen encryption keys. It also installs a keylogger to steal passwords. The stolen credentials are sent to the Loki command and control server for the attackers to access. The document provides recommendations such as verifying email authenticity and not storing credentials or logging in as an administrator to help prevent credential theft by malware like Loki.
8. Loki-BOT
Discovered in 2015
Steals credentials from around 80 programs, including Chrome, Mozilla Firefox, Outlook, PuTTY, etc.
Sold for $70 per license (originally $300)
9. Loki source code leakage
Source code (V1) at:
https://github.com/Chiggins/malware_sources/tree/master/LokiRAT
For educational purposes only
12. Phishing Attack
• Send email with Word file attachment
Run Loki
• Word runs malicious macro that downloads and runs Loki
Bypass Anti-Virus
Steal Credentials
Send passwords to C&C
13. How AVs work
Scans static information
Looks for suspicious-looking strings (URLs, paths, known-bad API names)
Looks for suspicious usage of API calls
Tries to unpack the executable
14. Import Table
Resolves module names to the API names imported from them
Resolves API names to addresses (the loader fills these in at load time)
Determined at compile/link time, so a static scan can read it without running the program
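Added example (not from the deck or from Loki itself) of the static checks slides 13 and 14 describe: scan a binary blob for suspicious-looking strings and API names, measure byte entropy to guess whether the body is packed, and flag the tell-tale packer import table that lists only LoadLibraryA and GetProcAddress because everything else is resolved at run time. The two samples are constructed here; the API list and thresholds are choices for the example, not values the deck gives.

```python
import math
import random
import re

# API names a static scanner treats as suspicious when they appear in a
# binary's import table or string table. The list is chosen for this
# example; the deck names no specific APIs.
SUSPICIOUS_APIS = (
    b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc",
    b"URLDownloadToFileA", b"WinExec", b"CreateRemoteThread",
    b"WriteProcessMemory", b"SetWindowsHookExA",
)
PACKER_STUB_APIS = {"LoadLibraryA", "GetProcAddress"}
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-/_]+")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 0 for zero-filled data, near 8 for packed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def static_scan(data: bytes) -> dict:
    """Return the indicators a string/import-table scanner would report for one blob."""
    apis = [a.decode() for a in SUSPICIOUS_APIS if a in data]
    urls = [u.decode() for u in URL_RE.findall(data)]
    entropy = shannon_entropy(data)
    indicators = []
    if entropy > 7.0:
        indicators.append("high-entropy body (likely packed)")
    if apis and set(apis) <= PACKER_STUB_APIS:
        # A packer stub imports only these two and resolves the rest at run time,
        # so the real API usage is invisible to a static scan of the import table.
        indicators.append("minimal import table (packer stub)")
    if "URLDownloadToFileA" in apis and urls:
        indicators.append("download-and-execute")
    if any(a in apis for a in ("CreateRemoteThread", "WriteProcessMemory")):
        indicators.append("process injection APIs")
    return {"entropy": round(entropy, 2), "apis": apis, "urls": urls,
            "indicators": indicators}


# Constructed samples (not real Loki bytes): a plain downloader whose imports
# and URL are visible, and a "packed" one whose body is pseudo-random and
# whose only visible imports are the packer stub's.
UNPACKED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
    + b"urlmon.dll\x00URLDownloadToFileA\x00WinExec\x00"
    + b"http://198.51.100.7/update.exe\x00"
    + b"\x00" * 200
)
_rng = random.Random(1337)  # seeded so the sample is reproducible
PACKED_SAMPLE = (
    b"MZ\x90\x00"
    + b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
    + bytes(_rng.getrandbits(8) for _ in range(4096))
)

if __name__ == "__main__":
    for name, sample in (("unpacked", UNPACKED_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, static_scan(sample))
```

The packed sample is the interesting one: the scanner sees nothing but the two loader APIs and a high-entropy body, which is exactly why slide 13 lists "tries to unpack the executable" as the AV's next step.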
19. Phishing Attack (same chain as slide 12; Bypass Anti-Virus expanded)
Bypass Anti-Virus
• Unpack code
• Load additional functionality
21. Stealing from the fox
Checks if Mozilla Firefox is installed
Picks up logins.json and key3.db from
C:\Users\john\AppData\Roaming\Mozilla\Firefox\Profiles\m3qzv49s.default
Files are encrypted (logins.json holds the encrypted logins; key3.db holds the key that decrypts them)
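Added example (not from the deck or from Loki) of what the stealer actually picks up from logins.json before any decryption: each entry carries the site hostname plus two base64 DER envelopes, each naming the key id in key3.db, the cipher (3DES-CBC) and its IV, and the ciphertext. The file below is constructed for the example (real files also carry GUIDs and timestamps); the key id, IV and ciphertext values are made up, and decryption is deliberately left out because it needs the 3DES key recovered from key3.db.

```python
import base64
import json


def der(tag: int, payload: bytes) -> bytes:
    """Minimal DER TLV encoder (short-form lengths only, enough for this format)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


OID_3DES_CBC = bytes.fromhex("2a864886f70d0307")  # 1.2.840.113549.3.7
KEY_ID = bytes.fromhex("f8000000000000000000000000000001")  # constructed key id


def envelope(iv: bytes, ciphertext: bytes) -> str:
    """Build the base64 DER envelope layout used for encryptedUsername/encryptedPassword."""
    algo = der(0x30, der(0x06, OID_3DES_CBC) + der(0x04, iv))
    body = der(0x04, KEY_ID) + algo + der(0x04, ciphertext)
    return base64.b64encode(der(0x30, body)).decode()


# Constructed logins.json with one saved login; ciphertext lengths are
# multiples of the 3DES block size as they would be in a real file.
LOGINS_JSON = json.dumps({
    "nextId": 2,
    "logins": [{
        "id": 1,
        "hostname": "https://mail.example.com",
        "encryptedUsername": envelope(bytes(range(8)), bytes(range(16))),
        "encryptedPassword": envelope(bytes(range(8, 16)), bytes(range(16, 40))),
        "encType": 1,
    }],
})


def read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos and return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not handled")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def parse_envelope(b64: str) -> dict:
    """Unpack key id, cipher, IV and ciphertext from one encrypted field."""
    raw = base64.b64decode(b64)
    tag, seq, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    _, key_id, pos = read_tlv(seq, 0)
    _, algo, pos = read_tlv(seq, pos)
    _, ciphertext, _ = read_tlv(seq, pos)
    _, oid, p2 = read_tlv(algo, 0)
    _, iv, _ = read_tlv(algo, p2)
    cipher = "3des-cbc" if oid == OID_3DES_CBC else oid.hex()
    return {"key_id": key_id.hex(), "cipher": cipher,
            "iv": iv.hex(), "ciphertext": ciphertext.hex()}


def harvest(logins_json: str) -> list:
    """What a stealer collects from logins.json: host plus both envelopes, still encrypted."""
    out = []
    for entry in json.loads(logins_json)["logins"]:
        out.append({"hostname": entry["hostname"],
                    "username": parse_envelope(entry["encryptedUsername"]),
                    "password": parse_envelope(entry["encryptedPassword"])})
    return out


if __name__ == "__main__":
    print(json.dumps(harvest(LOGINS_JSON), indent=2))
```

The point for defenders: both files live under the user's own profile directory, so any process running as that user can read them without elevation, and the key id in every envelope tells the stealer exactly which entry of key3.db it needs next.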
31. Phishing Attack (full chain)
• Send email with Word file attachment
Run Loki
• Word runs malicious macro that downloads and runs Loki
Bypass Anti-Virus
• Unpack code
• Load additional functionality
Steal Credentials
• Decrypt encrypted credentials
• Install a keylogger
Send passwords to C&C
• Communicate with control server
• Upload stolen credentials
- Talk about the hyped subjects
- Maybe give a quote about the number of passwords stolen daily
- Ask the crowd
- Created in seconds
- That payload could be anything.
- Ask whether they understand what this code does.
- Maybe add an obfuscated command?
- Originally written in C++
- Ask why it is so cheap
- Speak about what we in LABS did to analyze it
- We saw the malware trending a lot lately
- Add why it is in assembly
- Give the iPhone analogy for a packed executable: the sender ships the iPhone in a different box, and the AV is the customs officer who wants to catch the package, just as the AV wants to catch the malware
- Anti-virus basically does the first bullet
- Record network activity
- Monitor file access or registry access
- Explain why we debug/run it
- Explain that the malware wants to escape the AV, so it will interfere with the AV's analysis
- Does it to all programs
- Reduce noise: don't try to access directories that do not exist, or look for AV processes
- Short explanation about logins.json and key3.db
- Speak about the fact that key3.db holds encrypted keys
- Emphasize that you do not need to be admin to read/decrypt the currently logged-in user's credentials
- That tool was not made by me; there are 10 other tools that do the same
- Emphasize the importance of not being administrator
- The master-key SHA-1 scheme is not good: it applies only one hash round instead of many, which is the standard
- Could add the fact that a GTX 1080 GPU can do 1.4 billion hash calculations per second
- In order to install a keylogger you must be admin
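Added example (not from the deck, and not a reproduction of key3.db's real key derivation) for the note about the master key being protected by a single hash round: the same offline guess loop is run against a key derived with one SHA-1 pass and against one derived with PBKDF2, so the cost difference the note and the GPU figure point at shows up directly. The salt, wordlist and iteration count are constructed for the example.

```python
import hashlib
import time

SALT = b"global-salt-16by"  # constructed; stands in for the salt stored beside the key
ITERATIONS = 20_000         # chosen for the example; real deployments use more


def single_sha1_key(password: bytes, salt: bytes = SALT) -> bytes:
    """One hash round over salt+password: the pattern the note criticizes (modeled, not NSS's exact scheme)."""
    return hashlib.sha1(salt + password).digest()


def pbkdf2_key(password: bytes, salt: bytes = SALT) -> bytes:
    """Iterated derivation: every guess costs ITERATIONS HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def crack(target_key: bytes, candidates, kdf) -> tuple:
    """Offline guess loop against a recovered key: returns (password or None, guesses, seconds)."""
    t0 = time.perf_counter()
    for i, pw in enumerate(candidates, 1):
        if kdf(pw) == target_key:
            return pw, i, time.perf_counter() - t0
    return None, len(candidates), time.perf_counter() - t0


# Constructed wordlist; the "master password" sits a few entries in.
WORDLIST = [b"123456", b"password", b"qwerty", b"letmein",
            b"firefox", b"hunter2", b"dragon", b"monkey"]


def compare(secret: bytes = b"hunter2") -> dict:
    """Crack the same secret under both derivations; the guess count is equal, the time is not."""
    pw1, n1, t1 = crack(single_sha1_key(secret), WORDLIST, single_sha1_key)
    pw2, n2, t2 = crack(pbkdf2_key(secret), WORDLIST, pbkdf2_key)
    return {"single_sha1": (pw1, n1, t1), "pbkdf2": (pw2, n2, t2)}


if __name__ == "__main__":
    for scheme, (pw, guesses, secs) in compare().items():
        print(f"{scheme}: recovered {pw!r} after {guesses} guesses in {secs:.6f}s")
```

The guess count is identical because the wordlist is the same; only the per-guess cost changes, and that cost is the only thing standing between a stolen key3.db and the plaintext master password. An empty master password, which is the Firefox default, needs no guessing at all.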