The LokiBot Android Trojan was first seen in February 2016 and is considered one of the first instances of malware that could infect a device and settle inside core Android operating system processes. LokiBot used this as an anti-detection technique, staying hidden longer and carrying out its operations with root privileges. The Trojan can steal various content from the device, disable notifications, intercept communications, and exfiltrate data. In December 2016, researchers discovered a new variant of LokiBot that targets the Android operating system's core libraries. The infection process was changed to evade detection more effectively and to avoid blacklisting by security companies. LokiBot infects users when they install malicious apps from third-party app stores.

The apps contain an exploit to elevate the malware's privileges. The February 2016 version targets the native Android "system_server" process, while the December variant modifies a native system library and uses it to load one of the Trojan's components. The main purpose of this LokiBot is to display unwanted ads. Because it lives inside system processes, the reliable way to remove it is to reinstall the entire operating system.

Under the same name, LokiBot is also a trojan-type malware for Windows designed to infiltrate systems and collect a wide range of information, so note that LokiBot targets both the Windows and Android operating systems. LokiBot typically infiltrates systems without the user's consent: it is distributed via spam emails (Windows), private messages (SMS, Skype, etc.), and malicious websites.

The Android version can also lock the screen and display a message accusing the victim of viewing child pornography and demanding a ransom; it also encrypts data on the device. Examining LokiBot's code, researchers found that its encryption is weak and does not work properly: the attack leaves unencrypted copies of all files on the device, only under different names, so restoring the files is relatively simple. The device screen is still locked, however, and the malware authors ask for about $100 in Bitcoin to unlock it. You do not have to pay: after rebooting the device in safe mode, you can strip the malware of its device administrator rights and delete it. To do so, first determine which version of Android you have:

  • Select Settings.
  • Select the General tab.
  • Select About device (on some phones, About phone).
  • Find the line Android version; the number below it is your OS version.

To enable safe mode on a device with Version 4.4 to 7.1, do the following:

  • Press and hold the power button until a menu appears with the option Power off or Disconnect power source.
  • Press and hold Power off or Disconnect power source.
  • In the Turn on safe mode dialog that appears, tap OK.
  • Wait for the phone to reboot.

Owners of devices with other versions of Android should look online for instructions on enabling safe mode for their particular phone. Unfortunately, not everyone knows about this method of killing the malware: LokiBot victims have already paid nearly $1.5 million. And with LokiBot available on the black market for a mere $2,000, the criminals responsible have very likely recouped their investment many times over.

Secure Email Gateway

Recently we came across a spam message from our traps that looked truly odd when viewed from our Secure Email Gateway console, as below:

[Image: the spam message as shown in the Secure Email Gateway console]

Needless to say, there are several suspicious elements here:

  • The attachment has a .zipx extension
  • The gateway identified the message as a PNG image
  • The image itself resembles a ‘JPG’ icon.
  • The subject line is typical of those we see associated with malware.

So what's going on here? Let's examine the file. The file header shows that it really is a PNG:

[Image: hex dump of the PNG file header]

The image file can be opened with an image viewer:

[Image: the attachment opened in an image viewer]

However, the .zipx extension suggests something else is going on here. Let’s look further into the file.

In a PNG file, the IEND chunk marks the end of the image and must appear last. In this file, however, there is a large amount of data after IEND. In the snippet below you can see a PK header marker, indicating some kind of zip archive, and a filename, RFQ -5600005870.exe. The PNG specification does not require a decoder to reject bytes after IEND; most image viewers simply stop reading at IEND and ignore whatever follows, so the trailing data is invisible when the file is viewed as an image.

[Image: hex dump of the data following IEND, showing the PK header and the filename RFQ -5600005870.exe]

So, let's try unzipping it. WinZip and 7-Zip returned errors when asked to unzip the file, but WinRAR had no such problem and happily extracted RFQ -5600005870.exe. Interestingly, if you change the extension to anything other than .zip or .zipx, 7-Zip will also extract the .exe without complaint. It seems that some decompression utilities will traverse the whole file looking for suitable content to unpack, rather than insisting that the archive begin at offset zero. Here is how the message could have appeared to a user with WinRAR installed: clicking the attachment would open WinRAR, ready to extract the payload.
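The check below is an added example, written for this page rather than taken from the original analysis or any gateway product. It parses the PNG chunk list, reports any bytes after IEND, scans that tail for zip local file headers and the entry names they carry, and flags a mismatch between the attachment's extension and its magic bytes (the ".zipx file that is really a PNG" seen in the gateway console). The sample file is constructed in code: a 1x1 PNG with a small zip appended, using the RFQ -5600005870.exe name from the analysis and a harmless 64-byte stub in place of the real payload. Python's zipfile module, like WinRAR, tolerates data prepended to an archive, which is what the last function demonstrates.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HDR = b"PK\x03\x04"   # zip local file header signature


def png_chunks(data):
    """Walk the PNG chunk list and yield (type, offset, length, crc_ok).

    Stops at IEND, which the specification says must be the last chunk.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk at offset %d" % pos)
        crc_ok = zlib.crc32(ctype + body) == struct.unpack(">I", crc)[0]
        yield ctype, pos, length, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk found")


def trailing_data(data):
    """Return every byte after the IEND chunk (empty for a clean PNG)."""
    end = None
    for ctype, off, length, _ in png_chunks(data):
        if ctype == b"IEND":
            end = off + 12 + length
    return data[end:]


def embedded_zip_names(tail):
    """Scan a byte blob for zip local file headers and return the entry names."""
    names = []
    pos = tail.find(ZIP_LOCAL_HDR)
    while pos != -1 and pos + 30 <= len(tail):
        # local header: sig(4) ver(2) flags(2) method(2) time(2) date(2)
        #               crc(4) csize(4) usize(4) name_len(2) extra_len(2)
        name_len, = struct.unpack("<H", tail[pos + 26:pos + 28])
        names.append(tail[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos = tail.find(ZIP_LOCAL_HDR, pos + 4)
    return names


def sniff_type(data):
    """Identify the container by magic bytes, the way the gateway did."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(ZIP_LOCAL_HDR):
        return "zip"
    if data.startswith(b"MZ"):
        return "pe"
    return "unknown"


def inspect_attachment(filename, data):
    """Report extension/magic mismatch, post-IEND bytes and embedded zip entries."""
    ext = filename.rsplit(".", 1)[-1].lower()
    report = {"sniffed": sniff_type(data), "ext_mismatch": False,
              "trailing_bytes": 0, "zip_entries": []}
    if report["sniffed"] == "png":
        tail = trailing_data(data)
        report["trailing_bytes"] = len(tail)
        report["zip_entries"] = embedded_zip_names(tail)
    report["ext_mismatch"] = (ext in ("zip", "zipx") and report["sniffed"] != "zip") or \
                             (ext == "png" and report["sniffed"] != "png")
    return report


def lenient_unzip_names(data):
    """Python's zipfile, like WinRAR, tolerates data prepended to the archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample(append_zip=True):
    """Constructed sample: a 1x1 PNG, optionally followed by a zip holding a fake .exe."""
    def chunk(ctype, body):
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body)))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    png = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    if not append_zip:
        return png
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # dummy 64-byte "MZ" stub standing in for the real payload; not malware
        zf.writestr("RFQ -5600005870.exe", b"MZ" + b"\x00" * 62)
    return png + buf.getvalue()


if __name__ == "__main__":
    print(inspect_attachment("image.zipx", build_sample()))
```

A gateway rule built on this would quarantine any attachment whose magic bytes disagree with its extension, and any PNG with non-zero trailing bytes that contain a PK local header; the second condition is what the image viewer, and a signature-only scanner, both miss.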

[Image: the message as seen by a user with WinRAR installed, with the attachment opening in WinRAR]

Analysis of the extracted .exe shows that it consists of multiple stages, the first of which is an executable compiled with Visual Basic.

[Image: the first-stage Visual Basic executable]

The function of this first stage is to decrypt the main payload into memory and execute it using the common technique known as Process Hollowing: a new instance of a legitimate process is created in a suspended state, its original image is unmapped from memory, the malicious code is written in its place, and the process is then resumed so that the payload runs under the legitimate process name.

Dumping the decrypted new process from memory, we end up with the main payload, as below.

[Image: the decrypted main payload dumped from the hollowed process]

Some interesting strings in the malware body start to give a hint of what this malware does.

[Image: strings extracted from the main payload]

Further analysis of the sample identifies it as the well-known LokiBot information-stealing Trojan. LokiBot is a multi-purpose modular trojan that attempts to steal passwords and other information from browsers, mail and FTP clients and other applications, alongside a raft of other functions. LokiBot is readily available in underground markets, where it can be bought quite cheaply: $300 buys basic password-stealing capability.

[Image: LokiBot identification in the analysed sample]

LokiBot's availability means it is widely used, and over the past year we have seen many spam messages carrying LokiBot attachments, but never before one with the payload hidden inside a PNG file. The attacker most likely used the PNG format to hide the executable from inspection by the email scanning gateway, which classified the file as an image. The giveaway is the .zipx extension. If a user with WinRAR installed received such a message, clicking the attachment would launch WinRAR and let the user extract the payload .exe. The upshot is that we may all want to inspect those PNG files a little more closely.

How did LokiBot infect my computer?

As mentioned above, LokiBot is distributed using spam emails and messages. The emails do not follow any single template; the common factor is that all are presented as invoices, bills or purchase orders. Within one campaign, these trojan-proliferating emails are virtually identical: the structure (text, alignment, etc.) is the same and the malicious attachment is identical. LokiBot can be delivered in any form, such as a compressed executable or an MS Office document, but the result is the same: after clicking a deceptive link or opening a malicious attachment, the system is infected with LokiBot. Remember that the main causes of infection are a lack of awareness and careless behaviour.

How to avoid the installation of malware?

To prevent this, be very cautious when browsing the Internet and when downloading or installing software. Think twice before opening email attachments. If a file seems irrelevant or arrives from a suspicious or unrecognised address, do not open it; delete such emails immediately, without reading them. Download software from official sources only, using direct download links. Third-party downloaders and installers often bundle rogue apps (which can cause chain infections) and should never be used. Download Android applications from Google Play only, and even then read the user reviews and look for negative responses: although applications in Google Play are scanned before being posted, some rogue apps still get through. As mentioned above, having a legitimate anti-virus/anti-spyware suite installed and running is paramount. The key to computer safety is caution. If your computer is already infected with LokiBot, we recommend running a scan with Spyhunter for Windows to automatically eliminate the infiltrated malware.

The malicious website used to distribute LokiBot Android version (presenting it as Adobe Flash Player):

[Image: malicious website distributing the Android LokiBot as a fake Adobe Flash Player]

An example of deceptive email distributing LokiBot malware:

[Image: deceptive spam email distributing the LokiBot trojan]

Text presented within this email:

Please find our urgent Inquiry and Purchase Order attached. We hope to get a reply today. I have sent this same document twice already without any reply. Our prices are based on your offer to our customer who is also your client We received your contact from your customer’s recommendation for the parts we need_ Can you ship to our country? Please confirm
I have called you severally and written your email without reply_ Can you give me the right person to contact for our inquiries and our Purchase Order?
In the attached order, the items marked yellow can be skipped if not available_ I await your reply with order confirmation.
Thanks & Regards!! Priti Patel
M.R. Organisation (U.S.A) LLC. 800 West Cummings Park Suite 1650, Woburn MA 01801 U.S.A.
Cell: +1-857-389-1763 I Office # 1-339-999-2798, 1-339-999-2799 I Fax # 1-978-945-832 I Email : sales3(iemrocompparts.com www.mrocompparts.com

Example of a LokiBot process ("objectrecalcine.exe") in Windows Task Manager:

[Image: LokiBot process listed in Windows Task Manager]