Specialists from the US Cybersecurity and Infrastructure Security Agency (CISA, part of the Department of Homeland Security) have warned about the growing activity of the LokiBot info-stealer (aka Loki and Loki PWS; not to be confused with the Android Trojan of the same name), which has been increasing since July of this year.
ZDNet journalists note that Malwarebytes experts also drew attention to the surge in LokiBot activity, confirming the findings of CISA specialists.
LokiBot is one of the most dangerous info-stealers at the moment. The Trojan has been known to cybersecurity experts since the mid-2010s. For many years, its source code was distributed on hacker forums completely free of charge, which made LokiBot one of the most popular password-stealing tools (mainly among low- and medium-skilled cybercriminals). Currently, the malware is actively used by several hacking groups at once, which spread it using a variety of methods, from email spam to hacked installers and malicious torrent files.
After infecting a victim's computer, LokiBot focuses on finding locally installed applications and retrieving credentials from their internal databases. For example, LokiBot steals data from browsers, email clients, FTP applications and cryptocurrency wallets.
Today LokiBot is no longer just an info-stealer, but a more complex threat. The malware is equipped with a keylogger that intercepts keystrokes in real time (in order to steal passwords that are not always stored in the browser's internal database), and a screenshot utility (usually used to capture documents after they have been opened on the victim's computer). In addition, LokiBot also acts as a backdoor, allowing attackers to launch other malware on infected hosts.
The data stolen by LokiBot usually ends up on underground marketplaces. According to analysts at KELA, LokiBot is one of the main suppliers of credentials to the Genesis marketplace.