CavalierGPT: The First Comprehensive Infostealers AI Bot - Read More →

Created by: lindbergh

Date created: 2022-12-16

Last edited: 2022-12-29

Description: Heatmap of instances of ATT&CK techniques for LokiBot Recent CTI Reporting based on recent public CTI reporting (sources in notes for each technique).

Techniques (27)

  • Archive via Library

    ID: T1560.002

    Tactics: Collection

    Description: Lokibot is capable of compressing the stolen data before sending it to the C&C. This report discusses a sample by using aPLib, a freeware compression library, to compress the stolen data prior to its exfiltration. (https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf)

  • Automated Collection

    ID: T1119

    Tactics: Collection

    Description: https://blog.talosintelligence.com/threat-roundup-0204-0211/

  • Boot or Logon Autostart Execution

    ID: T1547

    Tactics: Persistence, Privilege Escalation

    Description: https://blog.talosintelligence.com/threat-roundup-0204-0211/,

    https://blog.talosintelligence.com/threat-roundup-0204-0211/

  • Browser Information Discovery

    ID: T1217

    Tactics: Discovery

    Description: https://blog.talosintelligence.com/threat-roundup-0204-0211/

  • Credentials from Password Stores

    ID: T1555

    Tactics: Credential Access

    Description: Lokibot is capable of stealing passwords from FTP clients, email clients, and other applications. (https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf),

    https://blog.talosintelligence.com/threat-roundup-0204-0211/

  • Credentials from Web Browsers

    ID: T1555.003

    Tactics: Credential Access

    Description: Lokibot is capable of stealing passwords saved by a variety of browsers (https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf)

  • Data from Local System

    ID: T1005

    Tactics: Collection

    Description: Lokibot looks for specific files and attempts to exfiltrate them. (https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf),

    https://blog.talosintelligence.com/threat-roundup-0204-0211/

  • Exfiltration Over C2 Channel

    ID: T1041

    Tactics: Exfiltration

    Description: Lokibot exfiltrates stolen information via a C&C channel. (https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf)

  • File and Directory Discovery

    ID: T1083

    Tactics: Discovery

    Description: https://blog.talosintelligence.com/threat-roundup-0204-0211/

  • Hidden Files and Directories

    ID: T1564.001

    Tactics: Defense Evasion

    Description: Lokibot creates several files in a hidden directory. It is also capable of moving itself into a hidden directory as part of the persistencesetting process. (https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf)

  • Indicator Removal

    ID: T1070

    Tactics: Defense Evasion

    Description: https://blog.talosintelligence.com/threat-roundup-0204-0211/

  • Input Capture

    ID: T1056

    Tactics: Credential Access, Collection

    Description: https://blog.talosintelligence.com/threat-roundup-0204-0211/

  • Malicious File

    ID: T1204.002

    Tactics: Execution

    Description: Lokibot is usually executed through malicious documents, AutoIt scripts, and Windows installers. (https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf)

  • Obfuscated Files or Information

    ID: T1027

    Tactics: Defense Evasion

    Description: Lokibot is usually protected by at least one obfuscation technique. (https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf),

    https://blog.talosintelligence.com/threat-roundup-0204-0211/,

    https://blog.talosintelligence.com/threat-roundup-0204-0211/

  • OS Credential Dumping

    ID: T1003

    Tactics: Credential Access

    Description: https://blog.talosintelligence.com/threat-roundup-0204-0211/

  • Phishing

    ID: T1566

    Tactics: Initial Access

    Description: Lokibot is usually delivered via email, with mass propagation campaigns. (https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf)

  • Process Hollowing

    ID: T1055.012

    Tactics: Privilege Escalation, Defense Evasion

    Description: It has been reported that Lokibot uses the Process Hollowing technique to inject itself into other processes. (https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf)

  • Process Injection

    ID: T1055

    Tactics: Privilege Escalation, Defense Evasion

    Description: https://blog.talosintelligence.com/threat-roundup-0204-0211/

  • Reflective Code Loading

    ID: T1620

    Tactics: Defense Evasion

    Description: https://ivanvza.github.io/posts/lokibot_analysis/

  • Software Packing

    ID: T1027.002

    Tactics: Defense Evasion

    Description: Lokibot may be protected by at least one form of the packing algorithm. (https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf)

  • Steal Web Session Cookie

    ID: T1539

    Tactics: Credential Access

    Description: https://blog.talosintelligence.com/threat-roundup-0204-0211/

  • System Information Discovery

    ID: T1082

    Tactics: Discovery

    Description: Lokibot has the capability of getting the architecture, screen resolution, operating system version, and other system information. (https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf)

  • System Location Discovery

    ID: T1614

    Tactics: Discovery

    Description: https://ivanvza.github.io/posts/lokibot_analysis/

  • System Network Configuration Discovery

    ID: T1016

    Tactics: Discovery

    Description: Lokibot has the capability of getting the domain name of the computer it infected. (https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf)

  • System Owner/User Discovery

    ID: T1033

    Tactics: Discovery

    Description: Lokibot has the capability of getting the username of a logged-in user. (https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf)

  • Unsecured Credentials

    ID: T1552

    Tactics: Credential Access

    Description: https://blog.talosintelligence.com/threat-roundup-0204-0211/

  • Web Protocols

    ID: T1071.001

    Tactics: Command and Control

    Description: Lokibot uses the HTTP to communicate with the command and control (C&C). (https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf)

infostealers-logo

BE THE FIRST TO KNOW

Get FREE access to Cavalier GPT

Stay informed with the latest insights in our Infostealers weekly report.

Receive a notification if your email is involved in an Infostealer infection.

No Spam, We Promise

BE THE FIRST TO KNOW

Get FREE access to Cavalier GPT

Stay informed with the latest insights in our Infostealers weekly report.

Receive a notification if your email is involved in an Infostealer infection.

No Spam, We Promise