Monday, July 17, 2017

Below the noise of Petya - Loki Bot Credential Stealing Malware

In late June 2017, Wapack Labs identified a malicious email targeting a Ukrainian financial institution (FI) that delivered a credential-stealing malware called Loki Bot. The incident coincided with the Petya/NotPetya ransomware outbreak.

Loki Bot samples and C2s were reported as Petya/NotPetya ransomware, and the confusion deepened when AV detections began labeling Loki Bot as Petya/NotPetya. Loki Bot is sold in underground Tor marketplaces and can steal passwords from browsers, FTP/SSH clients, email accounts and cryptocurrency wallets. Wapack Labs was able to sinkhole malicious Loki Bot C2 domains for further analysis.

This report discusses the misattribution of Loki Bot, along with technical details of the analyzed Loki Bot samples, analysis of the sinkholed domains, and indicators of compromise.

We normally don't publish analysis in its entirety. My team has requested that we post this analysis on the blog for broader situational awareness.