In late June 2017, Wapack Labs identified a malicious email targeting a Ukrainian financial institution (FI) to deliver a credential-stealing malware called Loki Bot. This incident happened at the same time as the Petya/NotPetya ransomware outbreak. Loki Bot samples and C2s were reported as being Petya/NotPetya ransomware. Further confusion resulted when AV detections began identifying Loki Bot as Petya/NotPetya. Loki Bot is sold in underground Tor marketplaces and can steal passwords from browsers, FTP/SSH applications, email accounts and crypto-coin wallets. Wapack Labs was able to sinkhole malicious Loki Bot C2 domains for further analysis.

This report discusses the misattribution of Loki Bot, along with technical details of the analyzed Loki Bot samples, including analysis of the sinkholed domains and indicators of compromise.
We normally don't publish analysis in its entirety. My team has requested that we post this analysis on the blog for broader situational awareness.
Enjoy.