Credential and infostealing malware targets Android and Windows Devices
The US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued an alert detailing the use of LokiBot malware to steal sensitive information. CISA’s Alert (AA20-266A) notes an increase in LokiBot activity since July 2020.
CISA recommends that all federal, state, local, tribal, and territorial government users, as well as private sector users, take steps to mitigate LokiBot and other malware attacks.
LokiBot malware is a Trojan used to steal credentials and harvest other sensitive information from compromised devices. It targets both Windows and Android users. Hackers infect electronic devices through email attachments, malicious websites, SMS text messages, and other private messages.
“Throughout this period, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected persistent malicious LokiBot activity,” says CISA.
In June 2020, LokiBot malware was used in a global phishing email campaign that impersonated the World Health Organization (WHO). The emails attempted to trick recipients into opening a malicious email attachment. The attack leveraged CVE-2017-11882 (Office Equation Editor). Messaging in the email offered COVID-19 tips and information. Once a device was compromised, the infostealer harvested FTP credentials, email passwords, and passwords saved in web browsers.
This malware was first seen in 2015. LokiBot is also referred to as Lokibot, Loki PWS, and Loki-bot. The malware is commonly used to steal credentials through the use of a keylogger. It can also establish a backdoor to compromised machines allowing the attackers to deploy more malware.
LokiBot has been reported:
- Disguised as a fake launcher for Fortnite
- In spear phishing attacks
- As an Android banking Trojan
It has even been found to be preinstalled on Android devices.
CISA recommends implementing best practices to defend against LokiBot malware as well as other cyber attacks.
- Keep all antivirus applications up to date
- Patch operating systems with the latest security patches
- Disable file and printer sharing services
- Require the use of multi-factor authentication (MFA) on all apps and devices
- Require the use of strong, hard-to-guess passwords
- Scan all software downloads for malware
The remainder of CISA’s recommendations can be found in the advisory.
Users should be educated about the risks of opening email attachments or clicking on links in emails, even when they believe they know the sender. Read our guide on how to detect a phishing email to understand how malicious emails work.
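The WHO-themed lure described above combines two traits a mail gateway or analyst can check mechanically: a display name that claims a trusted organisation while the sending domain does not belong to it, and an Office-format attachment of the kind that carries Equation Editor objects. The script below is an added example written for this page; it is not code from CISA, the advisory, or the article. The two messages are constructed samples (the attachment body is only an OLE file header, not a real document), and the `TRUSTED_SENDERS` allow-list and `RISKY_EXTENSIONS` set are assumptions a defender would tune for their own environment.

```python
"""Heuristic phishing triage for .eml messages: flag sender-name impersonation
and Office/RTF attachments. Added example; findings are hints, not verdicts."""
import email
import os
from email import policy
from email.utils import parseaddr

# Constructed sample resembling the WHO-themed lure described in the alert.
# Not a real campaign artefact: the attachment payload is just an OLE2 header.
PHISHING_EML = """\
From: "World Health Organization" <alerts@who-covid-updates.example>
To: staff@example.org
Subject: COVID-19 safety tips
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached guidance and follow the tips.
--b1
Content-Type: application/msword; name="Covid19_Tips.doc"
Content-Disposition: attachment; filename="Covid19_Tips.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAA
--b1--
"""

# Constructed benign message used as a control case.
BENIGN_EML = """\
From: IT Helpdesk <helpdesk@example.org>
To: staff@example.org
Subject: Maintenance window
Content-Type: text/plain; charset="utf-8"

The mail server will be patched on Saturday.
"""

# Hypothetical allow-list: a display-name keyword and the domains it may legitimately use.
TRUSTED_SENDERS = {"world health organization": {"who.int"}}

# Legacy Office and RTF files are the containers in which Equation Editor objects
# (the component affected by CVE-2017-11882) are embedded. Extension alone is a hint.
RISKY_EXTENSIONS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx"}
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file signature


def parse(raw):
    """Parse raw RFC 5322 text into an EmailMessage (modern policy gives iter_attachments)."""
    return email.message_from_string(raw, policy=policy.default)


def sender_mismatch(msg):
    """Return (display_name, domain, expected_domains) when the display name claims a
    trusted organisation but the address domain is not one it uses; else None."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for keyword, domains in TRUSTED_SENDERS.items():
        if keyword in name.lower() and domain not in domains:
            return name, domain, sorted(domains)
    return None


def risky_attachments(msg):
    """Return [(filename, [reasons])] for attachments that look like Office documents,
    judged by extension and by the OLE2 signature of the decoded payload."""
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        data = part.get_payload(decode=True) or b""
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"extension {ext}")
        if data.startswith(OLE_MAGIC):
            reasons.append("OLE compound file header")
        if reasons:
            findings.append((filename, reasons))
    return findings


def triage(raw):
    """Run both checks and return a list of human-readable findings (empty if clean)."""
    msg = parse(raw)
    findings = []
    mismatch = sender_mismatch(msg)
    if mismatch:
        name, domain, expected = mismatch
        findings.append(f"display name '{name}' but sender domain '{domain}' (expected one of {expected})")
    for filename, reasons in risky_attachments(msg):
        findings.append(f"attachment '{filename}': " + ", ".join(reasons))
    return findings


if __name__ == "__main__":
    for label, raw in (("phishing sample", PHISHING_EML), ("benign sample", BENIGN_EML)):
        print(f"{label}: {triage(raw) or 'no findings'}")
```

Feeding the phishing sample through `triage` yields two findings (the sender mismatch and the `.doc` attachment with an OLE header), while the benign control yields none. A production gateway would add sandbox detonation and reputation data; the point here is that the two lure traits the alert describes are cheap to surface before a user ever sees the message.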