The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has released a public warning about a marked rise in LokiBot malware activity recorded in the past two months.

Also known as Lokibot, Loki PWS, and Loki-bot, LokiBot initially came to the fore in 2015. It is a complex data stealer, used to obtain credentials and other protected data from victim devices. The malware attacks Windows and Android operating systems, uses a keylogger to capture usernames and passwords, and monitors browser and desktop activity. LokiBot can capture login credentials from a range of different applications and data sources, such as the Safari, Chrome, and Firefox web browsers, along with login details for email accounts and FTP and sFTP clients.

The malware can also capture other important data and cryptocurrency wallets, and can set up backdoors in infiltrated devices to permit ongoing access, allowing the operators of the malware to deliver additional malicious downloads.

The malware establishes a connection with its command and control server and steals data over the HyperText Transfer Protocol (HTTP). It has been observed inserting itself into legitimate Windows processes such as vbc.exe to avoid being discovered. The malware can also create a duplicate of itself, which is saved to a hidden file and directory on an infiltrated device.
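A triage sketch for the behaviours described above, written as an added example (it is not CISA's or any vendor's detection logic). The event schema, field names and sample events are constructed, and it assumes vbc.exe, the Visual Basic command-line compiler, has no routine reason to make outbound HTTP connections in the monitored environment.

```python
from collections import defaultdict

# Constructed sample telemetry. Field names are hypothetical, not a real EDR schema.
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "net", "image": VBC, "proto": "http", "dest": "203.0.113.10"},
    {"host": "ws-01", "type": "file", "hidden": True, "dir_hidden": True,
     "path": r"C:\Users\alice\AppData\Roaming\cache\svc.exe"},
    {"host": "ws-02", "type": "net", "proto": "http", "dest": "198.51.100.7",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"host": "ws-03", "type": "file", "hidden": True, "dir_hidden": False,
     "path": r"C:\Users\bob\Documents\report.docx"},
    {"host": "ws-04", "type": "net", "image": VBC.upper(), "proto": "http", "dest": "203.0.113.10"},
]

# Processes that should not talk HTTP (assumption); the page names vbc.exe.
WATCHED = {"vbc.exe"}

def basename(path):
    """Case-insensitive file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Flag hosts where a watched process makes HTTP connections.

    Severity is raised to 'high' when the same host also shows an executable
    written as a hidden file inside a hidden directory (the self-copy
    behaviour), otherwise it stays 'medium'.
    """
    net_hits, hidden_exes = defaultdict(set), defaultdict(list)
    for ev in events:
        if ev["type"] == "net":
            if ev["proto"] == "http" and basename(ev["image"]) in WATCHED:
                net_hits[ev["host"]].add(ev["dest"])
        elif ev["type"] == "file":
            if ev["hidden"] and ev["dir_hidden"] and basename(ev["path"]).endswith(".exe"):
                hidden_exes[ev["host"]].append(ev["path"])
    return [
        {"host": host,
         "severity": "high" if hidden_exes.get(host) else "medium",
         "dests": sorted(net_hits[host]),
         "hidden_exes": hidden_exes.get(host, [])}
        for host in sorted(net_hits)
    ]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A hidden file on its own (ws-03) or ordinary browser traffic (ws-02) produces no alert; only the watched process making HTTP connections does, and the hidden self-copy only raises its severity.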

The malware may be quite simple, but that has made it a useful tool for a wide range of cybercriminals, and it is being used in a wide variety of data compromise attacks. Since July, CISA’s EINSTEIN Intrusion Detection System has tracked a huge spike in LokiBot activity.

LokiBot is typically deployed with a malicious attachment; however, since July, the malware has been distributed in a range of different ways, including links to websites hosting the malware being sent via SMS and text messaging software.

Data stealers have been in vogue since the beginning of the COVID-19 pandemic, particularly LokiBot. To tackle attacks like this, your organization should use a strong e-security solution like SpamTitan and WebTitan.

SpamTitan is a robust security solution that tackles phishing emails at source, stopping dangerous messages from landing in mailboxes. WebTitan is a DNS filtering package that is used to manage the web pages that can be accessed on wired and wireless networks, restricting access to web pages that are used for phishing and malware delivery.

WebTitan and SpamTitan can be used as part of a free TitanHQ trial.