lkakpick.blogg.se

Download Odin Secure FTP Expe

The Loki Bot has been observed for years. As you may know, it is designed to steal credentials from installed software on a victim’s machine, such as email clients, browsers, FTP clients, file management clients, and so on. FortiGuard Labs recently captured a PDF sample that is used to spread a new Loki variant. In this blog, we will analyze how this new variant works and what it steals.

The PDF sample only contains one page, shown above, which includes some social engineering content to entice users to download and run the malware. According to the sample content (Figure 2), an annotation object in the sample includes a URI action, from which the malware is downloaded.

When this malware is executed the very first time, it copies itself to “%AppData%\subfolder” and renames the copy to “citrio.exe” in my test environment. It then creates a VBS file which can start “citrio.exe”. The VBS file is added into the system Start Menu so it can automatically run whenever the system starts. After all these actions are complete, “citrio.exe” is started.

Figure 3. The VBS file in Startup with its code

How the new Loki variant works

All the APIs called by this malware are hidden and are restored before they are called. This increases the difficulty for researchers to analyze it.
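The URI action inside a PDF annotation object, described above, can be surfaced during triage. The following is an added example, not code from the original analysis: the sample PDF fragment, its URLs, the function names and the list of risky extensions are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: uncompressed PDF objects, two link annotations with
# URI actions (one literal string, one hex string). URLs are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
3 0 obj
<< /Type /Page /Annots [5 0 R 6 0 R] >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 612 792]
   /A << /S /URI /URI (http://download.example.invalid/invoice\\(1\\).exe) >> >>
endobj
6 0 obj
<< /Type /Annot /Subtype /Link
   /A << /S /URI /URI <68747470733A2F2F6578616D706C652E696E76616C69642F646F63> >> >>
endobj
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# /URI followed by a literal string "(...)" with escapes, or a hex string "<...>"
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\()])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)
# Assumption: extensions worth flagging when a document links straight to them
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".jar")

def extract_uri_actions(data: bytes):
    """Return (object_number, uri) for each URI action in an annotation object.
    Limitation: only uncompressed objects are seen; object streams must be
    inflated first, and unescaped nested parentheses are not handled."""
    hits = []
    for m in OBJ_RE.finditer(data):
        body = m.group(3)
        if not re.search(rb"/Type\s*/Annot\b|/Subtype\s*/Link\b", body):
            continue
        for u in URI_RE.finditer(body):
            if u.group(1) is not None:
                raw = re.sub(rb"\\(.)", rb"\1", u.group(1), flags=re.S)
            else:
                hexs = re.sub(rb"\s", b"", u.group(2)).decode("ascii")
                raw = bytes.fromhex(hexs + "0" * (len(hexs) % 2))
            hits.append((int(m.group(1)), raw.decode("latin-1")))
    return hits

def triage(data: bytes):
    """Return (object_number, uri, risky) where risky marks executable targets."""
    return [(n, uri, urlsplit(uri).path.lower().endswith(RISKY_EXT))
            for n, uri in extract_uri_actions(data)]

if __name__ == "__main__":
    for row in triage(SAMPLE_PDF):
        print(row)
```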












