The Evolution of LokiBot: Deep Dive into Modern Evasion and Injection Techniques

LokiBot is no stranger to the threat landscape. First surfacing in underground forums around May 2015 via vendors known as “lokistov” and “carter,” this infostealer has demonstrated remarkable longevity. However, recent iterations show a significant shift toward sophisticated anti-analysis and anti-detection maneuvers designed to bypass modern EDR (Endpoint Detection and Response) solutions.

Modern samples use a multi-stage loading process that combines API hashing with 3DES-encrypted command-and-control (C2) configurations embedded directly in the binary. The result is a compact, stealthy loader that reconstructs the primary LokiBot payload in memory, minimizing the footprint of observable imports and obscuring its network infrastructure.

First LokiBot advertisement (Source: LevelBlue).

The Multi-Stage Execution Chain

According to research from LevelBlue, the infection typically begins with malspam delivering an obfuscated JScript attachment. This script leverages the Windows Script Host to stage a Base64-encoded PowerShell loader.

The execution logic is notably deceptive. The JScript layer intersperses legitimate decoding logic with decoy functions and includes timed cleanup routines. These routines are designed to delete temporary files and terminate malicious processes if certain time thresholds expire, effectively frustrating time-sensitive sandbox analysis.

The PowerShell component functions as a reflective .NET assembly loader. It utilizes an XOR layer to reveal a Base64-encoded .NET assembly, which is subsequently loaded into memory via [System.Reflection.Assembly]::Load and invoked through a MEN.EXECUTE.LAUNCH() entry point. This method passes critical parameters, including the file path to aspnet_compiler.exe and a large byte array containing the PE image intended for injection.

Advanced Evasion: API Hashing and Obfuscation

One of the most prominent technical shifts in recent LokiBot samples is the heavy reliance on API Hashing. Rather than relying on a standard Import Address Table (IAT)—which provides a roadmap for analysts—the malware maintains a minimal set of static imports. It resolves necessary functions at runtime by enumerating the export names of targeted DLLs and matching them against precomputed hashes.

The custom hashing algorithm employs repeated right shifts combined with an XOR operation against a fixed constant. While this complicates static analysis, these functions are often cataloged in tools like HashDB, allowing investigators to map hash values back to their original WinAPI names during forensic reconstruction.

Furthermore, the reflectively loaded assembly is protected with ConfuserEx. Once execution begins, the malware dynamically resolves kernel32.dll exports to facilitate a classic process-injection chain. Analysis of these calls reveals the following sequence: CreateProcess → VirtualAllocEx → WriteProcessMemory → SetThreadContext → ResumeThread, specifically targeting the aspnet_compiler.exe process.
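As an added illustration (not code from LevelBlue's analysis or from the malware), the Python below sketches the HashDB-style reverse mapping an investigator uses to turn hash values seen in a dump back into the export names of the injection chain above. The hash routine, its shift count and XOR constant are placeholders shaped like the description in the previous section, not values recovered from a sample, and the kernel32 export list is a constructed subset.

```python
# Placeholder stand-in for the sample's export-name hash. The page only says
# "repeated right shifts combined with an XOR against a fixed constant", so the
# rotation width and constant here are assumptions, not recovered from a sample.
SHIFT = 5
XOR_CONST = 0x1234ABCD   # placeholder constant
MASK = 0xFFFFFFFF


def api_hash(name: str) -> int:
    h = 0
    for c in name.encode("ascii"):
        # rotate right by SHIFT, then mix in the next character
        h = (((h >> SHIFT) | (h << (32 - SHIFT))) & MASK) ^ c
    return h ^ XOR_CONST


# Constructed subset of kernel32.dll export names. A real run would enumerate the
# DLL's export directory (e.g. with pefile), exactly as the loader walks it at runtime.
KERNEL32_EXPORTS = ["CreateProcessA", "CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
                    "SetThreadContext", "ResumeThread", "GetThreadContext", "ReadProcessMemory",
                    "CloseHandle", "LoadLibraryA", "GetProcAddress", "Sleep"]


def build_lookup(exports):
    """HashDB-style table: hash value -> export name, refusing silent collisions."""
    table = {}
    for name in exports:
        h = api_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"collision: {table[h]} / {name}")
        table[h] = name
    return table


def reconstruct(observed_hashes, table):
    """Map hashes pulled from a debugger dump back to names; unknown values stay as hex."""
    return [table.get(h, f"unknown_{h:08x}") for h in observed_hashes]


# Constructed "dump": the values a debugger would show the loader resolving, plus one junk value.
OBSERVED = [api_hash(n) for n in ["CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
                                  "SetThreadContext", "ResumeThread"]] + [0xDEADBEEF]

if __name__ == "__main__":
    print(" -> ".join(reconstruct(OBSERVED, build_lookup(KERNEL32_EXPORTS))))
```

Swapping api_hash for the routine actually lifted from a sample is the only change needed to reuse the lookup against real export tables.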

LokiBot’s execution chain (Source: LevelBlue).

Payload Capabilities and Persistence

The final 32-bit PE payload is compiled with MSVC 2015. It contains a specific “.x” data section housing 3DES-encrypted C2 endpoints. To maintain confidentiality, the loader decrypts these addresses only at runtime to construct the HTTP requests required for initial beaconing.

For persistence, LokiBot attempts to create a Registry Run key. It also copies itself to the %AppData% directory using a filename derived from the machine’s MachineGuid. To prevent multiple concurrent infections, it generates a unique mutex based on the MD5 hash of that same MachineGuid. Note that some recent “patched” builders have been observed to have broken decryption subroutines, resulting in malformed registry keys and failed persistence.

WinAPI parameter dumping (Source: LevelBlue).

Once established, LokiBot’s primary mission is data exfiltration. It targets over a hundred different products, including web browsers, cryptocurrency wallets, password managers, email clients, and FTP tools. Stolen data is aggregated, compressed using aPLib, and exfiltrated to the C2 via HTTP. The malware then enters a beaconing loop, checking in every minute with system metadata to await further instructions.

Defensive Strategies and Detection

Defenders should prioritize the following telemetry for detection:

  • Script-Based Staging: Monitor for anomalous Windows Script Host or PowerShell activity, particularly involving heavily obfuscated JScript or Base64-encoded strings.
  • Process Anomalies: Watch for aspnet_compiler.exe acting as a parent process or being the target of remote memory allocation/injection.
  • Runtime Export Walking: Identify processes with unusually small import tables that exhibit heavy enumeration of system DLL exports.
  • Mutex/File Monitoring: Track the creation of mutexes or files in %AppData% that correlate with MachineGuid hashes.
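The four telemetry points above turned into rule logic over constructed Sysmon-style events, as an added example that is not part of the original article. The MachineGuid value and the sample events are constructed, and the third rule assumes the mutex/file names embed a hex substring of MD5(MachineGuid), since the page states the derivation only in outline.

```python
import hashlib
import re

# Constructed host fact: the MachineGuid the rules compare artifacts against (not a real value).
MACHINE_GUID = "8f1a2c3d-4e5b-6a7c-8d9e-0f1a2b3c4d5e"
MD5_GUID = hashlib.md5(MACHINE_GUID.encode()).hexdigest()
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PROCESS_VM_WRITE = 0x20   # access right a remote writer needs on the target process
ENCODED_FLAG = re.compile(r"\s-e(?:c|n|nc|ncodedcommand)?\s", re.I)   # -EncodedCommand spellings
HEX_RUN = re.compile(r"[0-9a-f]{8,}", re.I)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the rule names a single Sysmon-style event dict trips (empty list if none)."""
    hits = []
    if ev["type"] == "ProcessCreate":
        parent, image = _base(ev["ParentImage"]), _base(ev["Image"])
        # Script-based staging: a script host launching PowerShell with an encoded command.
        if parent in SCRIPT_HOSTS and image == "powershell.exe" and ENCODED_FLAG.search(ev["CommandLine"]):
            hits.append("script_host_encoded_powershell")
        # Process anomaly: aspnet_compiler.exe has no normal reason to spawn children.
        if parent == "aspnet_compiler.exe":
            hits.append("aspnet_compiler_as_parent")
    elif ev["type"] == "ProcessAccess":
        # Process anomaly: a handle to aspnet_compiler.exe that permits writing its memory.
        if _base(ev["TargetImage"]) == "aspnet_compiler.exe" and int(ev["GrantedAccess"], 16) & PROCESS_VM_WRITE:
            hits.append("aspnet_compiler_memory_write_access")
    elif ev["type"] in ("FileCreate", "MutexCreate"):
        # Mutex/file monitoring. Assumption: the name carries a hex slice of MD5(MachineGuid).
        name = ev["Name"]
        scoped = ev["type"] == "MutexCreate" or "\\appdata\\" in name.lower()
        if scoped and any(m.group(0).lower() in MD5_GUID for m in HEX_RUN.finditer(name)):
            hits.append("machineguid_md5_artifact")
    return hits


# Constructed sample events: three that should fire and one benign control.
EVENTS = [
    {"type": "ProcessCreate", "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"type": "ProcessAccess", "SourceImage": "C:\\Users\\u\\AppData\\Roaming\\x.exe",
     "TargetImage": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"type": "FileCreate", "Name": "C:\\Users\\u\\AppData\\Roaming\\" + MD5_GUID[:8] + "\\" + MD5_GUID[8:20] + ".exe"},
    {"type": "ProcessCreate", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]


def scan(events):
    """Flatten to (event index, rule) pairs, the shape a SIEM alert list would take."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]
```

The GrantedAccess mask and the %AppData% scoping are the knobs to tune against baseline noise before deploying any of these rules.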

For rapid analysis, investigators can use radare2 to automate the resolution of hashed APIs and should prioritize extracting 3DES keys from memory to decrypt the “.x” configuration section.

