Loki is an info-stealer malware that was first detected in February 2016. It initially targeted Android systems, and its capabilities include stealing credentials, disabling notifications, intercepting communications and data exfiltration.
Loki also exhibited ransomware behavior in October 2017 and was sold on underground hacking forums. From August 2018 to the present, Loki has targeted corporate mailboxes via phishing and spam emails. The phishing emails carry a file attachment with an .iso extension which downloads and executes the Trojan malware; the Trojan steals passwords from browsers, email clients, File Transfer Protocol (FTP) clients, messaging applications and cryptocurrency wallets.
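The delivery vector described above (a phishing mail carrying an .iso attachment) is something a mail gateway or SOC script can flag before the image is ever mounted. The following is an added example, not code from this advisory or from any Trend Micro product: it parses a message with Python's standard library and returns the names of attachments that are disk images. The ".iso" extension is the one named in the advisory; the ".img" extension and the sample message itself are assumptions constructed here for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# ".iso" is the lure extension named in the advisory; ".img" is an assumption added
# here because Windows mounts it the same way (double-click auto-mount).
DISK_IMAGE_EXTS = {".iso", ".img"}
ISO_MIME_TYPE = "application/x-iso9660-image"


def flag_disk_image_attachments(raw_message: bytes) -> list:
    """Return filenames of attachments that look like disk images.

    Matches on the final extension (so "invoice.pdf.iso" is caught) and on the
    declared MIME type, so a renamed attachment with an honest Content-Type is
    still flagged.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in DISK_IMAGE_EXTS or part.get_content_type() == ISO_MIME_TYPE:
            hits.append(name)
    return hits


def build_sample_message() -> bytes:
    """Constructed sample mail: one benign PDF and one ISO attachment (not real malware)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "finance@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed sample",
                       maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    # Disk-image lure: a few placeholder bytes, labelled as constructed.
    msg.add_attachment(b"CD001 constructed sample, not a real image",
                       maintype="application", subtype="x-iso9660-image",
                       filename="invoice_0419.iso")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_disk_image_attachments(build_sample_message()))
```

Run it against a saved .eml by passing the file's bytes to `flag_disk_image_attachments`; a non-empty result is the signal to quarantine the message rather than deliver it.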
Capabilities
- Information Theft
- Exploits
- Disabling usage capability
Infection Routine
File Reputation
Detection/Policy/Rules | Pattern/Branch/Version | Release Date |
---|---|---|
TrojanSpy.Win32.LOKI.TIOIBODR, TrojanSpy.Win32.LOKI.SMDD.hp, TrojanSpy.Win32.LOKI.THCOEAI, TrojanSpy.Win32.LOKI.THBBFAI, TrojanSpy.Win32.LOKI.THCBAAI, TrojanSpy.Win32.LOKI.SM.hp, Trojan.W97M.LOKI.AMK, TrojanSpy.Win32.LOKI.TIOIBODS, TrojanSpy.Win32.LOKI.TIOIBODN, TrojanSpy.Win32.LOKI.THBOFAI, TrojanSpy.Win32.LOKI.TIOIBOCV, TrojanSpy.Win32.LOKI.TIOIBOCQ, TrojanSpy.Win32.LOKI.THOABEAI, TrojanSpy.Win32.LOKI.THOAAAAI, Trojan.Win32.LOKI.UHBADFW | Ent OPR 14.929.03 | April 9, 2019 |
Predictive Machine Learning
Detection | Pattern Branch/Version |
---|---|
TROJ.Win32.TRX.XXPE50F13007R2D6E, Troj.Win32.TRX.XXPE50F13007, Ransom.Win32.TRX.XXPE50F13007, TROJ.Win32.TRX.XXPE50F13006R2D6E | N/A |
Behavior Monitoring
Pattern Branch/Version | Release Date |
---|---|
AEGIS TMTD OPR 1689 | August 11, 2017 |
AEGIS TMTD OPR 1839 | October 30, 2018 |
Web Reputation
URL | Category | Blocking Date |
---|---|---|
hxxp://megaklik.top/otika/otika.exe | Malware Accomplice, Disease Vector | April 2, 2019 |
hxxp://cj.3rwm.pk/cj.exe | Malware Accomplice, Disease Vector | April 2, 2019 |
hxxp://megaklik.top/nwamanew/nwamanew.exe | Malware Accomplice, Disease Vector | March 22, 2019 |
hxxp://cgi.fleetia.eu/202597.gif | Disease Vector | April 8, 2019 |
hxxp://cgi.fleetia.eu/out-1961441859.hta | Disease Vector | April 8, 2019 |
hxxp://bozarkaya.com/zuniga/zuniga.exe | Malware Accomplice, Disease Vector | April 2, 2019 |
hxxp://uzocoms.eu/nwama/five/fre.php | C&C Server | March 7, 2019 |
hxxp://cubaworts.gq/700/index.php | Disease Vector | April 8, 2019 |
hxxp://cgi.fleetia.eu/1309778.png | Disease Vector | April 8, 2019 |
hxxp://jacksonbrown.5gbfree.com/mnco.exe | Disease Vector | April 8, 2019 |
hxxp://overenvy.5gbfree.com:80/dj.exe | Malware Accomplice, Disease Vector | April 8, 2019 |
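The Web Reputation table above is a ready-made indicator list, but the URLs are defanged (hxxp://) and one of them carries an explicit port, so they cannot be matched against proxy logs verbatim. The following added example, not code from this advisory or from any Trend Micro product, refangs the advisory's URLs, reduces them to hostnames, and sweeps a small proxy log for any client that contacted one of those hosts. Matching on hostname rather than the full URL is a deliberate widening: the same hosts served several different payload paths in the table. The log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for the example.

```python
from urllib.parse import urlsplit

# Defanged URLs copied from the advisory's Web Reputation table.
ADVISORY_URLS = [
    "hxxp://megaklik.top/otika/otika.exe",
    "hxxp://cj.3rwm.pk/cj.exe",
    "hxxp://megaklik.top/nwamanew/nwamanew.exe",
    "hxxp://cgi.fleetia.eu/202597.gif",
    "hxxp://cgi.fleetia.eu/out-1961441859.hta",
    "hxxp://bozarkaya.com/zuniga/zuniga.exe",
    "hxxp://uzocoms.eu/nwama/five/fre.php",
    "hxxp://cubaworts.gq/700/index.php",
    "hxxp://cgi.fleetia.eu/1309778.png",
    "hxxp://jacksonbrown.5gbfree.com/mnco.exe",
    "hxxp://overenvy.5gbfree.com:80/dj.exe",
]


def refang(url: str) -> str:
    """Undo common defanging ("hxxp", "[.]", "(.)") so the URL parses normally."""
    url = url.replace("[.]", ".").replace("(.)", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url


def host_of(url: str) -> str:
    """Lower-cased hostname with any port stripped; empty string if unparseable."""
    return (urlsplit(refang(url)).hostname or "").lower()


# Hostnames the advisory says to block; built once from the URL list.
BLOCKED_HOSTS = {host_of(u) for u in ADVISORY_URLS}

# Constructed proxy log (assumed format: timestamp client method url status).
SAMPLE_PROXY_LOG = """\
2019-04-09T08:12:01Z 10.0.0.15 GET http://www.example.com/index.html 200
2019-04-09T08:12:44Z 10.0.0.22 GET http://megaklik.top/otika/otika.exe 200
2019-04-09T08:13:02Z 10.0.0.22 POST http://uzocoms.eu/nwama/five/fre.php 200
2019-04-09T08:13:30Z 10.0.0.31 GET http://overenvy.5gbfree.com:80/dj.exe 404
2019-04-09T08:14:10Z 10.0.0.15 GET http://cdn.example.net/lib.js 200
"""


def match_proxy_log(log_text: str, blocked_hosts=BLOCKED_HOSTS) -> list:
    """Return (client_ip, method, url) for every line whose host is on the block list."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the sweep
        _ts, client, method, url, _status = fields[:5]
        if host_of(url) in blocked_hosts:
            hits.append((client, method, url))
    return hits


if __name__ == "__main__":
    for client, method, url in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} {method} {url}")
```

In the sample, the POST to fre.php is the line worth escalating first: the table classifies that URL as the C&C server, so a POST from an internal host is consistent with credential upload rather than a blocked download attempt, and 10.0.0.22 is the host that both fetched a payload and then beaconed.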
Anti-Spam
Pattern Branch/Version | Release Date |
---|---|
AS 4538.006 | April 8, 2019 |
Solution Map - What should customers do?
Trend Micro Solution | Major Product | Latest Version | Virus Pattern | Anti-Spam Pattern | Network Pattern | Behavior Monitoring | Predictive Machine Learning | Web Reputation |
---|---|---|---|---|---|---|---|---|
Endpoint Security | ApexOne | 2019 | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
Endpoint Security | OfficeScan | XG (12.0) | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
Endpoint Security | Worry-Free Business Security | Standard (10.0) | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
Endpoint Security | Worry-Free Business Security | Advanced (10.0) | Update pattern via web console | Update pattern via web console | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
Hybrid Cloud Security | Deep Security | 12.0 | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
Email and Gateway Security | Deep Discovery Email Inspector | 3.5 | Update pattern via web console | Update pattern via web console | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console |
Email and Gateway Security | InterScan Messaging Security | 9.1 | Update pattern via web console | Update pattern via web console | Not Applicable | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console |
Email and Gateway Security | InterScan Web Security | 6.5 | Update pattern via web console | Update pattern via web console | Not Applicable | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console |
Email and Gateway Security | ScanMail for Microsoft Exchange | 14.0 | Update pattern via web console | Update pattern via web console | Not Applicable | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console |
Network Security | Deep Discovery Inspector | 5.5 | Update pattern via web console | Not Applicable | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console |
Recommendation
- Always use the latest pattern available so that both old and new variants of the Loki malware are detected.
- Refer to the KB article Recommendations on how to best protect your network using Trend Micro products.
- You may also check the article Submitting suspicious or undetected virus for file analysis to Technical Support.
- For support assistance, please contact Trend Micro Technical Support.
Threat Report
- Threat Encyclopedia - search results for trojanspy.win32.loki
- Threat Encyclopedia - search results for trojan.win32.loki