Recently, a new variant of the malicious trojan LokiBot was noticed by cyber enthusiasts @dvk01uk, @angel11VR and @ViriBack. It is spreading quickly not only on Android, as it did a year ago (TheHackerNews.com), but also on Windows. While it acts slightly differently on the two platforms, LokiBot is equally dangerous on both. (Learn more about what a trojan is on kaspersky.com.)
At the end of 2017, threatfabric.com recognized LokiBot as the first hybrid malware, with several well-thought-out features that let it work as a trojan and as ransomware at the same time. It was at first mistaken for BankBot because of some similarities, but LokiBot soon gained recognition of its own for its powerful capabilities. Now the trojan has come back even stronger, attacking Windows as well.
How does LokiBot malware affect Windows
Although LokiBot is primarily an Android virus, it has all the capabilities needed to infect computers as well. The behavior this parasite demonstrates is common to typical trojans such as TeleGrab, JackServn and Stresspaint. While LokiBot is not focused on crypto mining as some popular trojans are, it earns enough by performing other tasks. In 2017, LokiBot earned more than 1.5 million dollars from the Android exploits alone.
After an unfortunate click on a malicious link, or a download of malware mistaken for legitimate software, LokiBot runs silent processes in the background without consent, making sure that every interfering security barrier is neutralized or bypassed. This includes changing firewall and antivirus settings and modifying system files and the registry. Once the setup is finished and LokiBot is sure that all its scripts are running and that persistence and safety are achieved, the trojan starts its evil deeds. More technical information about the most current LokiBot version is available on Virustotal.com.
LokiBot is not a flashy parasite; it works silently so that the user won’t try to remove it. Mainly, this malware invades the internet browser, whether it is Mozilla, Edge, Chrome or Safari, and thoroughly tracks browsing activity and previous search history. The trojan records the most valuable information, such as passwords, logins and bank data, with the help of keylogging. LokiBot then uses the compromised machine to send all the recorded data to remote hacker servers.
The main signs that your computer is infected with the LokiBot trojan are that your system and browser start working more slowly or crashing, your antivirus or firewall gets disabled or stops working properly, you see more ads and hyperlinks in unusual places when browsing, new programs appear that you never installed, additional malware infections show up (which hackers send through their server), and, worst of all, money goes missing from bank accounts and your identity is stolen.
At the moment the most infected countries are Nepal and Nigeria, but the new version is quickly making its way to the US and the rest of the world. Moreover, rumor has it that LokiBot can be bought on the DarkNet for $2000.
How does the LokiBot trojan spread
LokiBot mostly spreads via socially engineered spam emails that contain a malicious trojan installation .exe file. These emails can look really deceptive, from the content to the sender’s address, e.g. messages from a government body, bank, workplace or hospital, invoices, or requests to log in and download the attached file.
LokiBot doesn’t limit itself to just one technique, however. As etutorials.org mentions, it can also be distributed via hyperlinks and ads that redirect to malevolent sites, via messaging applications, and bundled together with other programs.
It’s impossible to recognise the LokiBot trojan just from the file’s name, because it can be camouflaged as an Adobe Flash Player for Android or as a text/zip file named something harmless, just like the earlier version from 2017 called ‘Contract’ (see more details on virustotal.com). To prevent the LokiBot trojan from getting into your computer, or to avoid infecting your devices again, you should read our Ultimate Security Guide Against Ransomware and implement most of the tips mentioned there, or follow the advice from securingtomorrow.com.
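Because the file name says nothing reliable, a mail filter has to look at what an attachment contains. The following is an added example, not code from the original article: it parses a message, checks each attachment (and each member of a zip attachment) for a Windows PE header, and ignores the declared name. The sample mail, its file names and the inert header stub are constructed for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def looks_like_pe(head: bytes) -> bool:
    """'MZ' DOS header whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def scan_message(raw: bytes) -> list:
    """Return (attachment name, reason) for each attachment carrying an executable."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if looks_like_pe(data[:4096]):
            findings.append((name, "PE executable content"))
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.flag_bits & 0x1:  # encrypted member: cannot be inspected
                        findings.append((name, "encrypted archive member: " + member.filename))
                        continue
                    with zf.open(member) as fh:  # read the header only, not the whole file
                        if looks_like_pe(fh.read(4096)):
                            findings.append((name, "PE inside archive: " + member.filename))
    return findings

def build_sample() -> bytes:
    """Constructed test mail; the 'executable' is an inert 68-byte header stub."""
    stub = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("invoice.pdf", stub)  # misleading name inside the archive
        zf.writestr("readme.txt", b"hello")
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached file.")
    for data, fname in ((stub, "Contract.txt"), (archive.getvalue(), "docs.zip"),
                        (b"meeting notes", "notes.txt")):
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"{name}: {reason}")
```

Encrypted archive members are reported rather than skipped, since a password-protected zip is exactly the case a content check cannot see into.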
What does LokiBot trojan do to Androids
While the spreading methods and the main purpose of collecting personal data stay almost the same as in the Windows variant, LokiBot has another special trick up its sleeve for Android: scamming by simulating apps that require login information. LokiBot pretends to be Skype, WhatsApp, a mail app, PayPal or even your bank app, and then displays a notification saying that you must log in via a link to see a message, an email, information about a money transfer, etc. Even though it is a fake page, LokiBot manages to record the entered data.
What is more, when the trojan has collected enough data, it can easily use the real applications to distribute itself to your contact list and further. Moreover, the crooks can use the victim’s identity to commit other horrible cyber crimes, like asking friends for money transfers to the hackers’ accounts or selling data to third parties. When victims start noticing that the device works much more slowly and that suspicious messages are being sent from their accounts, they face another problem when trying to get rid of the LokiBot malware: the ransom demand.
Once the user tries to remove the trojan, LokiBot locks the screen and asks for a ransom of around $70-100 in BTC to decrypt the files and get the locked files back. Luckily, not all parts of LokiBot are well developed, and the ‘encryption’ process ends up making renamed copies of the compromised files, so you can access them without paying.
Surprisingly, the features of this malware don’t end there. Apart from fairly regular features like reading and sending spam text messages, tracking and collecting information, and locking the Android device, the LokiBot trojan can automatically start banking applications, perform phishing attacks under the cover of other programs, etc. This dangerous virus should be removed as soon as possible to prevent further distribution, data breaches, money or identity theft, and other major issues.
How to get rid of the LokiBot trojan
Every internet user, or rather every computer or smartphone owner, should have an antivirus installed, which helps in cases like this by preventing trojans and other types of malware from accessing your devices and stealing personal data. However, if you didn’t have any security product, or the current one didn’t work, this time you will have to get an even stronger tool: malware removal software (which is not the same as antivirus).
Anti-spyware is made to detect parasites like LokiBot once they are already in the system and to delete them even from the deepest levels of your virtual machine. Since LokiBot works on both Windows and Android, we advise getting Malwarebytes. This program has security versions for both computers and smartphones, and the most up-to-date malware databases, which allow it to detect even the newest threats.
Lastly, if your compromised smartphone has been locked with LokiBot’s ransom note, the easy way to retrieve the encrypted files is simply to run Android in Safe Mode.