Lokibot is at it Again, This Time Spreading via Purchase Order

Lokibot malware has been around for several years, being distributed via phishing campaigns that include malicious email attachments or embedded URLs. Since its discovery in 2016, it had been used by various cybercriminals to create backdoors into the Windows machine. In the recent attacks, Lokibot was found being distributed via phishing emails disguised as Purchase Order attachments. Let’s take a closer look at Lokibot’s recent attack methods.

Lokibot is an information-stealing trojan that that steals account information from various programs installed on the infected PC, such as web browsers, email clients, and FTP clients. Lokibot has been running rampant for several years. In fact, it is one of the most commonly discovered malware to this day. Lokibot frequently appears on the ‘Top 5 Weekly Malware’ statistics conducted by ASEC (AhnLab Security Emergency-response Center).

Like other malware such as AgentTesla, Formbook, and AveMaria, Lokibot mostly spreads via spear-phishing emails. When the user downloads and executes the attached file, the malware infects the user’s PC. Also, Lokibot uses several packing methods, such as a .NET file, for obfuscation and evading detection. 

The recently found Lokibot disguises as a purchase order email and prompts the user to open the attachment file within. The file compressed in .cab format is attached to the email and decompressing it will extract the Lokibot .exe file. Executing this file will infect the user’s PC. 

Once Lokibot is executed, it steals account information of a program and sends it to the C&C (Command & Control) server. Afterward, it copies the file to ‘\AppData\Roaming\[random]\[random].exe’ directory, hides it, registers the run key, and periodically communicates and executes commands from the C&C server. 

Another characteristic of Lokibot is that the scope of information it steals is much broader than that of other info-stealer malware. Lokibot not only steals account information from web browsers, email clients, and FTP clients as mentioned previously, but it also steals from other programs such as instant messengers, file managers, password managers, and even poker games. However, since the malware itself is outdated, the info-stealing features sometimes fail to work properly.

To prevent malware infection from Lokibot, users must refrain from running file attachments from emails sent by suspicious senders and update their security software, such as AhnLab V3. Keeping security programs up to date and using encrypted security settings can prevent information breach.

AhnLab’s anti-malware product V3 detects Lokibot malware using the aliases below. 

[File Detection]

– Trojan/Win32.Lokibot.R349444 (2020.08.28.04)

[Behavior Detection]

– Malware/MDP.Inject.M218

[IOC Information]


– hssp://79.124.8[.]8/plesk-site-preview/benetaeu-group.com/http/


– d6e4167f31ade27c559b119adfbcfc88

1 1 vote
Article Rating
Inline Feedbacks
View all comments

[…] Lokibot is at it Again, This Time Spreading via Purchase Order […]


[…] Lokibot is at it Again, This Time Spreading via Purchase Order […]