Threat actors behind the LokiBot Trojan, an information stealer and backdoor that gives attackers access to Windows systems, are using a new tactic to install their Trojan: impersonation of a legitimate software installer used by EPIC Games, the gaming company behind the hugely popular free-to-play game Fortnite.
LokiBot was first identified around 5 years ago and is constantly tweaked and updated. LokiBot can steal sensitive information from an infected device, monitor activity, and perform a range of other malicious actions, including downloading additional malware variants. The malware's original source code was leaked not long after it was first detected, which has allowed multiple threat actors to develop their own variants. The LokiBot Trojan has grown into one of the most prolific malware threats over the past five years, and the latest campaign and tweaks suggest it will remain a major threat for some time to come.
The new campaign was identified by security researchers at Trend Micro who believe the fake installer is being distributed via large-scale spam email campaigns, as this method of malware distribution has been favored in the past for delivering LokiBot.
The NSIS Windows installer includes the EPIC Games logo and appears at first glance to be legitimate. Running the installer drops two files into the %AppData% directory: a C# source code file and a .NET executable, both of which are heavily obfuscated to hide their true purpose and hamper efforts to reverse-engineer the malware. The .NET file reads and compiles the C# code, decrypts it, then executes LokiBot on the infected device.
This method of infection is intended to evade security solutions that look for malicious executable binaries; combined with the obfuscated files and the encrypted assembly code inside the C# file, the threat is likely to go undetected by many security solutions.
Detecting this threat requires more capable security solutions that can perform in-depth analysis of suspicious files. Since the threat is believed to be delivered via email, advanced spam filtering solutions that feature sandboxing rather than signature-based detection methods are required to identify and block LokiBot emails.
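One host-side check that complements sandboxing is to hunt for the artefact pair described above: a .NET assembly sitting next to a C# source file in a user-profile directory such as %AppData%. The script below is an added example, not Trend Micro's or this article's code; it identifies .NET assemblies by parsing the PE header for a populated CLR runtime directory, pairs them with any `.cs` files in the same folder, and builds a constructed sample drop (the `loader.exe` / `payload.cs` names are assumptions) so it can be run offline.

```python
import os
import struct
import tempfile
from pathlib import Path

def has_clr_header(data: bytes) -> bool:
    """True if data is a PE image whose data directory entry 14 (CLR header) is set, i.e. a .NET assembly."""
    if len(data) < 0x40 or data[:2] != b"MZ": return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0": return False
    opt = e_lfanew + 4 + 20                                  # optional header follows signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = opt + (96 if magic == 0x10B else 112) + 14 * 8   # PE32 vs PE32+ directory base, entry 14
    if len(data) < entry + 8: return False                   # truncated image: cannot be a valid assembly
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0

def find_source_assembly_pairs(root):
    """Return (assembly path, .cs path) pairs that share a directory under root."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        paths = [Path(dirpath) / f for f in filenames]
        sources = [p for p in paths if p.suffix.lower() == ".cs"]
        if not sources:
            continue                                          # no C# source here, nothing to pair
        for p in paths:
            if p not in sources and has_clr_header(p.read_bytes()):
                hits.extend((str(p), str(s)) for s in sources)
    return hits

def fake_dotnet_pe() -> bytes:
    """Constructed minimal PE32 image with a populated CLR header; not a real or runnable assembly."""
    img = bytearray(0x40 + 4 + 20 + 224)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                   # e_lfanew -> PE signature
    img[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 4 + 20
    struct.pack_into("<H", img, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<II", img, opt + 96 + 14 * 8, 0x2008, 0x48)  # non-zero CLR header RVA/size
    return bytes(img)

def demo_scan():
    """Write a constructed %AppData%-style drop (assembly + C# source) to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        drop = Path(tmp) / "AppData" / "Roaming"
        drop.mkdir(parents=True)
        (drop / "loader.exe").write_bytes(fake_dotnet_pe())   # constructed stand-in for the .NET dropper
        (drop / "payload.cs").write_text("// constructed stand-in for the obfuscated C# source\n")
        (drop / "notes.txt").write_text("plain text, not a PE\n")
        return find_source_assembly_pairs(tmp)
```

Pointing `find_source_assembly_pairs` at a real `%AppData%` tree turns this into a quick triage sweep; a hit is a lead for the in-depth file analysis the text calls for, not a verdict on its own.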
End users should avoid running any software installer delivered by email, whether as an attachment or via a link in the message. Instead, it is strongly advisable to download software directly from the legitimate vendor's website, reached by typing its URL into the browser's address bar.