The Loki Bot has been observed for years. As you may know, it is designed to steal credentials from software installed on a victim's machine, such as email clients, browsers, FTP clients, file management clients, and so on. FortiGuard Labs recently captured a PDF sample that is used to spread a new Loki variant. In this blog, we will analyze how this new variant works and what it steals.

The PDF sample only contains one page, shown above, which includes some social engineering content to entice users to download and run the malware. According to the sample content (Figure 2), an annotation object in the sample includes a URI action, and the malware is downloaded from that URI.

When this malware is executed for the very first time, it copies itself to "%AppData%\subfolder" and renames the copy "citrio.exe" (in my test environment). It then creates a VBS file that starts "citrio.exe" and adds the VBS file to the Startup folder of the system Start Menu, so it runs automatically whenever the system starts. After all these actions are complete, "citrio.exe" is started.

Figure 3. The VBS file in Startup with its code

How the new Loki variant works

All the APIs this malware calls are hidden: the code resolves each one at run time from a hash of the API name and a DLL number, restoring the address just before the call. This increases the difficulty for researchers analyzing it. For example, after sub_4031E5 is called with the hash C5FA88F1h and DLL number 0Ah, eax points to the API "CommandLineToArgvW".

The author of the malware has written a number of functions for stealing credentials from a victim's machine, and their pointers are stored in an array. Figure 5 shows part of this function pointer array.

As you may have noticed, I added a comment behind each function pointer to show which software it steals credentials from. The malware calls those functions one by one in a loop. Here is the list of most of the software whose credentials can be stolen:

Browsers: Mozilla Firefox, IceDragon, Safari, K-Meleon, Mozilla SeaMonkey, Mozilla Flock, NETGATE Black Hawk, Lunascape, Comodo Dragon, Opera Next, QtWeb, QupZilla, Internet Explorer, Opera, 8pecxstudios, Mozilla Pale Moon, Mozilla Waterfox.

FTP clients: FTPShell, NppFTP, oZone3D MyFTP, FTPBox, sherrod FTP, FTP Now, NetSarang xftp, EasyFTP, SftpNetDrive, AbleFTP, JaSFtp, Automize, Cyberduck, FTPInfo, LinasFTP, FileZilla, Staff-FTP, BlazeFtp, FTPGetter, WSFTP, GoFTP, Estsoft ALFTP, DeluxeFTP, Fastream NETFile, ExpanDrive, Steed, FlashFXP, NovaFTP, NetDrive, SmartFTP, UltraFXP, FreshFTP, BitKinex, Odin Secure FTP Expert, NCH Software Fling, NCH Software ClassicFTP, WinFtp Client, WinSCP, 32BitFtp, FTP Navigator.

File managers, sync tools and other clients: NexusFile, FullSync, FAR Manager, Syncovery, VanDyke SecureFX, Mikrotik Winbox.

SSH, VNC and terminal clients: SuperPutty, Bitvise BvSshClient, VNC, KiTTY.

Password managers: MSecure, KeePass, EnPass, RoboForm, 1Password.

Email clients: Mozilla Thunderbird, foxmail, Pocomail, IncrediMail, Gmail Notifier Pro, DeskSoft CheckMail, Softwarenetz Mailing, Opera Mail, Postbox email, Mozilla FossaMail, Internet Mail, MS Office Outlook, WinChips, yMail2, Trojita, TrulyMail.

Note-taking tools: To-Do DeskList, Stickies, NoteFly, Conceptworld Notezilla, Microsoft StickyNotes.

From the above analysis, it is clear that this new Loki variant is capable of stealing credentials from more than 100 different software tools (if installed).

Stealing Microsoft Outlook Credentials and Stickies Pictures

In this section, we are going to present how it steals the credentials of Microsoft Outlook and pictures from Stickies.
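Before going further, a small triage helper for the dropper stage described at the top of this post. It is an added example written for this page, not FortiGuard's code and not anything taken from the sample: it scans a PDF for annotation actions and reports every /S /URI target, which is how an analyst confirms where a lure document sends the user before touching the payload. The PDF bytes are constructed for the example and the URL in them is a placeholder. The second (Launch) annotation and the check that the clickable /Rect covers the whole /MediaBox go beyond the post, which only mentions a URI action; they are included because a whole-page link is the usual way such lures make any click fetch the file.

```python
"""Triage helper: pull risky annotation actions out of a PDF.

Added example for this post, not FortiGuard's code. Standard library only.
SAMPLE_PDF is constructed: a one-page document with a Link annotation whose
/A dictionary holds an /S /URI action (as the post describes) plus a second,
made-up Launch annotation. The placeholder URL is not the real download site.
"""
import re

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]
  /A << /S /URI /URI (http://example.invalid/fortiguard\\(test\\).exe) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 50 50]
  /A << /S /Launch /F (cmd.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
ACTION_RE = re.compile(rb"/S\s*/(URI|Launch|JavaScript)\b")
# Which dictionary key carries the target for each action type.
TARGET_KEY = {b"URI": rb"/URI", b"Launch": rb"/F", b"JavaScript": rb"/JS"}
ESCAPES = {0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09, 0x62: 0x08, 0x66: 0x0C}  # \n \r \t \b \f


def read_pdf_string(data: bytes, idx: int) -> str:
    """Decode the PDF string object starting at data[idx] ('(' or '<')."""
    if data[idx] == 0x3C:  # '<' hex string
        end = data.index(b">", idx)
        return bytes.fromhex(data[idx + 1:end].decode("ascii")).decode("latin-1")
    if data[idx] != 0x28:
        raise ValueError("not a PDF string")
    out, depth, i = bytearray(), 1, idx + 1
    while depth:
        c = data[i]
        if c == 0x5C:  # backslash: escape sequence
            i += 1
            nxt = data[i]
            if nxt in ESCAPES:
                out.append(ESCAPES[nxt])
            elif 0x30 <= nxt <= 0x37:  # \ddd octal
                j = i
                while j < i + 3 and 0x30 <= data[j] <= 0x37:
                    j += 1
                out.append(int(data[i:j], 8) & 0xFF)
                i = j - 1
            else:  # \( \) \\ and unknown escapes: take the next byte literally
                out.append(nxt)
        elif c == 0x28:  # nested '(' is legal when balanced
            depth += 1
            out.append(c)
        elif c == 0x29:
            depth -= 1
            if depth:
                out.append(c)
        else:
            out.append(c)
        i += 1
    return out.decode("latin-1")


def _numbers(body: bytes, key: bytes):
    m = re.search(key + rb"\s*\[([^\]]*)\]", body)
    return [float(x) for x in m.group(1).split()] if m else None


def find_actions(pdf: bytes):
    """Return one dict per action found in any object of the PDF."""
    media = _numbers(pdf, rb"/MediaBox")
    hits = []
    for m in OBJ_RE.finditer(pdf):
        objnum, body = int(m.group(1)), m.group(2)
        rect = _numbers(body, rb"/Rect")
        for a in ACTION_RE.finditer(body):
            kind = a.group(1)
            rest = body[a.end():]
            k = re.search(TARGET_KEY[kind] + rb"\s*(?=[(<])", rest)
            target = read_pdf_string(rest, k.end()) if k else ""
            # Added heuristic: a link whose rectangle equals the page box makes any click fire it.
            covers = bool(rect and media and len(rect) == len(media) == 4
                          and all(abs(r - p) <= 1 for r, p in zip(rect, media)))
            hits.append({"obj": objnum, "action": kind.decode(), "target": target,
                         "rect": rect, "covers_page": covers})
    return hits


if __name__ == "__main__":
    for h in find_actions(SAMPLE_PDF):
        flag = "  <-- whole page is clickable" if h["covers_page"] else ""
        print(f"obj {h['obj']}: /{h['action']} -> {h['target']!r}{flag}")
```

Run it on the real sample by replacing SAMPLE_PDF with the file's bytes; compressed object streams are not unpacked here, so a document with no visible /Annot objects should be inflated first (for example with a PDF parsing library) before trusting a negative result.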
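The persistence step described earlier (a copy under %AppData%\subfolder named citrio.exe, launched by a VBS file in the Startup folder) can be hunted offline without executing anything. The following added example, written for this page and not part of the post, decodes the WScript.Shell .Run argument of a Startup .vbs, including the common Chr(34) & "..." concatenation, expands %VAR% references and flags a target that lives in a user-writable profile directory. The sample script and the environment block are constructed stand-ins; the real launcher is only shown in the post's Figure 3 and is not reproduced here.

```python
"""Decode a Startup-folder VBS launcher and locate the binary it persists.

Added example for this post, not FortiGuard's code or the sample's script.
SAMPLE_VBS is a constructed stand-in written the way such launchers usually
are (a WScript.Shell .Run call whose path is built from Chr(34) and string
literals). SAMPLE_ENV is likewise made up.
"""
import re

SAMPLE_VBS = r'''Set oShell = CreateObject("WScript.Shell")
oShell.Run Chr(34) & "%AppData%\subfolder\citrio.exe" & Chr(34), 0, False
'''

SAMPLE_ENV = {
    "APPDATA": r"C:\Users\victim\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\victim\AppData\Local",
    "TEMP": r"C:\Users\victim\AppData\Local\Temp",
}

# Tokens of a VBS string expression: "literal" ("" is an escaped quote), Chr(n), &, blanks.
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|Chr\((\d+)\)|&|\s+', re.I)
# .Run / .Exec / .ShellExecute followed by the command-line argument up to the first comma.
RUN_RE = re.compile(r"\.(?:Run|Exec|ShellExecute)\s+(.+?)(?:,|$)", re.I | re.M)
ENV_RE = re.compile(r"%([^%]+)%")


def eval_vbs_string(expr: str) -> str:
    """Evaluate a VBS string expression made of literals, Chr(n) and '&'."""
    out, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported VBS at {expr[pos:pos + 20]!r}")
        if m.group(1) is not None:
            out.append(m.group(1).replace('""', '"'))
        elif m.group(2) is not None:
            out.append(chr(int(m.group(2))))
        pos = m.end()
    return "".join(out)


def first_token(cmdline: str) -> str:
    """The program part of a Windows command line (quoted, or up to the first blank)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split()[0]


def expand_env(path: str, env: dict) -> str:
    """Expand %VAR% using the supplied environment; unknown names are left as-is."""
    return ENV_RE.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def extract_run_targets(vbs: str, env: dict) -> list:
    """Programs launched by the script, with %VAR% expanded from `env`."""
    targets = []
    for m in RUN_RE.finditer(vbs):
        cmdline = eval_vbs_string(m.group(1))
        targets.append(expand_env(first_token(cmdline), env))
    return targets


def in_user_writable_dir(path: str, env: dict) -> bool:
    """True if the program lives under a profile directory a non-admin user can write to."""
    p = path.lower()
    roots = [env[k].lower() for k in ("APPDATA", "LOCALAPPDATA", "TEMP") if k in env]
    return any(p.startswith(r + "\\") for r in roots)


if __name__ == "__main__":
    for t in extract_run_targets(SAMPLE_VBS, SAMPLE_ENV):
        verdict = "suspicious" if in_user_writable_dir(t, SAMPLE_ENV) else "ok"
        print(f"{verdict}: Startup script launches {t}")
```

On a live host the same functions would be fed the contents of each .vbs under the user's and the common Startup folders, with os.environ as the environment; a launcher pointing at an executable under the profile, rather than under Program Files or the Windows directory, is the signal worth escalating.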
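To recover the hidden imports discussed under "How the new Loki variant works", an analyst normally reimplements the resolver's hash in a script and runs it over the export names of each candidate DLL. This added example, not Loki's code, shows that workflow. The post does not give Loki's hash algorithm or its DLL numbering, so the ROR-13 hash and the two-entry DLL table below are assumptions made for the example; with the real algorithm recovered from sub_4031E5 substituted, the same code turns the (C5FA88F1h, 0Ah) pair into CommandLineToArgvW. As written, that constant is reported unresolved, which is the expected result for a placeholder hash.

```python
"""Turn (hash, DLL number) pairs back into API names.

Added example for this post, not Loki's code. The hash algorithm (ROR-13) and
the DLL table are ASSUMED stand-ins; the post shows the resolver's inputs and
output but not how the hash is computed. Replace api_hash and DLL_TABLE with
what you recover from the sample and the rest of the workflow stays the same.
"""


def ror32(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & 0xFFFFFFFF


def api_hash(name: str) -> int:
    """ASSUMED algorithm: 32-bit ROR-13 accumulate over the ASCII name."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


# Hypothetical DLL-number table (number -> DLL, short excerpt of its exports).
DLL_TABLE = {
    0x01: ("kernel32.dll", ["LoadLibraryA", "GetProcAddress", "CreateFileW", "WriteFile"]),
    0x0A: ("shell32.dll", ["CommandLineToArgvW", "ShellExecuteW", "SHGetFolderPathW"]),
}


def build_lookup(table: dict) -> dict:
    """Map (dll_number, hash) -> export name; refuse tables with silent collisions."""
    lookup = {}
    for dll_no, (dll, exports) in table.items():
        for name in exports:
            key = (dll_no, api_hash(name))
            if lookup.get(key, name) != name:
                raise ValueError(f"hash collision in {dll}: {lookup[key]} vs {name}")
            lookup[key] = name
    return lookup


def resolve(lookup: dict, dll_no: int, h: int):
    """Name for a (hash, DLL number) pair, or None if no export hashes to it."""
    return lookup.get((dll_no, h))


def annotate_calls(call_sites: list, lookup: dict) -> list:
    """call_sites: (address, hash, dll_no) triples pulled from the disassembly."""
    return [(addr, resolve(lookup, dll_no, h) or f"UNRESOLVED_{h:08X}")
            for addr, h, dll_no in call_sites]


if __name__ == "__main__":
    lookup = build_lookup(DLL_TABLE)
    # Constructed call sites; the first two hashes come from api_hash, not from the sample.
    sites = [(0x401000, api_hash("CommandLineToArgvW"), 0x0A),
             (0x401020, api_hash("CreateFileW"), 0x01),
             (0x401040, 0xC5FA88F1, 0x0A)]  # the post's constant: unresolved under the assumed hash
    for addr, name in annotate_calls(sites, lookup):
        print(f"{addr:08X}: {name}")
```

The collision check in build_lookup matters in practice: a 32-bit hash over a full export table occasionally maps two names to one value, and a script that silently keeps the last one will mislabel a call site. Once the lookup is trusted, annotate_calls output can be pushed back into the disassembler as comments, which is what the comments beside the function pointers in Figure 5 amount to.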