What is Lokibot?
Lokibot (S0447) is an information-stealing Trojan designed for credential theft. It harvests sensitive financial and personal information from Windows and Android devices. Often spread via phishing, it uses a keylogger, clipboard monitoring, and other data-exfiltration features.
Lokibot's modular architecture, in which a core component is extended with plugins or modules, lets threat actors such as SilverTerrier keep updating its capabilities. This is why it is classified as a persistent threat.
How to Defend Against Lokibot?
Defending against Lokibot requires preventing its initial infection and detecting its data exfiltration.
- Be cautious with email attachments and downloads, which are the primary delivery vectors for this infostealer.
- Keep all operating systems and applications patched to limit the vulnerabilities that can be exploited for initial access.
- Leverage threat intelligence from platforms like Lumu Maltiverse to aggregate IoCs, analyze behavior, and improve incident response.
- Use continuous compromise assessment with integrated threat intelligence to spot and block the exfiltration of stolen data to C2 servers.
- Implement network segmentation to mitigate lateral movement in case of a breach.