CISA advisory examines LokiBot malware threat (Includes interview)

This threat is a cause for alarm because LokiBot is one of today's most dangerous and widespread malware strains. The malicious code has appeared as a threat to industry and government since July 2020.

The malware works by infecting computers and then activating built-in capabilities that are designed to search for locally installed apps. Exploiting these, the malicious code extracts credentials from their internal databases and hands the personal information to the groups who control the malware.

The malware is a form of information stealer that collects data from the most widely used web browsers, File Transfer Protocol (FTP) and email clients, and over a hundred other software tools installed on the infected machine. The code was developed somewhere in Eastern Europe.

In addition, LokiBot functions as a backdoor, allowing attackers to run other pieces of malware on infected hosts and potentially escalate their attacks.

Looking at the issue for Digital Journal is Mark Bagley, VP of Product at AttackIQ.

Bagley explains the seriousness of the issue: “Cyberattacks have been evolving and growing at an alarming rate in the recent past, sparing no industry from disruption. The increase of LokiBot malware incidents shines a light on why organizations should take a proactive approach to testing and validating their security controls.”

On the consequences of this and the deeper implications for businesses, Bagley says: “Understanding common adversary tactics, techniques, and procedures, as outlined by the MITRE ATT&CK framework, allows organizations to protect what matters most to them, their ability to operate.”

He concludes by saying: “Doing this on an automated, ongoing basis is crucial to informing an organization’s defenders about the state of the security program, as well as supporting the goal of continuous improvement.”