Machete Weapons

Lokibot
A malware report

Aarón Jornet Sales

2022
0
RexorVc0 vc0RExor
 Content
1. Executive Summary ............................................................................................. 2
2. Machete ................................................................................................................ 3
3. Entry Vector ......................................................................................................... 5
4. LokiBot ................................................................................................................. 9
4.1. LokiBot: Version 1 ...................................................................................... 11
4.2. LokiBot: Version 2 ...................................................................................... 16
4.3. LokiBot: Malware in depth ......................................................................... 21
5. IOC ...................................................................................................................... 32
6. MITRE ................................................................................................................. 35

1
 1. Executive Summary

This report contains the analysis of both Tactics, Techniques and Procedures
(TTP) and several Malware related to LokiBot, one of the weapons used by the
Machete group.

Machete is, broadly speaking, an actor dedicated to information theft and

espionage. To do so, it uses different tools, including LokiBot.
LokiBot is a Malware used in different ways, such as backdoor, credential theft or
crypto theft depending on version and who is using it, it also serves as a bridge for
execution of other malicious files. The use of this tool has also been seen by various
groups of different types such as Gorgon group.
Such Malware, is usually introduced through emails with attachments, which result
in a download, depending on versions, different executions have been seen, from
exploits of vulnerabilities, to different scripts that are intertwined with each other, the
ultimate goal, in most cases, is commonly installed in a process, the final objective, in
most cases, is usually to inject itself in a legitimate or self-initiated process to serve
as a backdoor, obtain as much information as possible from the machine and the
user and maintain communication with Command and Control (C&C) servers,
depending on the victim, this tool will be used to obtain as much data as possible or to
steal assets from the machine.
It has been one of the most used Malwares in 2022 and it is foreseen, that they will
continue to use it in the future, due to its great evasion capacity, besides having been
used in different operating systems, since it has been used to a great extent in
Android, as well as in Windows.

2
 2. Machete

Machete is a group that currently has no associated country, but it is believed that
its origin or part of it belongs to Spanish-speaking countries. This group began
operating in 2010 and this year has had a major impact in many countries, being
particular in this area, as it attacks a large number of them, with an emphasis on Latin
America, Spain and Russia.

Being their main targets defense departments, government entities and companies
dedicated to energy and telecommunications, they gain initial access using the
social engineering distribution method, with a great eagerness for Spear-Phishing
emails, although they have also been seen exploiting vulnerabilities, once they have
gained access, the phases vary depending on the malware they use, but the main
objective is to generate persistence, open connections outside creating a secure
channel and steal information from the victim that will exfiltrate through the previously
created channel.
The chief motivation of this group is information theft and espionage, which
includes tools to steal all kinds of sensitive information from infrastructures and users,
which will be used for strategic advantages.
The main tools they have used in their journey are mostly software developed in
Python, but they have used different languages apart from this, in short, the Malwares
used by Machete to perform backdoors, perform information theft and exfiltrate
information in their attacks are the following:

• Lokibot | Loki.RAT | Loki (Backdoor, Keylogger, Stealer): Malware used by

different groups and campaigns dedicated to launch or be launched by others in
order to obtain relevant information such as browsers data, FTP and SSH
credentials, as well as email data to send everything collected to a C&C.

• Machete (Backdoor, Stealer): Proprietary Malware usually used through SFX

or RAR which will contain different tools, usually written in Python, to generate
persistence on the computer, obtain information from the network and geolocate,
then send the information to a C&C.

• Pyark (Backdoor, Stealer, Exfiltration): Malware written in Python, usually

used to create a backdoor generating persistent tasks and gaining access to
cameras, microphones, FTP, browsers, clipboards, etc. To later exfiltrate the
information.

3
As we mentioned before, this group has been very active this 2022, being one of its tools
LokiBot, Malware used for several areas of its attack, since certain versions fit with what
this group is looking for, to obtain data from the victims for strategic purposes. This tool
has been created to steal sensitive data such as search engine data, credentials,
clipboards, etc. In addition to having great evasion techniques.
Outside the use of groups dedicated to cyberespionage, this tool has been used to steal
cryptoassets as well, so we can see how widely useful it is, as it can be used in different
ways depending on who is going to manage it, those dedicated to financing as some
groups or campaigns do could use other versions of LokiBot to extort or steal capital
from the victims.
At this year, we have seen different variants of use of this Lokibot, used by different
groups, being a very multifaceted tool for different areas, two or three versions have
always stood out above the large number of waves that have been received, therefore,
to try to group most of these we have made the study of the versions that have been
most distributed with the aim of obtaining the maximum information of the tool and what
are its TTP, to achieve mitigate the use of this type of Malware that is usually a trend of
use.

4
 3. Entry Vector

LokiBot is a tool that this year has been largely distributed by document
attachments, using the Spear-Phishing Attachment technique (T1566.001).

The way to reach the targets was to send fraudulent emails to get the victim from an
organization to download the attachment in order to execute the next step of the
attack.

At the multiple versions that have been found, have prevailed, attach a document
RTF (Rich Text Format) or DOC/XLS, as we would see in the previous image, its only
function is the download of these files to access the disk once saved on it.
As we mentioned before, we found different versions of documents such as the previous
case, an .xlsx file whose content would not be very relevant, since its only function would
be to exploit the vulnerability CVE-2017-11882 in which taking advantage of a bad use
of memory would launch malicious code using Microsoft Office Equation Editor known
as EQNEDT32. (T1203).

5
We would observe a launch of such a binary that would execute the embedded Malware.

This technique and documents have been analyzed several times before, but they would
be based on files with macros (T1137.001) or hidden functions that would execute the
code abusing the CVE or launch the file in a temporary folder.

At the RTF versions, we would find a document, once downloaded, whose content at
first glance would not give us much information. As we can see in the first image, it would
be a document of this type for the first bytes.

6
However, depending on versions of this type of files, we would find inside them the
use of the same exploit EQNEDT32.exe (CVE-2017-11882)

7
These RTFs would be based on containing objects that, after opening the document,
would launch, depending on the version, scripts or the previously mentioned exploit.

8
 4. LokiBot

Due to the large number of LokiBot variants, we will look at the performance of different
samples to get a better understanding of all its variants seen this year, in order to get the
maximum understanding of the TTPs and achieve better mitigation.
As we mentioned earlier, the large waves of LokiBot in campaigns and the use of this
tool also in groups, leaves behind a large number of versions of the same Malware,
which, in essence, have a similar operation between them. Grouping all the versions
together, we would obtain two that would represent the majority seen this year
2022.
The summary of both variants is as follows:
Version 1

• After downloading and executing the document, a download or execution of

malicious scripts will be performed
• Subsequently, if it were a variant in which the next step is downloaded, I would
perform this using a wget after a powershell or cmd by dumping it to a script
(Usually using the name Done.vbs, although other variants have been seen) but
It would directly execute a Wscript or Cscript.
• Later, we would see the execution of a new explorer.exe launching the script,
in the case of a download, and if not, the execution of Wscript or Cscript of a
script
• Afterwards, it would perform again a powershell execution to launch another
obfuscated script that would end up in the injection of code to a legitimate
software (using AppLaunch or InstallUtil among others).
• After this, we would have LokiBot inside a legitimate process where it would
start the tasks of this Malware

Version 2

• After downloading and executing the document, an EQNEDT32 operation will

be performed.
• Afterwards, files will be created in temporary folders (Temp | Public |
ProgramData) usually using the name vbc.exe, although other names have been
seen
• It will create other files in temporary folders, on which it will rely later and will
serve as auxiliary files
• From the created files, an injection will be performed in one of them after an
execution in a suspended state, in which it will obtain code from the auxiliary
files and will introduce it in the memory of this process

9
 • After this injection we will have LokiBot inside a malicious process created by
a loader.

Both variants have small variations, in which sometimes they rely on installers or
introduce some additional step or omit another, but the vast majority have a similar
thread of execution and their goal is usually to inject LokiBot in a process, whether
legitimate or not, to operate with a greater stealth.
A general summary of how the vast majority of infections by this Malware would work
is as follows:

10
 4.1. LokiBot: Version 1

At first version of this LokiBot, we will talk about a version that bases the entire thread
of execution on the use of scripts to reach its target, these files will be obfuscated in
different ways to hinder or prevent the analysis, at all times the obfuscated version and
the result of the obfuscation will be shown.
After executing the document as a Wscript.exe or Cscript.exe, a Powershell.exe is
launched (T1059.001) obfuscated that will look for a download to an IP or domain, in
this address are often used extensions .mp4, .png, .jpg, and so on. Which in any case
are not these formats, they are usually binary or other scripts.

Once downloaded it will invoke the execution of the downloaded file to launch a second
obfuscated script, depending on versions, it will invoke an explorer.exe (T1218) that
will launch a script (usually .vbs) left in temporary folders or, it will launch again another
powershell.exe directly to execute the contents of the script.

In both cases, we will see the execution of the second obfuscated script (T1027) with
huge size.

We are going to look at this second part more carefully as it performs several interesting
moves, first of all we see that initially it is going to re-invoke another file from another
IP or address.

11
But, we observe that it takes special interest in the variable mtIUbZgQec that will be the
one that will launch a binary inside this obfuscated code. We can see that the initial
variable, in spite of changing its name, is trying to introduce the second part of the
obfuscated script

This second part is a binary, after deobfuscation we get a file, which as we can see will
load it:

When extracting the binary, observing that we have found the typical header of a
Portable Executable (PE), we find a file written in .NET that pretends another
download to another address to perform a deobfuscation (T1140), this time, by through
of the binary

12
Keeping this address in focus for a few days, we observe that the attacker updates the
files, as they are constantly blocked by the companies

If we look at any of the files, it would be, in all cases, more obfuscated code, which would
be updated every few days by the attacker

Once the binary performs the download, we get another file with a fake .pdf extension
(T1036) that uses a symbol-based obfuscation, in the multiple versions found on the
server, leading to the same result with different obfuscations

13
After deobfuscation based on the binary, since it contains the operation of how to reverse
the obfuscation of the strings, we replicate them by taking advantage of the reversing
of the code.
Once again, we obtain another file, which repeatedly uses different techniques to hide
its code, in which we find the MZ header (PE):

This binary has been detected by a large number of engines for quite some time, so we
understand that what varies most in its modus operandi are the initial phases, these
being more repetitive compared to the final phases, which is quite common since the
complexity of modifying or creating another injector is always more complicated than that
of obfuscating strings or creating scripts.

This file is another .NET that will do the task of injecting code into another process
(T1055), usually AppLaunch.exe or InstallUtil.exe, although it can use any binary
related to .NET, once injected, we would have the LokiBot inside a legitimate process
of which neither the operating system nor a user would find an execution out of the
ordinary. The injection usually comes after a Process Hollowing (T1055.012), a
technique focused on removing bytes from a memory space to later reserve that space
to host the malicious code.

14
To do this, it will suspend the process that, we can see that the binary has the
capacity to unmapping for the subsequent reservation of space in memory and
writing in this to later relaunch the process.

Once injected into the legitimate process, LokiBot will, depending on the version of
the payload, obtain information about the computer, users, browsers, among
others.

15
 4.2. LokiBot: Version 2

At the second version of this LokiBot, we will talk about the Malware that will base the
whole execution thread on the use of different binaries to reach its target, these
files will be launched in different folders to favor evasion.
After executing the document, we will get an EQNEDT32 exploiting the CVE-2017-
11882 which will launch a binary in a temporary folder, in our case Public.

Our version contains a variant in which they have introduced an installer above the main
execution (T1036), the execution thread will be the same, as we said, there are many
variants, but the core is static.

We extract all the data from the file launched in the temporary folder and we obtain a
script of usual execution in Nullsoft, which, roughly speaking, indicates which are the
folders where it will save and execute the auxiliary files that will be used later.
(T1074.001)

16
For practical purposes, we would see how a file svgsnex.exe is executed, whose name
will be different in each version and after the common name used by this Malware,
vbc.exe, however, this is also susceptible to change, although it is quite common to find
it.

As we saw in the nullsoft script, it launches different files in a different temporary

folder %temp% that will serve later as auxiliary files, internally, they are data used for
subsequent injection

17
Analyzing the file, we find the main function, which shows us that it will be performing a
loop.

In this function we observe that it will manipulate, check files and reserve memory spaces

With these memory spaces, we see that it will later buffer data that will be introduced
during execution in the memory of a process or a thread, as we said, it will be a loop
so it will be rescuing information from its own memory and auxiliary files for subsequent
steps

18
This functionality is given in order to, with the data contained in this second executable,
together with the files launched in temporary folders, for practical purposes, re-launch
the same executable svgsnex.exe with additional content. This technique is normally
done by leaving the process in a suspended state and injecting the LokiBot code
(T1055.012).

During the process, we will also see that for security reasons it duplicates itself in a
different temporary folder Roaming in hidden mode (T1564.001) performing an
evasion of defenses

As mentioned above, it is based on different evasion techniques and tries not to be

recognized by using different names and locations (T1074.001)

19
What this Malware will achieve is, instead of taking advantage of a binary of the system
or legitimate that it can use, as in the first version, to use the same executable to inject
itself (since it will relaunch itself) code of the LokiBot, in this way, we will see that the
actions of backdoor and stealer, will be performed by itself after the injection.

20
 4.3. LokiBot: Malware in depth

Once we have LokiBot injected into a process, legitimate or not, this Malware will
perform different functions depending on who the victim is, the planned targets and the
Malware versions being used.
An outline of the main functions it usually performs is as follows:

As we have seen in the previous versions, one thing is clear, LokiBot is injected into a
process, this event makes it more difficult to analyze the final payload, which would
be where the Malware definitely operates from.
We observed in a sample the injection performed to the process and we observed that
the process of version 2, would indeed be injected and with the protection of the
Windows page in EXECUTE_READWRITE

21
We obtain this payload and compare this version to the initial file without injecting
and we observe clear differences, they are not the same file, which means that from
the initial version to the final version that we have extracted from memory has
undergone a change at RunTime, the injection.

22
We can see that this process would perform additional functions, such as obtaining
information from browsers or opening connections.

Once the sample has been put under analysis, we find both statically and dynamically
the above mentioned functionalities.

23
We observe that during the first steps of the payload it will load libraries, which
indicates that it will avoid showing its next steps, it will perform this function by calling
at RunTime of these DLLs and loading them with LoadLibrary, a usual process that is
performed together with GetProcAddress.

Subsequently, we would see a high use of cryptography for the creation of different
strings
DB5B8ECA8020E493ED7E2985
5B8ECA8020E493ED7E2985
8ECA8020E493ED7E2985

24
Once obtained we will see that it will perform a Mutex with one of them (T1027.005),
this is usual, to verify that indeed a sample of LokiBot has not been executed, in this way
we would rule out reinfection

After these previous steps, we would enter the functionalities that would cover the most
characteristic information of LokiBot, its Stealer tasks.

25
We observe that it is going to make a call to a routine where it will perform different
fetches in a loop

In this, we will observe that it will go over one by one all the elements it wants to check,
meanwhile, it will save the information in memory so that those softwares it finds and
collects the information it needs

Some of these would be browsers (T1217), among which we can observe a great
number of them

26
At events section, we can see in a more visual way the big list it checks during a normal
execution

In addition, it will get software information from different FTP (T1555) or backups
related

27
It occurs the theft of sessions and user information in FTP, PuTTY and similar,
locating both files with such information and making requests to the registry keys
(T1552.002)

28
Once all this information has been obtained (T1592), the Malware will have stored data
about the computer and users covering the following fields:
• Mails
• Browsers
• FTP
• Backups
• Password Managers
• SSH credentials

Subsequently, it would perform the network tasks, among which we see how it moves a
common and widely used string in Yaras for LokiBot detection:
DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW

After this, we would see the construction of the UserAgent also characteristic of this
Malware is Mozilla Charon Inferno

And the domain, which always follows a similar pattern, ending in .php. This domain
(T1071.001) is the one used for Command & Control (C&C).
http://<domain|IP>/path/<RandName>.php

29
We can see this pattern reflected in different samples:

Once it has all the information collected from the user, the computer, the UserAgent and
the address, it will create the connection to exfiltrate this data (T1041)

And, again, as we mentioned in Version 2, we would see again, the duplication of itself
in hidden (T1564.001), using the Roaming folder

30
Having ensured the creation of the connection, the data, and so on. We could already
see how the file would try to finish the request, this test was launched in a controlled
environment to avoid external requests.

After this last phase, the attacker would receive all the information stolen from the
computer and the user and, as we have mentioned throughout the document, depending
on the actor or campaign that is using this Malware, may use this data for tactical
advantages (espionage) as in the case of Machete or to extort their victims for profit or
to steal assets.
LokiBot, as we have already seen, has been in 2022 a fundamental weapon for several
groups, both this Malware as others dedicated to perform backdoors and / or information
theft are highly used in the field of espionage as they have a large evasion base that
allows it to persist in systems and remain hidden while obtaining sensitive information
from victims, so we can expect that the rest of this year as 2023 will continue to be used
by groups such as Machete.

31
 5. IOC

Hash:
1F0E6055BBA4D84CB255855E066F9EA721B7F3D2796670C8F54E0EE1700F6933
553543DC1A26A5C1F039A4723E7A130B94DC298DA8EFA1CB44A17526CE2C9C92
76F44EA3C148283602E4DBD717F22AC95828B7E8E7677428F759C03CAB0C8D49
66F27C057AE2E572446D6B26E0437711957AD7F9C19CD166D2274989A5506960
ACEDFAA9192AAE535A590B220D79D297199CF8DCE92E0FAC397128705EC40A89
5C7013C09A317ADE68A598ED801015FF48A85D9ADD902FA96C99AB0044A633F3
28FDE7574200CFFF7F2568DC6E8C735AF3CDE21309DAA5752367C7A1400F4622
F2AF472BCFF04B8724A7F34CE821366781D6E4D187EFD63EE2F22606F1FA21BA
2D7121BE69E95A2ACC1014789A1C3C9C7FC00993331D02EB0AB0D54EE8D3B289
5542FCE355F11EF173246F448AF15E949604A3D93C07B61E186F9D433623E8A5
9379205D31D2DC52230C2A39571A363856B53A609D5F79BEA0E2F3F4ADE473C4
5282D85213C0913E46E1FCA68EF35408ED568A4CC371CD637ECBEB79863756CE
99F53E1AC0B679E18C434063300C506C88EA9702A7E77C342CF10B03341E7641
1A3BBF6F2ABFA4DC657A51EEDF5FA2D6CEF29C9461520990DEB36B97614EB2CF
702A898F99FDCF56D29F5A9D4C54794C09880F7B000488A1F9F4C2259E520BEE
C4C6068B86FCDF0F5EBE83A9D114BC16F2F5FD9BAA4D056036954BDF06061004
1B26EF115B65A06537BDAE7476FC08B8724760140FC683CBC3669EA3DEB5581F
E9587192EAFDC1E8DF9BCF41188482001FEC2ABDF220724E3421F7CCB210F1AA
4C7CE63CD966E72E5D94F6DC8B0F82CEC35B88B1A8D24305C52A7106CDAD5AD9
FA507820DCCC5E1445A137CE231BB77EEA9827B5946013CE28122495184DEF0D
A85674AE37EE05418C755E06EA117AE6538EF6CEAC2D1F17E1C1CB98BDC52A46
72C685CB7B3CB302CE7DE467CB0E5068423315BC2A6E5F85FA82EAB05BAE7071
1FA317B9977F8CE780C1BB39567347D233F87646997F55FD6DE16C306FBD44E1
D7A88D2806270F681EE98030DE00C8BED6D96826D2A7BA927669482096BE25FB
93A317A5F290DB61EFB5033014E0933A944781482826D4972D0CED23779C8580
0561EF4A843C01976285CFB6C8AAB634B17957C4C7662E3C40D02D18FF4C1F0B
1568DAE901BB13790A6B59C3BC16940B9C4312927D48B47116780CE9B562DAFF
3A1E7F67F7C9EFF58B0F0B8ED15150D21BB9869CCEC4C8EAA6C090782EF0059D
0A83A0739E56D54DCF9195C0E196D35327A982DA47205C42E62051BBA8D21A1E
D1D4DE00EEC1F8A48173B341EEB3530BA4F12538D1A112CDCD94EA63A8954D6E
253064A458B2827F7104559B04534BE6BA0156EF2094FD20FA09545FE05F9564
8587AA68C6D1E91713A9121A286B66844E045DAD68EA789AE08803D3FDFACCF5
18E48935D6983040DEDDCF33658A53E4B02799C03E45CB6D8AAE3FCB356009E0
F11EE6222BC510E8CCB2B73C44180915C013EC2AF37BFA34825D8A82DF48A7D9

Domain:
boatshowradio[.]com
shopget24[.]com
parkingcrew[.]net
ww1[.]rederatural[.]com
ww1[.]amznamzn[.]com
ww1[.]tsx[.]org
ww1[.]generalsearches[.]com
ww1[.]usabank[.]com
ww1[.]virustoal[.]com
ww1[.]survey-smiles[.]com
millsmiltinon[.]com
nilemixitupd[.]biz[.]pl
allprivatekeys[.]com
auth[.]trinityseal[.]me
celeb[.]gate[.]cc
ttconf[.]pw
qgis[.]org
blueeyeswebsite[.]com
vb[.]3dlat[.]com

32
freeadultvideos[.]cc
Fuckav[.]ru
Sempresim[.]su
Aboasu[.]xyz
msdvc[.]com
terrazzaitaliana[.]mx
bridgesfoundationrepair[.]com
www[.]alertsecurities[.]in
protechasia[.]com
alongsidecoach[.]com
farhaani[.]com
www[.]lieebherr[.]com
css[.]developmyredflag[.]top
qxq[.]ddns[.]net
babaseoa[.]com
leansupremegarcinia[.]net
celebration-studio[.]com
booking[.]msg[.]bluhotels[.]com
www[.]tenorshare[.]com
proxyfreaks[.]com
office-archive-index[.]com
vladisfoxlink[.]ru
officeupgrade[.]org
grab-indonesia[.]com
pool[.]ug

IP:
185.53.179.29
172.67.178.39
204.11.56.48
79.124.8.8
192.168.100.27
176.123.0.55
45.133.200.3
162.222.226.194
209.99.40.222
119.235.250.52
198.54.114.236
77.222.62.31
72.52.179.174
104.18.43.10
207.55.248.17
192.169.69.25
185.55.227.103
173.239.8.164
111.118.212.120
31.220.40.22
45.133.1.20
45.133.1.45
20.106.232.4
198.187.30.47
62.197.136.176
37.0.11.227
107.173.229.131
181.214.31.161
89.38.241.83
103.21.59.27
192.124.249.18
107.180.55.15
195.191.148.105
23.253.46.64
66.96.149.17
111.90.156.65
103.253.212.80

33
103.83.81.68
204.93.174.136
192.168.100.211

34
 6. MITRE

Tactics:
TA0001 Initial Access
TA0002 Execution
TA0003 Persistence
TA0005 Defense Evasion
TA0006 Credential Access
TA0007 Discovery
TA0009 Collection
TA0011 Exfiltration
TA0011 Command and Control

Techniques:
T1106 Native API
T1203 Exploitation for Client Execution
T1134 Access Token Manipulation
T1055 Process Injection
T1140 Deobfuscate/Decode Files or Information
T1027 Obfuscated Files or Information
T1003 OS Credential Dumping
T1134 Access Token Manipulation
T1218 System Binary Proxy Execution
T1497 Virtualization/Sandbox Evasion
T1036 Masquerading
T1082 System Information Discovery
T1012 Query Registry
T1518 Software Discovery
T1059 Command and Scripting Interpreter
T1087 Account Discovery
T1083 File and Directory Discovery
T1082 System Information Discovery
T1033 System Owner/User Discovery
T1560 Archive Collected Data
T1217 Browser Bookmark Discovery
T1185 Browser Session Hijacking
T1005 Data from Local System
T1592 Gather Victim Host Information
T1114 Email Collection
T1555 Credentials from Password Stores
T1105 Ingress Tool Transfer
T1095 Non-Application Layer Protocol
T1573 Encrypted Channel
T1071 Application Layer Protocol
T1041 Exfiltration Over C2 Channel

T1566.002 Phishing: Spearphishing Link

T1137.001 Office Application Startup: Office Template Macros
T1059.001 Command and Scripting Interpreter: PowerShell
T1074.001 Data Staged: Local Data Staging
T1027.005 Obfuscated Files or Information: Indicator Removal from Tools
T1552.001 Unsecured Credentials: Credentials in Files
T1552.002 Unsecured Credentials: Credentials in Registry
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
T1564.001 Hide Artifacts: Hidden Files and Directories

35
 Thanks for Reading! Happy Hunting :)

36