In late June 2017, Wapack Labs identified a malicious email targeting Ukrainian Financial Institutions (FI) to deliver a credential stealing malware called Loki Bot. This incident happened at the same time as the Petya/NotPetya Ransomware outbreak, which also targeted Ukrainian banking infrastructure. Possibly due to the confusion generated during the initial Petya/NotPetya outbreak, Loki Bot samples and C2s were reported as being Petya/NotPetya ransomware. Further confusion resulted when Anti-virus (AV) detections began identifying Loki Bot as Petya/NotPetya. Loki Bot is sold in underground Tor marketplaces and can steal passwords from browsers, File Transfer Protocol (FTP) applications, email accounts, and crypto-coin wallets. This report discusses the misattribution of Loki Bot, along with technical details of analyzed Loki Bot samples…Get the full report here.
Wapack Labs has cataloged and reported extensively on Loki Bot, and Loki RAT, in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
