Loki's Underground Evolution

Summary

Loki is a very popular bot/stealer malware that has been for sale in the underground since 2015. In 2017, two hackers from the Russian hacking forum fuckav.ru cracked Loki and released a cracked builder. Once the cracked builder was released, new unofficial versions of Loki were found for sale in novice English-speaking forums for less than the price of the original version.


This report provides details on the following Loki variants:

  • Loki 1.6 & 2.0 by Carter
  • Loki 1.7 (1.6 Cracked) by Abbat-v & Hdsckr for FuckAv.ru
  • Loki 2.1 (Incomplete) by Carter

Background

Figure 1: Earliest Loki sales thread found in the underground 03/05/2015

From 2015 to 2017, a malware developer with the online alias Lokistov, aka "Carter," created the LokiBot malware. Carter's Loki was one of the most popular bots at only $300.00 for the basic stealer setup. For an additional $200.00 a user could purchase a loader module, and $150.00 bought a wallet stealer (cryptocurrency) module, with an optional $20.00 fee for a coin inspector. In 2017, two hackers from the community FuckAv.ru created a cracked Loki builder based on Carter's Loki 1.6. A few unauthorized resellers then used this builder to create their own custom "Loki 1.8" without Carter's approval. Loki 1.8 was sold in novice forums. Carter then released Loki 2.0 with minor improvements in an attempt to regain control of the market. This attempt received zero public interest (the new 2.0 version is shown below):

Carter sold Loki 2.0’s source code to Morfiusss for $3,000.00, likely to make up for a lack of sales.  Morfiusss then leaked the source code in July 2018, stating they paid Carter $3,000.00 for it.

Figure 2: Morfiusss bought Loki source for $3k and posted for free July 24, 2018

In November 2018, Carter posted a Loki 2.1 version. In January 2019, a user complained that they had bought Loki 2.1 and it did not work. Carter attempted to comment on this complaint through one of his alternate accounts, Tarzan. Carter was pretending to be a buyer, but was instead exposed and subsequently banned.[1] Carter is also banned on several other forums because the new Loki bot was unable to communicate with its panel.

Loki Timeline:

  • Loki 1.6 & 2.0 by Carter (2015 – 2017)
  • Loki 1.8 Cracked by Abbat-v & Hdsckr for FuckAv.ru (2017)
  • Loki 2.0 source code leak by Morfiusss (2018)
  • Loki 2.1, Carter's broken Loki (2018)

Conclusion

Loki is a prolific example of a malware family's evolution through its rise to popularity, being cracked, and then being sold in novice underground forums. Loki started with Lokistov/Carter, but was cracked and released to smaller unauthorized novice resellers. This actually increased Loki's popularity. Because of the high number of Loki builders, Wapack Labs analysts believe Loki will remain popular until a better free or cracked bot/loader is released. One popular alternative to Loki is Smoke Loader. This is due to Smoke Loader's cryptocurrency miner feature. Loki's loader could be used to install a miner, but that would require an attacker to also have a good miner payload. The Snort and Yara rules provided in this report allow users to detect Loki in their network traffic and in executed payloads.

[1] See Meta Data Appendix

Indicators:


Appendix A – Yara Rules

rule LokiBot3DESKey
{
    meta:
        description = "Lokibot 3DES key and URLS"
        author = "d00rt"
        date = "2018-05-28"
    strings:
        $h1 = { 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 6A ?? 59 BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? F3 A5 6A ?? }
        $h2 = { A1 ?? ?? ?? ?? 8B CF 85 C0 6A 00 0F 45 C8 68 ?? ?? ?? ?? 6B C1 64 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 03 C1 50 E8 ?? ?? ?? ?? 59 50 A1 ?? ?? ?? ?? }
    condition:
        all of them
}

rule LokiBotPatch
{
    meta:
        description = "Lokibot Patch"
        author = "d00rt"
        date = "2018-05-28"
    strings:
        $h1 = { 55 8B EC 56 57 33 F6 56 56 68 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 8B ?? ?? 57 FF ?? ?? 56 6A ?? 56 FF ?? ?? FF D0 E9 ?? ?? ?? ?? 90 5F 8B C6 5E 5D C3 }
        $h2 = { 50 FF ?? ?? 89 ?? ?? FF ?? ?? FF ?? ?? FF ?? ?? E8 ?? ?? ?? ?? 83 ?? ?? 85 ?? 74 ?? 8D ?? ?? 50 56 FF ?? ?? E8 ?? ?? ?? ?? 83 C4 0C 85 C0 74 20 90 90 90 39 ?? ?? 74 ?? 50 56 E8 ?? ?? ?? ?? 56 8B ?? E8 ?? ?? ?? ?? 83 ?? ?? EB ?? }
    condition:
        all of them
}

rule FuckAV_loki
{
    meta:
        description = "Lokibot FuckAv.ru Builder"
        author = "jburke@wapacklabs.com"
        date = "2019-03-27"
    strings:
        $str1 = "aPLib v1.01"
        $str2 = "Fuckav.ru"
        $str3 = "ibsensoftware.com"
    condition:
        all of them
}
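The rules above use two string kinds, plain text strings and hex strings with `??` single-byte wildcards, combined under an `all of them` condition. The following Python is an added example, not part of the original report or the rule authors' tooling: it reproduces those semantics without yara-python so the Appendix A strings can be exercised against a buffer. The sample buffers are constructed for illustration and are not real Loki samples.

```python
"""Added example: minimal emulation of the YARA string and 'all of them'
semantics used by the Appendix A rules, runnable without yara-python.
Sample buffers are constructed for illustration; they are not Loki samples."""
import re

def hex_pattern_to_regex(hex_pattern: str) -> re.Pattern:
    """Translate a YARA hex string like '{ 55 8B EC ?? 53 }' into a bytes
    regex. Each '??' token is a single-byte wildcard; other tokens are literal."""
    parts = []
    for tok in hex_pattern.strip().strip("{}").split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def text_pattern_to_regex(text: str) -> re.Pattern:
    """A YARA text string matches as a literal ASCII byte sequence."""
    return re.compile(re.escape(text.encode("ascii")))

def scan(rule_strings: dict, data: bytes) -> dict:
    """Return {identifier: [match offsets]} for every string in a rule."""
    hits = {}
    for ident, pattern in rule_strings.items():
        rx = (hex_pattern_to_regex(pattern) if pattern.startswith("{")
              else text_pattern_to_regex(pattern))
        hits[ident] = [m.start() for m in rx.finditer(data)]
    return hits

def all_of_them(hits: dict) -> bool:
    """YARA 'all of them': every declared string matched at least once."""
    return all(hits.values())

# Strings copied from rule FuckAV_loki in Appendix A.
FUCKAV_LOKI = {"$str1": "aPLib v1.01", "$str2": "Fuckav.ru",
               "$str3": "ibsensoftware.com"}
# Hex string $h1 copied from rule LokiBot3DESKey in Appendix A.
LOKIBOT_3DES_H1 = ("{ 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 6A ?? 59 BE "
                   "?? ?? ?? ?? 8D ?? ?? ?? ?? ?? F3 A5 6A ?? }")

# Constructed buffer: the three text markers followed by 30 synthetic bytes
# shaped like $h1 (wildcard positions filled with arbitrary values).
SAMPLE_HIT = (b"\x00aPLib v1.01\x00 Fuckav.ru \x00ibsensoftware.com\x00"
              + bytes.fromhex("558BEC81EC10020000535657"
                              "6A0C59BE001040008D85F0FDFFFFF3A56A00"))
# Constructed buffer with only one marker: must not satisfy 'all of them'.
SAMPLE_MISS = b"aPLib v1.01 present, nothing else"

if __name__ == "__main__":
    print("FuckAV_loki on SAMPLE_HIT :", all_of_them(scan(FUCKAV_LOKI, SAMPLE_HIT)))
    print("FuckAV_loki on SAMPLE_MISS:", all_of_them(scan(FUCKAV_LOKI, SAMPLE_MISS)))
    print("$h1 offsets in SAMPLE_HIT :", scan({"$h1": LOKIBOT_3DES_H1}, SAMPLE_HIT)["$h1"])
```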

Appendix B – Snort Rules

EmergingThreats SID(s):

[1] https://doc.emergingthreats.net/bin/view/Main/2021641

[2] https://doc.emergingthreats.net/bin/view/Main/2024312

[3] https://doc.emergingthreats.net/bin/view/Main/2024313

[4] https://doc.emergingthreats.net/bin/view/Main/2024317

[5] https://doc.emergingthreats.net/bin/view/Main/2024318

Appendix C – Meta Data

Carter / Tarzan / Pavlov:

Figure 3: User creates a dispute thread against lokistov aka Carter which results in his and Tarzan's ban

Figure 4: A user doxes Carter/Lokistov and has all his alternate accounts banned

ICQ: 687034343

Email: madload@ymail.com

Jabber(s): carter@exploit.im ; carterloki@xmpp.jp ; carter@jabster.pl ; looneytunes@xmpp.jp ; tarzan2@exploit.im ; tarzan@exploit.im ; madloads@jabbim.cz

Abbat-v & Hdsckr Fuckav.ru Loki patcher/builder:

Figure 5: Loki 1.6 cracked for fuckav.ru and distributed on fuckav.ru

Figure 6: Madness DDoS botnet cracked builder by abbat-v and hdsckr distributed on fuckav.ru by the admin

Jabber(s) / E-Mail(s): abbat-v@mail.ru

Figure 7: Goes by 3JIOU_KOTE on MPGH (Multiplayer Game Hacking forum)

Figure 8: Date of birth listed on a dating website’s leaked database indicating 23 years old

Figure 9: Is very active writing videogame hacks and bots
