Sunday, December 3, 2023

Beware: Dangerous Android Ransomware “LOKIBOT” Attacked Many Users & Earned $1.5 Million From Compromised Victims

The dangerous Android banking trojan “LOKIBOT” has been distributed around the world with a sophisticated ransomware feature, demanding between $70 and $100 from compromised victims.

Based on the BTC address used in its source code, this ransomware has already infected many victims and earned more than $1.5 million worldwide.

It uses a phishing overlay attack against many banking apps and other popular apps such as Skype, Outlook and WhatsApp, and its ransomware functionality is activated when victims disable the malware’s administrative rights or try to uninstall it.

This ransomware is also sold as a kit; a full license, updates included, costs $2000 in BTC.

How Does This Android Ransomware Work

LokiBot ransomware is designed to work on Android 4.0 and higher. It also has the capability to steal the victim’s contact information and the ability to read and send SMS messages.

It provides a special command to spam all of the compromised victim’s contacts in order to spread the malware variant.

According to SfyLabs, LokiBot also has some more unique features. For one, it has the ability to start the victim’s browser app and open a given web page. Additionally, it implements SOCKS5, can automatically reply to SMS messages and it can start a user’s banking application.

Later, LokiBot shows a notification that appears to come from another app, claiming that new funds have been transferred to the victim’s bank account, and it impersonates the original icon of that application.

The phone is made to vibrate right before the notification is shown so that the victim takes notice of it. When the notification is tapped, it triggers an overlay attack.

After this initial infection, the ransomware stage is triggered if the victim tries to remove LokiBot from the infected device by revoking its administrative rights.

At this final stage of infection, it searches for all files and directories in the primary shared or external storage directory (traditionally the SD card) and encrypts them using AES.

The key is generated randomly, using the default AES/ECB/PKCS5 padding transformation with a 128-bit key size, and the malware finally demands payment in Bitcoin to decrypt the files.
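The article notes that the files are encrypted with AES in ECB mode. ECB applies the block cipher to each 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks, and an analyst triaging encrypted artifacts can recognise ECB output by counting repeated ciphertext blocks. The following Go program is an added example, not code from the article or from the malware: it encrypts a constructed sample with AES-128 in ECB and in CBC mode using the Go standard library and runs the same repeated-block check over both outputs. The key, IV, sample record and all function names are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// pkcs5Pad pads data to a multiple of the AES block size (PKCS#5/#7 padding),
// matching the "AES/ECB/PKCS5Padding" transformation the article describes.
func pkcs5Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptECB encrypts block by block with no chaining, so identical plaintext
// blocks yield identical ciphertext blocks. It exists here only to produce
// sample data for the detector below.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs5Pad(plaintext)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out, nil
}

// encryptCBC is the chained-mode counterpart, for comparison.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs5Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// RepeatedBlocks counts 16-byte ciphertext blocks that have already been seen
// earlier in the same ciphertext. A count well above zero on a file of
// non-trivial size is a strong indicator of ECB mode; CBC, CTR or GCM output
// essentially never repeats a block.
func RepeatedBlocks(ciphertext []byte) int {
	seen := make(map[[aes.BlockSize]byte]int)
	repeats := 0
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		var b [aes.BlockSize]byte
		copy(b[:], ciphertext[i:i+aes.BlockSize])
		seen[b]++
		if seen[b] > 1 {
			repeats++
		}
	}
	return repeats
}

func main() {
	// Random 128-bit key, as the article describes; the IV is for CBC only.
	key := make([]byte, 16)
	iv := make([]byte, aes.BlockSize)
	rand.Read(key)
	rand.Read(iv)

	// Constructed sample "file": a repeating 16-byte record, typical of the
	// structured data (headers, tables, padding) whose shape ECB leaks.
	sample := bytes.Repeat([]byte("RECORD-0000-AAAA"), 8)

	ecb, _ := encryptECB(key, sample)
	cbc, _ := encryptCBC(key, iv, sample)
	fmt.Printf("ECB repeated blocks: %d\n", RepeatedBlocks(ecb))
	fmt.Printf("CBC repeated blocks: %d\n", RepeatedBlocks(cbc))
}
```

Run with `go run`; the ECB ciphertext reports 7 repeated blocks (eight identical record blocks plus one distinct padding block), while the CBC ciphertext reports none. On a real triage job the same `RepeatedBlocks` check would be run over recovered files, with a threshold relative to file size, to tell ECB-encrypted artifacts apart from properly chained ones.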

If the encryption part fails for some reason, the screen locker still works and locks the victim’s screen using the administrative permissions it gained from the user when the malware was first started.

A threat message is then shown on the screen: “Your phone is locked for viewing child pornography.” The payment amount varies between $70 and $100. The Bitcoin addresses of LokiBot are hardcoded in the APK and can’t be updated from the C2 server.

“Since early this summer we have seen at least 30 to 40 samples with bot counts varying between 100 and 2000 bots. We believe that the actors behind LokiBot are successful, based on their BTC traffic and regular bot updates,” SfyLabs said.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.