UPDATED 22:46 EDT / SEPTEMBER 22 2020

SECURITY

Government issues alert on spread of information stealing LokiBot malware

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency today issued an alert on the increased spread of LokiBot, a form of malware designed to steal confidential information.

LokiBot was discovered in 2016, but it’s the increased detection rate since July that has authorities concerned. Various forms of the malware, which is offered on the dark web and is available for both Android and Windows, have been spotted by CISA’s EINSTEIN automated intrusion detection system.

“Throughout this period, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected persistent malicious LokiBot activity,” CISA said in the advisory. “LokiBot uses a credential- and information-stealing malware, often sent as a malicious attachment and known for being simple, yet effective, making it an attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases.”

LokiBot variants typically include Trojan functionality designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets and other credentials, along with a keylogger that monitors browser and desktop activity. The malware can also open a backdoor that lets an attacker install additional payloads.

Once access is gained, those behind the LokiBot attacks typically use victims’ personal computers and Android devices to distribute the malware further via email, malicious websites, text messages and other private messages.

CISA is advising government agencies and departments along with private sector users to apply best practices to strengthen their security postures.

“The recent advisory on the LokiBot malware is another indication of how malware authors have turned their malicious activities into a scalable business model,” Saryu Nayyar, chief executive officer of security firm Gurucul Solutions Pvt Ltd., told SiliconANGLE. “The fact that LokiBot has been around for over four years and has gained in capability over time is a reflection of how much malicious actors have advanced the state of their art, leveraging the same development models we use in the commercial space.”

Mark Bagley, vice president of product at security optimization platform provider AttackIQ Inc., noted that the increase in LokiBot incidents shines a light on why organizations should take a proactive approach to testing and validating their security controls.

“Understanding common adversary tactics, techniques and procedures, as outlined by the MITRE ATT&CK framework, allows organizations to protect what matters most to them, their ability to operate,” Bagley said. “Doing this on an automated, ongoing basis is crucial to informing an organization’s defenders about the state of the security program, as well as supporting the goal of continuous improvement.”

Photo: Gage Skidmore/Flickr
