Exploited to Deliver a Cracked Version of the Loki Infostealer [source: trendmicro]
by CIRT Team
The Cobalt hacking group was one of the first to promptly and actively exploit CVE-2017-11882 (patched last November) in their cybercriminal campaigns. We uncovered several others following suit in early December, delivering a plethora of threats that included Pony/FAREIT, FormBook, ZBOT, and Ursnif. Another stood out to us: a recent campaign that used the same vulnerability to install a “cracked” version of the information-stealing Loki.
Sold in hacking forums as a password and cryptocurrency wallet stealer, Loki can harvest data from File Transfer Protocol (FTP) clients (e.g., FileZilla), web browsers such as Firefox, Chrome and Safari, and email clients such as Outlook and Thunderbird. It can also pilfer from IT administration tools like PuTTY, a terminal emulator, system console, and network file transfer application. Loki also serves as a malware loader and can record keystrokes.
The use of a pirated malware builder shows how there’s no honor among thieves. Perhaps it was the operators’ cost-saving tactic—a lifetime license for the cracked version, for instance, costs between $60 and $100 in hacking forums. The original service costs between $250 and $450. Buyers need to pay more if they need additional functionalities (like Bitcoin wallet theft) or other services like domain/IP address change.