The data harvesting malware Lokibot has again been upgraded by its creators, this time to impersonate a popular online game launcher in order to trick victims into mistakenly downloading the malware.
Trend Micro researchers say Lokibot now presents itself as an installer of the Epic Games store. The threat actors used Nullsoft Scriptable Install System (NSIS) installer authoring tool along with the Epic Games logo to create the scam file. Epic is the publisher of the immensely popular Fortnite game.
Once the victim downloads the fake installer two file are dropped on to the machine: a C# source code file and a .NET executable in the “%AppData% directory”. The last stage sees Lokibot downloaded and installed and it goes to work swiping the targeted data.
Prior to this latest advance Lokibot had been upgraded to usecampaign that exploits a remote code execution vulnerability to deliver the malware using the Windows Installer service and a variant with an improved persistence mechanism using steganography.
All these changes indicate to Trend Micro that the actors behind Lokibot have no intention of moving beyond this particular malware and that more changes and infections can be expected.