Security experts discovered that LokiBot, a trojan malware, has been impersonating a popular game launcher. As a result, cybercriminals are able to trick users into downloading the fake app and executing the malware on their systems.
According to Trend Micro researchers' analysis of a sample variant, LokiBot “employs a quirky, installation routine that involves dropping a compiled C# code file.”
Trend Micro added that the LokiBot variant uses a “compile after delivery” detection evasion technique.
In short, the infected file is disguised as the installer of the Epic Games store. The fake installer was built with NSIS (Nullsoft Scriptable Install System), a script-driven installer authoring tool.
As part of the cyber campaign, the NSIS Windows installer used the Epic Games logo in order to trick victims into thinking it was the real installer. As many gamers are aware, Epic Games is the company that develops the popular Fortnite game.
Once executed, the LokiBot malware installer drops a C# source code file and a .NET executable. The latter is installed in the “%AppData%” directory of the victim’s system.
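A detection sketch for the “compile after delivery” routine described above, added here as an example and not taken from the Trend Micro report. It assumes the on-host compile surfaces as a csc.exe process creation, uses Sysmon-style field names (Image, ParentImage, CommandLine), an assumed allow-list of build tools, and constructed sample events.

```python
import ntpath
import re

COMPILERS = {"csc.exe", "vbc.exe"}  # .NET Framework command-line compilers
# Assumed allow-list of parents that legitimately drive the compiler; tune per site.
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe"}
APPDATA = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

# Constructed process-creation events (not real telemetry, file names are made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files\MSBuild\MSBuild.exe",
     "CommandLine": r"csc.exe /out:app.exe C:\src\app\Program.cs"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\dropped_sample.exe",
     "CommandLine": r'csc.exe /noconfig @"C:\Users\alice\AppData\Local\Temp\x.cmdline"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\dropped_sample.exe",
     "CommandLine": r"notepad.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"csc.exe C:\src\tool.cs"},
]

def score_event(ev):
    """Return the reasons a process-creation event looks like compile-after-delivery."""
    if ntpath.basename(ev.get("Image", "")).lower() not in COMPILERS:
        return []  # only compiler launches are of interest
    reasons = []
    parent = ev.get("ParentImage", "")
    if APPDATA.search(parent):
        reasons.append("compiler launched by a binary under AppData")
    if ntpath.basename(parent).lower() not in EXPECTED_PARENTS:
        reasons.append("parent is not a known build tool")
    if APPDATA.search(ev.get("CommandLine", "")):
        reasons.append("command line references a path under AppData")
    return reasons

def hunt(events, min_reasons=2):
    """Keep events with at least min_reasons signals, so a developer running
    csc.exe by hand on a project directory does not alert on its own."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["ParentImage"], reasons))
    return hits
```
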
Early in 2018, Trend Micro also spotted attackers exploiting a previously patched Windows vulnerability (CVE-2017-11882) by abusing the Windows Installer service, msiexec.exe, to deliver LokiBot malware.
To learn more about the LokiBot threat and technical analysis, read the full Trend Micro report here.