LokiBot is a popular malware that keeps getting updated with new features and capabilities. The latest update brings in a major feature that allows it to become more undetectable and stealthy.

The new feature is the ability to hide the source code of the malware inside files. This technique of hiding codes in other file formats is known as steganography and it is not limited to just image files and can be done on a variety of other file formats. While steganography can be used for a lot of constructive purposes like hiding ownership identification data to prove custody, using it in malware can result in undesirable results.

According to the researchers at Trend Micro, it has been known that LokiBot malware was used in emails. The attachments in the email had the normal .doc format. But, it turns out the file was actually in Excel and .json format which led to VBS macro code execution that was embedded in the worksheet. Trend Micro has given a pictorial representation of the flow of the process which you can see below.

Lokibot-steganography

Upon further investigation on files flagged on VirusTotal, they were able to identify LokiBot’s source code on an image of popular Australian singer Sia.

As one of the most active information stealers in the wild today, LokiBot shows no signs of slowing down. The updates to its persistence and obfuscation mechanisms show that LokiBot is still being updated and will likely remain a threat to be dealt with in the near future.”, remarks Trend Micro.

LokiBot has the potential to steal information from your PC, behave like a keylogger to track all your keystrokes or even establish backdoors in your system. Since malware is getting more powerful every day, we hope anti-malware companies catch up on actively detecting and blocking them without causing much impact.