LokiLocker Ransom Code Execution
LokiLocker looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vulnerable DLL to execute our own code, control and terminate the malware pre-encryption. The exploit DLL will check if the current directory is “C:WindowsSystem32” and if not we grab our process ID and terminate. We do not need to rely on a hash signature or third-party product as the malware will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as there is nothing to kill the DLL that just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.
Post a reply
You must be logged in to post a comment.