Lokibot C2 Panel b5463607

Detects the Lokibot stealer C2 panel page.

Uses a combination of various unique characteristics of the page design to detect it.

References

https://tracker.viriback.com
https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-266a
https://urlscan.io/result/b5463607-2836-4966-a92d-bf73bf964593

IOK Rule (edit)

title: Lokibot C2 Panel b5463607
description: | 
  Detects the `Lokibot` stealer C2 panel page. 

  Uses a combination of various unique characteristics
  of the page design to detect it.

references: 
  - https://tracker.viriback.com
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-266a
  - https://urlscan.io/result/b5463607-2836-4966-a92d-bf73bf964593

detection: 

  inputFieldNames: 
    html|contains|all:  
      - 'iP'
      - 'iU'
    
  backgroundColor:
    html|contains: '#5466da'
    
  loginFormID:
    html|contains: 'login_'

  pageTitle: 
    html|contains: 'Auth' 

  condition: inputFieldNames and pageTitle and backgroundColor and loginFormID


tags: 
  - malware.lokibot
  - malware