Unholy trinity of AKBuilder, LokiBot and Betabot used in new malware campaigns

In recent weeks, SophosLabs has published papers outlining threats from AKBuilder and Betabot. Now, it appears the bad guys are combining the two in new attack campaigns.

SophosLabs principal researcher Gábor Szappanos said the lab has received and analyzed a handful of AKBuilder-generated documents in the past week. The documents initially drop a file that contains two payloads: one, the popular LokiBot credential stealer; the other, something that appears to be a version of Betabot. “We thought that Betabot was pretty much dead, with no activity in the past months – up until last week,” Szappanos said.

The malware and tools in question

Before looking at the new developments, a review of the malware is in order.

  • AKBuilder is an exploit kit that generates malicious Word documents, all in Rich Text. Once purchased, malicious actors use it to package malware samples into booby-trapped documents they can then spam out. SophosLabs has analyzed and defended customers against two versions – AK-1, which uses two exploits in the same document: CVE-2012-0158 and CVE-2014-1761, and AK-2, which uses a single exploit: CVE-2015-1641.
  • LokiBot is commonly found along with malware called Upatre. The Upatre component is typically delivered in bulk, via spam, and then used to install the banking Trojan on infected computers.
  • Betabot is a malware family used to hijack computers and force them to join botnets. It has been used to steal passwords and banking information, and has most recently been used in ransomware campaigns. Betabot has been around for a long time. Its code is easy to duplicate and attackers have turned to a cracked builder to produce it on the cheap.

The three converge

Szappanos shared his findings with Naked Security Wednesday morning. He said the malware is delivered in email messages like this:


And this:


The attachment of the messages are Rich Text Format documents generated by AKBuilder. These documents drop the additional malware components. Here’s some basic information about the documents:

First seen Dropper SHA1 Filename
20/02/2017 757dfe8e61f96d470da70235dc8c0e3dc9567339 po866377.doc
20/02/2017 eaf2f7bbc5fddd19f8414eccfc81bc1af6500311 UAE-INQUIRy.doc
23/02/2017 6aecb37db36c89829cfcbcc458383bbbd218a598 Quotation-Needed.doc
22/02/2017 79fa30f9031b6f0a6ab7d2606d76538657921a51 po866377.doc
22/02/2017 905d8f63f39a32ec3cfe26c821267c22cf32b828 Quotation required.doc
22/02/2017 c56b2ec03dcb1c58744592f73f0a6e103aa9cbed Order_Al Amani Automotech LLC.220217.doc
22/02/2017 cfd7cb2b88b26a48d6c033d5626689fc313d0cf4 United Energy Co.doc


The exploited documents drop two files, which are two different Trojans:

%USERHOME%\AppData\Roaming\win32.exe :LokiBot credential stealer

%USERHOME%\AppData\Local\Temp\nbot.exe :Betabot/Neurevt Trojan

Dyzap is executed automatically on startup by %STARTUP%\win32.vbs

The C&C addresses were used by LokiBot to send credentials to:






The malware submits stolen info to a php script on the server, the name of which is fre.php by default

The login of the C&C panel looks like this:


The builder of LokiBot (at least a cracked version) looks like this:


Defensive measures

Since Betabot has most recently been used to serve up ransomware, a reminder of our tips on that front should be useful:

To protect against AKBuilder activities, simply applying recent patches for Microsoft Office should be enough to disarm the attack.