The data
harvesting malware Lokibot has again been upgraded by its creators, this time
to impersonate a popular online game launcher in order to trick victims into
mistakenly downloading the malware.

Trend Micro researchers
say Lokibot now presents itself as an installer of the Epic Games store. The
threat actors used Nullsoft Scriptable Install System (NSIS) installer
authoring tool along with the Epic Games logo to create the scam file. Epic is
the publisher of the immensely popular Fortnite game.

Once the
victim downloads the fake installer two file are dropped on to the machine: a
C# source code file and a .NET executable in the “%AppData% directory”. The
last stage sees Lokibot downloaded and installed and it goes to work swiping the
targeted data.

Prior to
this latest advance Lokibot had been upgraded to usecampaign that exploits a
remote code execution vulnerability to deliver the malware using the Windows
Installer service and a variant with an improved persistence mechanism using

All these
changes indicate to Trend Micro that the actors behind Lokibot have no intention
of moving beyond this particular malware and that more changes and infections
can be expected.