Malware News Most LokiBot samples in the wild are "hijacked" versions of the original malware

silversurfer

It turns out that most samples of the LokiBot malware being distributed in the wild are modified versions of the original sample, a security researcher has learned.

Targeting users since 2015, LokiBot is a password and cryptocoin-wallet stealer that can harvest credentials from a variety of popular web browsers, FTP, poker and email clients, as well as IT administration tools such as PuTTY.

The original LokiBot malware was developed and sold by the online alias "lokistov," a.k.a. "Carter," on multiple underground hacking forums for up to $300, but later some other hackers on the dark web also started selling the same malware for a lesser price (as low as $80).

It was believed that the source code for LokiBot was leaked, which might have allowed others to compile their own versions of the stealer.

However, a researcher who goes by the alias "d00rt" on Twitter found that someone made little changes (patching) to the original LokiBot sample, without having access to its source code, which let other hackers define their own custom domains for receiving the stolen data.

[...] Most LokiBot samples in the wild are "hijacked" versions of the original malware
 
