Security Now
Security is top-of-mind, especially right here where Juniper experts share their insights on the latest security trends and breakthroughs
Latest Articles
Effective Microsegmentation in VMware NSX deployments with Juniper SDSN

Effective Microsegmentation in VMware NSX deployments with Juniper SDSN

Data centers using Juniper Networks vSRX Virtual Firewall and Junos Space Security Director with Policy Enforcer in combination with VMware’s NSX platform can microsegment intra-data center traffic to effectively defend applications and systems against threat propagation in both north-south and east-west traffic.


Juniper Employee
GDPR and the Information Lifecycle

GDPR and the Information Lifecycle







I’m keen to change the perception that GDPR (General Data Protection Regulation) will act as a drag on organizations. I also want to avoid others falling into the trap of thinking the only inducement for an organization to comply is to avoid a fine. But before I attempt this, I’m going to briefly stray into another passion of mine; cars – just to make a point.


Juniper Employee
Leverage the Entire Network for Lateral Threat Remediation

Leverage the Entire Network for Lateral Threat Remediation

Today’s dynamic business environment requires organizations to defend themselves against increasingly sophisticated cybersecurity attacks powered by advanced threat intelligence and enforcement capabilities. That demands a comprehensive security platform that ties together and coordinates various threat analytics platforms, as well as a simpler policy mechanism.  Most important, you must be able to leverage the entire network—not just the perimeter—as a threat detection and enforcement tool.


Juniper Employee
So many things, so little security

So many things, so little security

As the "Internet of Things (IoT)" phenomenon is catching on in a big way, I wanted to quickly capture the state of affairs of IoT in the context of security and how different Juniper technologies can help provide security to IoT infrastructure as well as protect other enterprise infrastructure from IoT devices


Juniper Employee
A look into LokiBot infostealer

A look into LokiBot infostealer


We recently detected a Lokibot sample that was delivered as an email attachment to one of our customers in the healthcare vertical. Below is the technical analysis of the sample.


LokiBot is an infostealer that is known to steal various kinds of data like ftp credentials, email clients passwords, passwords stored in the browser, etc. Lokibot is distributed in phishing emails and known to exfiltrate data using the POST method over http.


Indicators of Compromise

  • iso file :
    • Md5: 17c9e6f0df7557962d6bc90a891693d9
    • Sha1: 2ee42a051823b4e1bc0ed643c0b15843cce7c056
  • filename: Proforma Invoice pdf.exe

    • Md5: 66837f4f5ee989a119eb7dcd8c5425b3
    • Sha1: 76a5919be86a7035fa6766d01a26094c49a30078
  • Unpacked:
    • Md5: 9335ce514bbdd9d146f30970569be44f
    • Sha1: 06aacbc54f93afcf29e3ee7966e236d7d9b98e60
  • .hdb file found in appdata
  • Connects to URLs that end with fre.php

Technical Analysis

The file is packed with a VB-compiled packer which usually makes the reversing tougher.

Additionally,  this sample uses anti-debug techniques and runpe which makes it harder to reverse engineer.


The obfuscated code decrypts to a virtually allocated memory by pushing to stack and then popping and xoring the data:


Fig: Obfuscated code in the file


The obfuscated code is copied to memory using a sequence of push and pop created in reverse order.The content can be decrypted with the xor key  0x5BD09268.


Fig: Decryption loop



The malware then jumps to the decrypted code. First it checks for anti-debug techniques. If a debugger present it jumps to a code which throws an exception.


Fig:Checks BeingDebugged falg in PEB


Sandbox detection code:

The above code detects a sandbox by saving the CurCursorPos then sleeping for a second and then comparing the cursor position to its previously known location. If it is the same, the malware throws an exception.


Fig: sandbox Detection


Other anti-debug checks


Fig: Checks for NtGlobalFlag in PEB for debugger detection


When satisfied it is not being monitored, the malware uses process hollowing to inject a payload into its own newly created suspended process.


Unpacked sample:

After unpacking, we can identify a lot of strings in the malware. The malware strings look similar to the strings observed in LokiBot.


The malware checks for the presence for various configs, settings files for ftp, browsers, email clients with hopes it can steal their credentials.


 Fig:Reads config files of of various softwares in loop



Fig:config files of various softwares



Fig:List of FTP files



Fig: malware reads config files of Secure FTP Expert


A .hdb is created in appdata folder which indicates the presence of lokiBot . This file seems to be some kind of database used by the malware. This can be used as IOC for LokiBot.



LokiBot is known to compress this data before sending it to the CnC server.

The malware uses an http POST method to send the stolen data to the CnC server.


Fig: LokiBot sends data to CnC server



The sample connects to following URL and sends the stolen data:[.]php

These C&C URLs usually end with fre.php

Here are a few more URLs used for the same purpose, discovered by other security vendors



Both Juniper Sky ATP and Cyphort(now a Juniper company) on-prem solutions detect this threat as seen in the screenshots below:






Data - Valuable Asset or Business Risk?

Data - Valuable Asset or Business Risk?


Commerce is built on the concept of the value chain. The notion that you can take something of relatively little worth and, through various processes, increase its value is fundamental to a sustainable global economy. And, in the early part of the 21st century, it is “data” that gives rise to perhaps the most significant contemporary value chain of all.


Juniper Employee
Top Kudoed Authors
Latest Comments
networkingnow | 11-10-2017
Re: A look into LokiBot infostealer
networkingnow | 11-10-2017
Re: Managing Enterprise Security
networkingnow | 11-08-2017
Re: Introducing the Juniper Networks App for Splunk - Now Available in Splunkbase