Cybercriminals Exploit Microsoft Word Vulnerability to Spread LokiBot Malware
The Microsoft Word document exploits a known remote code execution flaw to be used as phishing bait to drop malware called LokiBot on compromised systems.
“LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015,” Fortinet FortiGuard Labs researcher Cara Lin said. “It primarily targets Windows systems and aims to collect sensitive information from infected machines.”
The cybersecurity firm, which saw the campaign in May 2023, said the attack leveraged CVE-2021-40444 and CVE-2022-30190 (aka Follina) to achieve code execution.
The Word file arming CVE-2021-40444 contains an external GoFile link embedded in an XML file that leads to the download of the HTML file, which exploits Follina to download the next stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot.
The injector also features an evasion technique to check for the presence of a debugger and determine if it is running in a virtualized environment.
An alternative chain found towards the end of May started with a Word document that incorporates VBA scripts that execute macros immediately after opening the document using the “Auto Open” and “Open Document” functions.
The macro script then acts as a conduit for delivering temporary payloads from remote servers, which also serve as injectors for loading LokiBot and connecting to the command-and-control (C2) server.
Protecting Against Insider Threats: SaaS Master Security Posture Management
Worried about insider threats? We are here to help you! Join this webinar to explore practical strategies and secrets to proactive security with SaaS Security Posture Management.
LokiBotdon’t get confused with an Android banking Trojan of the same name, comes with the ability to log keystrokes, capture screenshots, collect login credentials from web browsers, and siphon data from various cryptocurrency wallets.
“LokiBot is an old and widespread malware that was active for years,” said Lin. “Its functionality has matured over time, making it easy for cybercriminals to use it to steal sensitive data from victims. The attackers behind LokiBot are constantly updating their initial access method, allowing their malware campaigns to find more efficient ways to spread and infect systems.”
