Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware

July 17, 2023 | THN | Malware / Cyberthreat


A Microsoft Word document exploiting a known remote code execution flaw has been used as a phishing lure to drop the LokiBot malware on compromised systems.

“LokiBot, also known as Loki PWS, is a well-known information-stealing Trojan that has been around since 2015,” said Cara Lin, a researcher at Fortinet FortiGuard Labs. “It primarily targets Windows systems and aims to collect sensitive information from the infected machine.”

The cybersecurity firm that discovered the campaign in May 2023 said the attack leverages CVE-2021-40444 and CVE-2022-30190 (also known as Follina) to execute code.

The Word file weaponizing CVE-2021-40444 has an external GoFile link embedded within its XML that leads to the download of an HTML file. That HTML file in turn exploits Follina to download the next-stage payload, an injector module written in Visual Basic that decrypts and then launches LokiBot.

The injector also has an evasive technique that checks for the presence of a debugger and determines if it is running in a virtualized environment.


The alternate chain, discovered around the end of May, begins with a Word document that embeds a VBA script that runs a macro as soon as the document is opened using the “Auto_Open” and “Document_Open” functions.

The macro script then acts as a conduit to deliver an interim payload from a remote server and also as an injector that loads LokiBot and connects to a command and control (C2) server.
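Both delivery chains described above leave traces a defender can look for before the document is ever opened: the first embeds an external link in the document's XML, the second ships a VBA project. The following triage script is an added example, not code from the article or from Fortinet. It treats a .docx as the ZIP container it is, lists every relationship marked `TargetMode="External"` in the `.rels` parts, flags the ones that are not ordinary hyperlinks (an OLE object fetched from a URL, for instance), and flags the presence of `word/vbaProject.bin`. The `build_sample_docx` helper constructs minimal in-memory fixtures so the script runs offline; the URLs and part contents in those fixtures are made up for the demonstration.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Standard OOXML relationship types (these URIs are part of the Open XML spec).
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
OLEOBJECT_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
VBA_PART = "word/vbaProject.bin"  # present only in macro-enabled Word documents

REL_TAG_RE = re.compile(r"<Relationship\b[^>]*/?>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w:]+)="([^"]*)"')


@dataclass
class TriageResult:
    external_targets: list = field(default_factory=list)  # (rels part, rel type, target)
    has_vba_project: bool = False
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_docx_bytes(data: bytes) -> TriageResult:
    """Inspect an OOXML document for external relationships and an embedded VBA project."""
    result = TriageResult()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if VBA_PART in names:
            result.has_vba_project = True
            result.reasons.append("document carries a VBA project (macro-enabled)")
        for name in names:
            if not name.endswith(".rels"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for tag in REL_TAG_RE.findall(xml):
                attrs = dict(ATTR_RE.findall(tag))
                if attrs.get("TargetMode") != "External":
                    continue
                rel_type = attrs.get("Type", "")
                target = attrs.get("Target", "")
                result.external_targets.append((name, rel_type, target))
                # Ordinary hyperlinks are external relationships too, so only
                # non-hyperlink external targets (e.g. an OLE object loaded from
                # a URL) are treated as a reason to escalate.
                if rel_type != HYPERLINK_REL:
                    short = rel_type.rsplit("/", 1)[-1] or "unknown"
                    result.reasons.append(
                        f"non-hyperlink external relationship in {name}: {short} -> {target}"
                    )
    return result


def triage_docx_file(path: str) -> TriageResult:
    """Convenience wrapper for a document on disk."""
    with open(path, "rb") as fh:
        return triage_docx_bytes(fh.read())


def build_sample_docx(*, external_ole: bool, with_vba: bool) -> bytes:
    """Construct a minimal .docx in memory. This is a made-up fixture, not a real sample."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
        f'<Relationship Id="rId1" Type="{HYPERLINK_REL}" Target="https://example.com/" TargetMode="External"/>',
    ]
    if external_ole:
        # Placeholder URL: stands in for the external link the lure embeds.
        rels.append(
            f'<Relationship Id="rId2" Type="{OLEOBJECT_REL}" '
            'Target="https://placeholder.invalid/page.html" TargetMode="External"/>'
        )
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
        if with_vba:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 placeholder vba project")
    return buf.getvalue()


if __name__ == "__main__":
    cases = [
        ("clean", dict(external_ole=False, with_vba=False)),
        ("external-ole", dict(external_ole=True, with_vba=False)),
        ("macro", dict(external_ole=False, with_vba=True)),
    ]
    for label, kw in cases:
        r = triage_docx_bytes(build_sample_docx(**kw))
        print(f"{label:13s} {'SUSPICIOUS' if r.suspicious else 'clean':10s} {r.reasons}")
```

Run it as-is to see the three fixtures classified, or call `triage_docx_file("lure.docx")` on a quarantined file. A hit on either reason is a triage signal, not a verdict: legitimate documents can carry macros, and a parser that only reads `.rels` will not see links that are constructed at runtime by a macro, which is why the VBA project itself should still go to a sandbox or an olevba-style analysis.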


LokiBot should not be confused with the Android banking Trojan of the same name. It has the ability to record keystrokes, capture screenshots, collect login credentials from web browsers, siphon data from various cryptocurrency wallets, and much more.

“LokiBot is a long-standing and widespread malware,” said Lin. “Its functionality has matured over time, making it easy for cybercriminals to use to steal sensitive data from victims. Because we’re updating, malware campaigns can find more efficient ways to spread and infect systems.”
