Cybercriminals have been exploiting known vulnerabilities in Microsoft Word documents, delivered as phishing lures, to drop a dangerous malware called LokiBot onto compromised systems.
LokiBot, also known as Loki PWS, has been an established information-stealing Trojan since 2015, primarily targeting Windows systems to gather sensitive information from infected machines, according to Cara Lin, a researcher at Fortinet FortiGuard Labs.
The campaign, identified by the cybersecurity company in May 2023, capitalizes on the CVE-2021-40444 and CVE-2022-30190 (aka Follina) vulnerabilities to execute code.
In the weaponized Word document exploiting CVE-2021-40444, an embedded external GoFile link within an XML file leads to the download of an HTML file, which then utilizes Follina to retrieve a next-stage payload. This payload consists of an injector module written in Visual Basic that decrypts and launches LokiBot.
The injector module employs evasion techniques to check for the presence of debuggers and to determine if it’s running within a virtualized environment.
An alternative chain of attack discovered in late May involves a Word document with an embedded VBA script; its macro runs as soon as the document is opened, via the “Auto_Open” and “Document_Open” functions.
The macro script acts as a conduit to deliver an interim payload from a remote server, which functions as an injector to load LokiBot and establish a connection with a command-and-control (C2) server.
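Both chains described above leave static traces in the document package: an external relationship target (the CVE-2021-40444 variant) and a vbaProject.bin carrying an auto-run procedure name (the macro variant). The triage script below is an added example, not code from the article or from Fortinet; the archive it scans is constructed in-line, the example.invalid URL is a placeholder, and the macro-name match is a heuristic because real vbaProject.bin streams store compressed source.

```python
"""Triage a .docx for external relationship targets and auto-run VBA macros."""
import io
import re
import zipfile

# Relationship elements whose target lives outside the package.
EXTERNAL_REL = re.compile(r'<Relationship\b[^>]*\bTargetMode="External"[^>]*>', re.I)
TARGET_ATTR = re.compile(r'\bTarget="([^"]*)"', re.I)
# Remote schemes worth flagging; mhtml: is the form used by MSHTML-based lures.
REMOTE_SCHEME = re.compile(r"(?i)^(https?|mhtml):")
# Auto-executing macro entry points named in the article (plus the legacy alias).
AUTO_MACROS = (b"Auto_Open", b"Document_Open", b"AutoOpen")


def scan_docx(data: bytes) -> dict:
    """Return findings for one .docx given as raw bytes."""
    findings = {"external_targets": [], "has_vba": False, "auto_macros": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                xml = zf.read(name).decode("utf-8", "replace")
                for rel in EXTERNAL_REL.findall(xml):
                    m = TARGET_ATTR.search(rel)
                    if m and REMOTE_SCHEME.match(m.group(1)):
                        findings["external_targets"].append((name, m.group(1)))
            if name.lower().endswith("vbaproject.bin"):
                findings["has_vba"] = True
                blob = zf.read(name)  # heuristic: names often survive compression
                findings["auto_macros"] = [n.decode() for n in AUTO_MACROS if n in blob]
    findings["suspicious"] = bool(findings["external_targets"] or findings["auto_macros"])
    return findings


def build_sample(rels_xml: bytes, vba: bytes = None) -> bytes:
    """Constructed minimal docx-like archive for testing; not a real campaign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
        if vba is not None:
            zf.writestr("word/vbaProject.bin", vba)
    return buf.getvalue()


# Constructed relationship part: one remote OLE target, one benign local part.
SAMPLE_RELS = (b'<?xml version="1.0"?><Relationships xmlns="x">'
               b'<Relationship Id="rId1" Type="oleObject" '
               b'Target="http://example.invalid/payload.html" TargetMode="External"/>'
               b'<Relationship Id="rId2" Type="styles" Target="styles.xml"/>'
               b'</Relationships>')
```

Run `scan_docx(build_sample(SAMPLE_RELS, b"..Auto_Open.."))` to see both indicators flagged; a document with only local relationships and no vbaProject.bin reports nothing.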
LokiBot, distinct from an Android banking trojan with the same name, possesses capabilities such as keystroke logging, capturing screenshots, gathering login credentials from web browsers, and extracting data from various cryptocurrency wallets.
Lin emphasizes that LokiBot is a persistent and widespread malware that has evolved over the years, enabling cybercriminals to effortlessly exploit it for stealing sensitive data. The attackers behind LokiBot continually update their initial access methods, ensuring their malware campaign finds more efficient ways to propagate and infect systems.
The discovery of these tactics underscores the importance of robust security measures and user vigilance to protect against the growing threat landscape posed by malware and the exploitation of software vulnerabilities.