Cybercriminals are now exploiting known vulnerabilities in Microsoft Word as phishing lures to deliver the LokiBot malware onto compromised systems.
“LokiBot, also referred to as Loki PWS, is a notorious information-stealing Trojan, which has been on the radar since 2015,” says Cara Lin from Fortinet FortiGuard Labs. “Its primary targets are Windows systems with an intention to extract sensitive data from infected devices.”
![word document picture](https://www.infosysconsultants.com/wp-content/uploads/2023/07/word-document-icon-1024x469.webp)
The cybersecurity firm, which discovered the campaign in May 2023, reports that these attacks leverage the CVE-2021-40444 and CVE-2022-30190 (Follina) vulnerabilities to execute malicious code.
The manipulated Word file, which exploits CVE-2021-40444, includes an external GoFile link embedded within an XML file. The link triggers the download of an HTML file that exploits Follina, which in turn downloads the second-stage payload: an injector module written in Visual Basic that decrypts and launches LokiBot. The injector also has evasion mechanisms that detect debuggers and recognize virtualized environments.
Another infection chain, discovered later in May, begins with a Word document containing an embedded VBA script whose macro runs as soon as the document is opened, using the “Auto_Open” and “Document_Open” functions. The macro then fetches an intermediate payload from a remote server, which functions as an injector to load LokiBot and connect to a command-and-control (C2) server.
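For triage of the two delivery styles described above (an external link inside the document's XML, and an embedded VBA project), the following added example lists external non-hyperlink relationships and VBA parts in an OOXML file. It is not code from Fortinet's report or from this article; the sample document, its `example.invalid` URLs and the function names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer defusedxml.ElementTree

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Constructed sample: one ordinary hyperlink and one externally hosted object.
SAMPLE_RELS = f"""<Relationships xmlns="{REL_NS.strip('{}')}">
  <Relationship Id="rId1" Type="{REL_TYPE}hyperlink"
      Target="https://docs.example.invalid/help" TargetMode="External"/>
  <Relationship Id="rId2" Type="{REL_TYPE}oleObject"
      Target="https://files.example.invalid/placeholder.html" TargetMode="External"/>
</Relationships>"""

def triage_ooxml(data: bytes) -> dict:
    """Report external non-hyperlink relationships and VBA parts in an OOXML file."""
    findings = {"external": [], "vba_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                findings["vba_parts"].append(name)  # document carries macros
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                if kind != "hyperlink":  # clickable links are expected; loaded content is not
                    findings["external"].append((name, kind, rel.get("Target")))
    return findings

def build_sample(with_macro: bool) -> bytes:
    """Build a constructed, harmless OOXML container in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()

if __name__ == "__main__":
    for key, items in triage_ooxml(build_sample(with_macro=True)).items():
        print(key, items)
```

A hit is a reason to inspect the document in an isolated environment, not proof of malice: templates and linked objects also produce external relationships.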
LokiBot, not to be mistaken for a similarly named Android banking trojan, can log keystrokes, capture screenshots, collect login credentials from web browsers, and extract data from various cryptocurrency wallets.
“LokiBot has been a persistent and widespread malware for many years,” Lin mentioned. “Its functionalities have evolved over time, making it an easy tool for cybercriminals to steal sensitive data from victims. The cybercriminals operating LokiBot consistently innovate their initial access methods, enabling their malware campaign to discover more effective ways to disseminate and infect systems.”