Wednesday, September 27, 2023

Word vulnerabilities come to life in the hands of a revived LokiBot trojan


Hackers have found yet another use for complex vulnerabilities in a very simple attack.

Cybersecurity experts from FortiGuard Labs have uncovered a massive campaign distributing the LokiBot (Loki P.W.S.) malware. The threat is notable for exploiting two known vulnerabilities, including Follina.

The LokiBot Trojan has been in active use since 2015 and specializes in stealing confidential information from computers running Windows.

During the investigation, a large number of malicious Microsoft Office documents were found. The investigation began with an analysis of two different types of Word documents, each of which poses a serious threat to users.


The first document type contained an external link embedded in an XML file called “word/_rels/document.xml.rels”. This “document.xml.rels” file was found in a detected Word document exploiting the vulnerability CVE-2021-40444. It contained an external link that redirected the user to the GoFile cloud file-sharing service via the Cuttly link-shortening service.

Further analysis showed that accessing the link initiated the download of an HTML file that uses the second vulnerability, CVE-2022-30190 (Follina). This payload downloads an injector file marked with a malicious URL address.
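A defender-side check for the first document type described above, as an added example that is not from the FortiGuard Labs report or the original article: it opens a .docx as a ZIP archive and lists the external targets in “word/_rels/document.xml.rels”. The sample relationship file and its URLs are constructed, and treating every non-hyperlink external relationship as high risk is an assumption of this sketch.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
RELS_PATH = "word/_rels/document.xml.rels"
MAX_RELS_BYTES = 1_000_000  # refuse oversized parts instead of parsing them


def external_relationships(docx_bytes):
    """Return (kind, target, high_risk) for each external relationship."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return []
        if zf.getinfo(RELS_PATH).file_size > MAX_RELS_BYTES:
            raise ValueError("relationship part too large")
        data = zf.read(RELS_PATH)
    # Relationship parts never need a DTD; reject one rather than expand it.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD found in relationship part")
    findings = []
    for rel in ET.fromstring(data).iter(REL_NS + "Relationship"):
        if rel.get("TargetMode", "").lower() != "external":
            continue  # internal part of the package, e.g. styles.xml
        kind = rel.get("Type", "").rsplit("/", 1)[-1]
        # Assumption of this example: a plain hyperlink needs a click, while
        # other external parts (OLE object, template, frame) may be resolved
        # automatically when the document is opened.
        findings.append((kind, rel.get("Target", ""), kind != "hyperlink"))
    return findings


def build_sample(rels_xml):
    """Build a constructed, minimal ZIP holding only the relationship part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


# Constructed sample: one internal part, one hyperlink, one external OLE link.
SAMPLE_RELS = """<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="{0}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{0}hyperlink" Target="https://example.com/help" TargetMode="External"/>
  <Relationship Id="rId3" Type="{0}oleObject" Target="https://short.example.invalid/abc" TargetMode="External"/>
</Relationships>""".format(OFFICE_REL)

if __name__ == "__main__":
    for kind, target, high_risk in external_relationships(build_sample(SAMPLE_RELS)):
        print("HIGH" if high_risk else "info", kind, target)
```
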


The second document type used a VBA script that ran a malicious macro when the document was opened. This file was discovered at the end of May 2023. The script ran automatically when the document was opened and decrypted various arrays, saving them in a temporary folder called “DD.inf”.

In addition, another MSIL loader called “IMG_3360_103pdf.exe”, created on May 30, 2023, was discovered. Although this file was not directly involved in the attack, it also downloaded LokiBot and connected to the same command and control server (C2 server, C&C).



LokiBot infection chain

LokiBot is malware that continues to evolve and adapt, using new methods to infect computer systems more effectively. The Trojan uses a number of vulnerabilities and VBA macros, which makes LokiBot particularly dangerous in cyberspace.

LokiBot infects computers, then searches locally installed applications and extracts logins and passwords from their internal databases. By default, LokiBot can attack browsers, email clients, FTP applications, and cryptocurrency wallets.

To protect against such threats, users should be especially careful when working with Office documents or unknown files, especially those containing links to external websites. It is important to avoid clicking on suspicious links or opening attachments from untrustworthy sources. Keeping your software and operating systems up to date with the latest patches can also help reduce the risk of malware infection.



Source link

www.securitylab.ru
