In the realm of cybersecurity, cybercriminals have found a potent tool in their pursuit of illicit gains. By exploiting known vulnerabilities within Microsoft Word, they have launched a sophisticated attack campaign that deploys the infamous LokiBot malware. This security article sheds light on the tactics employed by these threat actors and the potential risks posed to Windows systems.
LokiBot: A Persistent Information Stealer
LokiBot, also known as Loki PWS, is a notorious information-stealing Trojan that has been active since 2015. This malware specifically targets Windows systems and has gained notoriety for its ability to extract sensitive data from compromised machines. As time has passed, LokiBot has evolved, and its capabilities have become more sophisticated, allowing cybercriminals to utilize it as a potent tool for data exfiltration.
Once LokiBot infects a system, it works silently in the background, covertly collecting valuable information from the victim's machine. This can include sensitive personal data, login credentials, financial information, and even data from cryptocurrency wallets. LokiBot is designed to operate stealthily, evading detection by security measures and remaining persistent on the compromised system.
The Exploitation Technique:
A recent campaign, detected in May 2023, leveraged two specific vulnerabilities: CVE-2021-40444 and CVE-2022-30190 (also known as Follina). In this technique, hackers sent fake emails or messages to trick people into downloading harmful files using Microsoft Word documents. The unsuspecting users were lured into opening these files, which caused their computers to be compromised.
The Attack Chain:
Variant 1: In the first variant of the attack, a Word document exploits CVE-2021-40444 by embedding an external GoFile link within an XML file. This link leads to the download of an HTML file, which, in turn, exploits Follina to initiate the download of an injector module. This injector, written in Visual Basic, decrypts and launches the LokiBot malware. To evade detection, the injector incorporates techniques to identify the presence of debuggers and virtualized environments.
Variant 2: A second variant, discovered later in May, employs a Word document containing a VBA script that instantly executes a macro upon opening. By utilizing functions such as "Auto_Open" and "Document_Open," the macro script acts as a conduit to deliver an interim payload from a remote server. This payload, functioning as an injector, loads LokiBot and establishes a connection with a command-and-control (C2) server.
LokiBot's Capabilities and Impact:
LokiBot is a highly capable malware that distinguishes itself from an Android banking trojan with a similar name. Its extensive range of capabilities includes keystroke logging, capturing screenshots, harvesting login credentials from web browsers, and extracting data from various cryptocurrency wallets. As a well-established and prevalent malware, LokiBot poses a significant risk to the security of sensitive information. Attackers continuously refine their initial access methods, enabling the malware to spread efficiently and infect systems, making it a persistent and dangerous threat.
Top 3 Safety Measures to Protect Against LokiBot:
The exploitation of Microsoft Word vulnerabilities to deploy the LokiBot malware signals a concerning development in the realm of cybersecurity. Windows users must remain vigilant as these attacks continue to evolve and become increasingly sophisticated. We emphasize the importance of staying informed and taking proactive measures to protect systems from this pervasive threat.
Armoryze: Your Shield Against Cyber Threats
At Armoryze, we are your trusted partner in fortifying your business against the ever-changing landscape of cyber threats. Our managed security services offer comprehensive solutions, including proactive threat monitoring, incident response, vulnerability assessments, and risk-based security planning. With our expert team and cutting-edge technologies, stay ahead of emerging threats like the LokiBot malware.
Schedule a FREE consultation with us today to assess your organization's vulnerability posture and create a tailored plan for enhanced security. Protect your critical data, ensure business continuity, and gain peace of mind with Armoryze as your cybersecurity shield. Partner with us and stay secure in the digital realm.