Cybercriminals exploit Microsoft Word vulnerabilities to deploy LokiBot malware


In a recent cyber threat discovery, Fortinet FortiGuard Labs has identified a series of attacks that exploit vulnerabilities in Microsoft Word documents. These attacks aim to deceive users through phishing tactics and subsequently deploy LokiBot malware onto compromised systems.

LokiBot, also known as Loki PWS, has been an active information-stealing Trojan since 2015, with a primary focus on Windows systems. Similar to the new malware attacking Windows WordPad, LokiBot malware is designed to extract sensitive data from infected machines, posing a significant risk to user privacy and security.

Fortinet's researchers observed the campaign in May 2023 and revealed that the attacks exploit two specific vulnerabilities, namely CVE-2021-40444 and CVE-2022-30190 (also referred to as Follina), to achieve code execution.

In the case of CVE-2021-40444, the weaponised Word document includes an embedded external GoFile link within an XML file. This link leads to the download of an HTML file that, in turn, exploits Follina to acquire a next-stage payload. The payload is an injector module written in Visual Basic, responsible for decrypting and launching LokiBot on the compromised system.

The injector module incorporates evasion techniques to detect debuggers and identify virtualised environments, enhancing its ability to persist and avoid detection. See what we offer and how secure your connection will become with our Expert VPN.

Another attack chain, discovered towards the end of May, involves a Word document with a VBA script. The script executes a macro immediately upon opening the document, utilising the "Auto_Open" and "Document_Open" functions. This macro script serves as a conduit to deliver an interim payload from a remote server. The payload acts as an injector, loading LokiBot onto the system and establishing a connection with a command-and-control (C2) server.

LokiBot, distinct from an Android banking trojan of the same name, possesses various capabilities to carry out its nefarious activities. These include logging keystrokes, capturing screenshots, extracting login credentials from web browsers, and siphoning data from various cryptocurrency wallets.

Cara Lin, a researcher at Fortinet FortiGuard Labs, emphasised that LokiBot is a long-standing and widespread malware that has evolved over time. Its functionality has matured, providing cybercriminals with an effective tool for stealing sensitive data. The attackers behind LokiBot continuously update their initial access methods, enabling the malware campaign to find more efficient ways to propagate and infect systems.

The discovery of this recent campaign highlights the importance of staying vigilant and keeping software up to date with the latest patches and security measures. Users are strongly advised to exercise caution when opening Word documents from untrusted sources, secure their network with a hide VPN, and implement robust security solutions to mitigate the risk of falling victim to such cyber threats.