Hackers exploit MS Word doc flaws to spread LokiBot malware

July 28, 2023

Researchers have recently identified a new LokiBot malware campaign that exploits two well-known critical vulnerabilities in MS Office documents. According to reports, the campaign was first observed in May, while researchers were investigating previously unseen Word documents.

Threat analysts noted that cybercriminal groups have long favoured Microsoft vulnerabilities, since a single malicious document can reach large numbers of users worldwide. Other threat groups are therefore constantly looking for new vulnerabilities to use in their own campaigns.

The LokiBot malware cybercriminal operation targets two MS Word document vulnerabilities. 

According to the investigation, the LokiBot operators leveraged two remote code execution flaws to embed malicious macros in MS documents. Researchers identified the exploited flaws as CVE-2021-40444 and CVE-2022-30190.

The attackers initially launched the campaign with Word documents targeting CVE-2021-40444. The document contained a `document.xml.rels` part that referenced an external MHTML link. The researchers also explained that execution of the file then proceeds through exploitation of the second flaw. The attackers later changed tactics, embedding a VBA script directly in the Word document instead.

The VBA script generates an INF file that loads a DLL, which in turn downloads a second-stage code injector from a URL. The injector applies various evasion techniques before running the LokiBot malware as the final stage.
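As an added detection-side example (not code from the original report), the scanner below opens a Word document's zip container and inspects every relationship part for external targets using the `mhtml:` scheme tied to CVE-2021-40444 or the `ms-msdt:` scheme tied to CVE-2022-30190; the sample documents, file names and URLs are constructed for the test.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# URL schemes that a normal Word relationship has no business pointing at.
SUSPICIOUS_SCHEMES = ("mhtml:", "ms-msdt:")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

def build_docx(rels_xml: str) -> bytes:
    """Build a minimal zip shaped like a .docx (constructed test data, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

def find_external_relationships(docx_bytes: bytes) -> list[dict]:
    """Return each relationship, in any *.rels part, whose external Target uses a suspicious scheme.
    A .rels part that fails to parse is reported too, since malformed XML is a common evasion."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                hits.append({"part": name, "id": None, "target": "<unparseable .rels part>"})
                continue
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "").strip()
                if rel.get("TargetMode") == "External" and target.lower().startswith(SUSPICIOUS_SCHEMES):
                    hits.append({"part": name, "id": rel.get("Id"), "target": target})
    return hits

# Constructed relationship parts: one mimicking the external MHTML reference, one benign hyperlink.
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
                Target="mhtml:http://placeholder.invalid/stage1.html" TargetMode="External"/>
</Relationships>"""
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
                Target="https://example.invalid/" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    print(find_external_relationships(build_docx(MALICIOUS_RELS)))  # one hit on word/_rels/document.xml.rels
    print(find_external_relationships(build_docx(BENIGN_RELS)))     # []
```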

Further analysis revealed that the new LokiBot version uses an MD5 hash in its command-and-control traffic; the same hash also serves as a mutex, ensuring that multiple instances of the malware do not run simultaneously.

Other researchers reported that this new version of the LokiBot information stealer first appeared in March.

This persistent and widespread malware strain has remained a staple payload in the cybercriminal landscape because its developers keep upgrading its propagation capabilities. In this new campaign, the infostealer has spread efficiently by exploiting old vulnerabilities.

Organisations should therefore keep MS Office fully patched and stay informed about threat actors' current strategies and techniques to prevent such attacks.
