New Attack Drops LokiBot Malware Via Malicious Macros in Word Docs

By Waqas, HackRead

The malware campaign, exploiting two known vulnerabilities including Follina, has been discovered by cybersecurity researchers at FortiGuard Labs.

In the course of an investigation, FortiGuard Labs recently uncovered a series of malicious Microsoft Office documents designed to take advantage of well-known vulnerabilities.

These documents exploit remote code execution vulnerabilities, namely CVE-2021-40444 and CVE-2022-30190 (Follina), to inject LokiBot (aka Loki PWS) malware onto victims’ systems.

LokiBot, a notorious Trojan active since 2015, specializes in stealing sensitive information from Windows machines, posing a significant threat to user data.

It all started when FortiGuard Labs obtained and analyzed two distinct types of Word documents, both posing severe threats to unsuspecting victims. The first type incorporated an external link embedded within an XML file named “word/_rels/document.xml.rels.”

Meanwhile, the second type employed a VBA script that executed a malicious macro upon opening the document. Interestingly, both files contained a visually similar bait image, shown in Figure 1, indicating a potential connection between the attacks.

The Word document leveraging CVE-2021-40444 contained a file named “document.xml.rels,” which hosted an external link employing MHTML (MIME Encapsulation of Aggregate HTML documents). This link employed Cuttly, a URL shortener and link management platform, to redirect users to a cloud file-sharing website called “GoFile.”

Further analysis revealed that accessing the link initiated the download of a file named “defrt.html,” exploiting the second vulnerability, CVE-2022-30190. Once the payload is executed, it triggers the download of an injector file labelled “oehrjd.exe” from the URL “http//pcwizardnet/yz/ftp/.”

The second document, discovered towards the end of May 2023, featured a VBA script embedded within the Word file. The script, utilizing the “Auto_Open” and “Document_Open” functions, automatically executed upon opening the document. It decoded various arrays, saving them into a temporary folder as a file named “DD.inf.”

Notably, the script created an “ema.tmp” file to store data, encoding it using the “ecodehex” function, and saving it as “des.jpg.” Subsequently, the script employed rundll32 to load a DLL file containing the “maintst” function. Throughout this process, all temporary, JPG, and INF files created were systematically deleted.

Regarding the VBA script’s INF file creation, the purpose was to load a DLL file named “des.jpg,” responsible for downloading an injector from the URL “https//vertebromedmd/temp/dhssdfexe” for use in later stages.
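The two delivery mechanisms described above (an external relationship in “word/_rels/document.xml.rels” and an embedded VBA project) can both be surfaced by a simple static triage pass over the OOXML package before the file is ever opened. The script below is an added example written for this article, not FortiGuard's tooling: it unzips a Word file in memory, lists every relationship marked TargetMode="External", flags targets that use the mhtml: scheme or that pull remote content through a non-hyperlink relationship such as oleObject, and reports whether a VBA project is present. The sample packages it builds are constructed test data with placeholder example.invalid targets; it assumes OOXML (.docx/.docm) input and does not handle legacy OLE2 .doc files.

```python
"""Static triage of Word OOXML packages for external relationships and VBA projects.
Added example (not FortiGuard's code). Assumes OOXML input; legacy .doc is out of scope."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_PATH = "word/_rels/document.xml.rels"   # relationship file named in the article
VBA_PATH = "word/vbaProject.bin"             # where OOXML stores a macro project
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "file://", "\\\\")


def external_relationships(docx_bytes):
    """Return (relationship_type, target) for every TargetMode="External" entry."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return found
        root = ET.fromstring(zf.read(RELS_PATH))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if rel.get("TargetMode", "Internal") == "External":
                # Type ends in e.g. .../relationships/hyperlink or .../oleObject
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((rel_type, rel.get("Target", "")))
    return found


def has_vba_project(docx_bytes):
    """True when the package carries a VBA project part."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return VBA_PATH in zf.namelist()


def triage(docx_bytes):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for rel_type, target in external_relationships(docx_bytes):
        lowered = target.lower()
        if lowered.startswith("mhtml:"):
            findings.append(f"{rel_type} relationship uses mhtml: scheme -> {target}")
        elif rel_type != "hyperlink" and lowered.startswith(REMOTE_SCHEMES):
            # A clickable hyperlink needs user action; oleObject, attachedTemplate
            # or frame relationships pointing off-package are fetched on open.
            findings.append(f"{rel_type} relationship loads remote content -> {target}")
    if has_vba_project(docx_bytes):
        findings.append("document carries a VBA project (word/vbaProject.bin)")
    return findings


def build_sample(rels_xml, with_vba=False):
    """Build a minimal OOXML package in memory (constructed test data, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("word/document.xml",
                    "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        zf.writestr(RELS_PATH, rels_xml)
        if with_vba:
            zf.writestr(VBA_PATH, b"placeholder VBA project bytes")  # constructed
    return buf.getvalue()


# Constructed relationship files; example.invalid is a placeholder host.
BENIGN_RELS = f"""<Relationships xmlns="{REL_NS}">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
  Target="https://example.invalid/about" TargetMode="External"/>
</Relationships>"""

LURE_RELS = f"""<Relationships xmlns="{REL_NS}">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
  Target="mhtml:http://example.invalid/placeholder.html" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for name, blob in (("benign", build_sample(BENIGN_RELS)),
                       ("rels-lure", build_sample(LURE_RELS)),
                       ("macro-doc", build_sample(BENIGN_RELS, with_vba=True))):
        print(name, triage(blob) or ["clean"])
```

Ordinary documents legitimately contain external hyperlink relationships, so the check keys on the relationship type and scheme rather than on the mere presence of an external target; a hit on an oleObject or mhtml: target is worth detonating the file in a sandbox, and a VBA project in a file that arrived unsolicited is worth a closer look with a macro extractor.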

The web page and the compromised folder used in the scam (left) – The actual screenshot from the malicious Word document (right) – Image credit: Fortinet Labs

It is worth noting that the download link deviates from the typical file-sharing cloud platform or the attacker’s command-and-control (C2) server. Instead, it leverages the website “vertebromed.md,” an active domain since 2018.

Additionally, within the same folder, FortiGuard Labs uncovered another MSIL loader named “IMG_3360_103pdf.exe,” created on May 30, 2023. Although not directly involved in the Word document attack chain, this file also loads LokiBot and connects to the same C2 IP.

For in-depth technical details on the return of LokiBot malware, see Fortinet’s blog post.

LokiBot, a persistent and widespread malware, has continued to evolve over the years, adapting its initial access methods to propagate and infect systems more efficiently. By exploiting a range of vulnerabilities and leveraging VBA macros, LokiBot remains a significant concern for cybersecurity. The utilization of a VB injector further enables evasion techniques that circumvent detection and analysis, intensifying the threat it poses to users.

To safeguard themselves from such threats, users are urged to exercise caution when dealing with Office documents or unknown files, particularly those containing links to external websites. Vigilance is crucial, and it is vital to avoid clicking on suspicious links or opening attachments from untrusted sources. Keeping software and operating systems up to date with the latest security patches can also help mitigate the risk of falling victim to malware exploitation.

As cybercriminals continue to refine their tactics, staying informed and adopting strong security measures is essential for individuals and organizations to protect sensitive data from the relentless onslaught of sophisticated attacks.

RELATED ARTICLES

  1. LokiBot and NanoCore malware distributed in ISO image files
  2. Drake’s kiki do you love me exploited to drop Lokibot malware
  3. TrickGate: Malicious Software Outwitting Antivirus for 6 Years
  4. New LokiBot malware variant dropped as Epic Games installer

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. I am also into gaming, reading and investigative journalism.

Related news

Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer

An advanced persistent threat (APT) group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida. Cybersecurity firm Trend Micro, which observed the activity in mid-May 2024, said the vulnerability, tracked as CVE-2024-38112, was used as part of a multi-stage attack

Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool

Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S. "MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems," Fortinet FortiGuard

Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware

Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems. "LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin said. "It primarily targets Windows systems and aims to gather sensitive information from

Asylum Ambuscade: A Cybercrime Group with Espionage Ambitions

The threat actor known as Asylum Ambuscade has been observed straddling cybercrime and cyber espionage operations since at least early 2020. "It is a crimeware group that targets bank customers and cryptocurrency traders in various regions, including North America and Europe," ESET said in an analysis published Thursday. "Asylum Ambuscade also does espionage against government entities in Europe

Hackers Using PowerPoint Mouseover Trick to Infect System with Malware

The Russian state-sponsored threat actor known as APT28 has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware. The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," cybersecurity firm Cluster25 said in a technical report. "The code execution runs a

Vulnerability Exploits, Not Phishing, Are the Top Cyberattack Vector for Initial Compromise

A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.

CVE-2022-32277: SpiderLabs Blog

Squiz Matrix CMS 6.20 is vulnerable to an Insecure Direct Object Reference caused by failure to correctly validate authorization when submitting a request to change a user's contact details.

Most Q2 Attacks Targeted Old Microsoft Vulnerabilities

The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.

Microsoft Patches ‘Dogwalk’ Zero-Day and 17 Critical Flaws

August Patch Tuesday tackles 121 CVEs, 17 critical bugs and one zero-day bug exploited in the wild.

You Need to Update Windows and Chrome Right Now

Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

Internet Explorer Now Retired but Still an Attacker Target

Though the once-popular browser is officially now history as far as Microsoft support goes, adversaries won't stop attacking it, security experts say.

Update now! Microsoft patches Follina, and many other security updates

Patch Tuesday for June 2022 brought a fix for Follina and many other security vulnerabilities. Time to figure out what needs to be prioritized.

Patch Tuesday: Microsoft Issues Fix for Actively Exploited 'Follina' Vulnerability

Microsoft officially released fixes to address an actively exploited Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates. Also addressed by the tech giant are 55 other flaws, three of which are rated Critical, 51 are rated Important, and one is rated Moderate in severity. Separately, five other shortcomings were resolved in the Microsoft Edge browser.

PHDays 11: towards the Independence Era

Hello everyone! In this episode, I want to talk about the Positive Hack Days 11 conference, which took place on May 18 and 19 in Moscow. As usual, I want to express my personal opinion about this event. Alternative video link (for Russia): https://vk.com/video-149273431_456239091 As I did last year, I want to start talking about this […]

Follina Exploited by State-Sponsored Hackers

A government-aligned attacker tried using a Microsoft vulnerability to attack U.S. and E.U. government targets.

Threat Advisory: Zero-day vulnerability in Microsoft diagnostic tool MSDT could lead to code execution

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft...

Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack

Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.

Microsoft Office MSDT Follina Proof Of Concept

Proof of concept for the remote code execution vulnerability in MSDT known as Follina.

CVE-2021-36338: DSA-2021-226: Dell EMC Unisphere for PowerMax, Dell EMC Unisphere for PowerMax vApp, Dell EMC Solutions Enabler vApp, Dell EMC Unisphere 360, Dell EMC VASA, and Dell EMC PowerMax EMB Mgmt Security Upd

Unisphere for PowerMax versions prior to 9.2.2.2 contains a privilege escalation vulnerability. An adjacent malicious user could potentially exploit this vulnerability to escalate their privileges and access functionalities they do not have access to. CVE-2022-31233 addresses the partial fix in CVE-2021-36338.

CVE-2021-40444

Microsoft MSHTML Remote Code Execution Vulnerability