Official forum for Utopia Community
Known remote code execution vulnerabilities in Microsoft Word documents are being used as phishing lures to install LokiBot malware on compromised systems.
LokiBot, also referred to as Loki PWS, has been a well-known information-stealing Trojan active since 2015, according to Cara Lin, a researcher with Fortinet FortiGuard Labs. It primarily targets Windows systems and seeks to collect private data from infected machines.
The code execution attacks, according to the cybersecurity firm that discovered the campaign in May 2023, take advantage of CVE-2021-40444 and CVE-2022-30190 (also known as Follina).
The Word document that exploits CVE-2021-40444 contains an external GoFile link embedded within an XML file that directs users to download an HTML file. This HTML file then uses Follina to download a next-stage payload, a Visual Basic injector module that decrypts and launches LokiBot.
Additionally, the injector includes evasion methods to check for debuggers and determine whether it is operating in a virtualized environment.
LokiBot Adware.
At the end of May, researchers discovered an alternative chain that begins with a Word document that contains a VBA script that launches a macro as soon as the document is opened using the "Auto_Open" and "Document_Open" functions.
The macro script then serves as a conduit to transfer a temporary payload from a remote server, which also serves as an injector to load LokiBot and establish a connection to a command-and-control (C2) server.
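Both chains above leave traits inside the .docx package itself: the CVE-2021-40444 lure carries a relationship whose target is an external URL, and the macro lure carries a VBA project. The scanner below, added here as an example and not Fortinet's or the forum author's code, checks an in-memory .docx for both traits; the sample document it builds is constructed, and the URL in it is a placeholder.

```python
"""Flag .docx packages with external relationship targets or an embedded VBA project."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def scan_docx(data: bytes) -> dict:
    """Return {'external_targets': [(part, type, target)], 'has_vba': bool}."""
    findings = {"external_targets": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Any vbaProject.bin part means the document carries macros.
            if name.lower().endswith("vbaproject.bin"):
                findings["has_vba"] = True
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                # TargetMode="External" plus an http(s) target is the trait to flag;
                # a relationship that points at a remote URL is unusual in a plain document.
                if rel.get("TargetMode") == "External" and \
                        target.lower().startswith(("http://", "https://")):
                    findings["external_targets"].append((name, rel.get("Type", ""), target))
    return findings

def build_sample_docx(target: str, with_vba: bool) -> bytes:
    """Constructed minimal .docx: one oleObject relationship to `target`, one local one."""
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}oleObject" '
            f'Target="{target}" TargetMode="External"/>'
            f'<Relationship Id="rId2" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # placeholder bytes
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx("http://example.invalid/lure.html", with_vba=True)
    print(scan_docx(sample))
```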
Not to be confused with an Android banking trojan of the same name, LokiBot is equipped with the ability to log keystrokes, take screenshots, collect login credentials from web browsers, and siphon data from various cryptocurrency wallets.
"LokiBot is a well-known malware that has been around for a very long time," according to Lin. "Over time, its functionalities have improved, making it simple for cybercriminals to use it to steal victims' sensitive data. In order to improve the efficiency of their malware campaign, the LokiBot attackers are constantly updating their initial access techniques."