LokiBot Malware Targets Windows Users in Office Document Attacks

Written by

Windows users have been targeted again by the sophisticated malware known as LokiBot, which is spreading through malicious Office documents. 

According to a new advisory by Fortinet security researcher Cara Lin, attackers are leveraging known vulnerabilities, such as CVE-2021-40444 and CVE-2022-30190, to embed malicious macros within Microsoft Office documents. 

Once executed, these macros drop the LokiBot malware onto victims’ systems, allowing the attackers to control and collect sensitive information.

LokiBot, a notorious Trojan active since 2015, specializes in stealing sensitive information from infected machines, primarily targeting Windows systems.

Read more on LokiBot infections: Lokibot, AgentTesla Grow in January 2023's Most Wanted Malware List

FortiGuard Labs conducted an in-depth analysis of the identified documents, exploring the payload they delivered and highlighting the behavioral patterns exhibited by LokiBot. 

The investigation revealed that the malicious documents employed various techniques, including the use of external links and VBA scripts, to initiate the attack chain. 

The LokiBot malware, once deployed, used evasion techniques to avoid detection and executed a series of malicious activities to gather sensitive data from compromised systems.

“It’s serious in three ways,” said John Gallagher, vice president of Viakoo Labs at Viakoo, referring to the new attack. “It’s new packaging for LokiBot and may not be detected easily, it is effective in covering its tracks and obfuscating its process, and it can lead to significant personal and business data being exfiltrated.”

To protect against this threat, users are advised to exercise caution when dealing with Office documents or unknown files, particularly those containing external links.

“Fortunately, Microsoft is on top of the problem from a resolution and workaround perspective, so it’s imperative that we remind everyone to keep their endpoint protection products current,” commented Andrew Barratt, vice president at Coalfire.

“This also shows the value of email filtering solutions that can actively scan an attachment before it lands in someone’s inbox.”

The Fortinet advisory comes days after Barracuda Networks published a report suggesting a relatively small group of scammers, numbering fewer than 100 individuals, is responsible for global email extortion.

What’s hot on Infosecurity Magazine?