Malware, Application security, Vulnerability Management

Malicious Microsoft Office docs drop LokiBot malware


It’s been a busy week for Microsoft. Lost in the crush of news about a Chinese APT attack and exploited zero-days fixed in Patch Tuesday, FortiGuard Labs observed several malicious Microsoft Office documents that, when opened, drop the LokiBot malware onto a victim’s system.

In a blog post July 12, FortiGuard Labs said the malicious Microsoft Office documents exploited known remote code execution vulnerabilities: CVE-2021-40444 (CVSS 7.8) and CVE-2022-30190 (CVSS 7.8). Patches have been available for both bugs for well over a year.

The researchers said LokiBot, also known as Loki PWS, has been a well-known information-stealing trojan active since 2015. LokiBot primarily targets Windows systems and aims to gather sensitive information from infected machines.

LokiBot exploits various vulnerabilities and employs Visual Basic for Applications (VBA) macros to launch attacks. It also leverages a Visual Basic injector to evade detection or analysis. Leveraging the injector, it can bypass certain security measures and pose a significant threat to users.

“Users should exercise caution when dealing with any Office documents or unknown files, especially those that contain links to external websites,” the researchers said. “It’s essential to be vigilant and avoid clicking on suspicious links or opening attachments from untrusted sources. Additionally, keeping the software and operating systems up-to-date with the latest security patches can help mitigate the risk of exploitation by malware.”
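The two traits the article keeps returning to, VBA macro projects and Office documents that reference external targets, are both visible inside the document package itself, since .docx/.xlsx/.pptx files are zip archives whose `.rels` parts declare every relationship. The triage script below is an added example written for this article; it is not FortiGuard Labs' or SC Media's code, and the sample packages it scans are constructed in memory (a placeholder scheme, no real payload) so it runs offline. It flags a `vbaProject.bin` part, any external relationship that is not an ordinary hyperlink (for example an external `oleObject`), and hyperlinks whose scheme is outside a small benign set; the benign-scheme list and the verdict logic are assumptions of this example, not FortiGuard's detection rules.

```python
"""Triage helper for Office Open XML files (.docx/.xlsx/.pptx).

Flags two traits the article associates with the LokiBot droppers:
VBA macro projects and relationships that point at external targets.
Added example, not FortiGuard Labs' or SC Media's code; the sample packages
below are constructed in memory and contain no real malicious content."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Assumption of this example: schemes a plain hyperlink is normally expected to
# use. Anything else on a hyperlink is flagged for a closer look.
BENIGN_LINK_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def scan_ooxml(data: bytes) -> dict:
    """Inspect an OOXML package and return findings plus a heuristic verdict."""
    findings = {"has_vba": False, "external_targets": [], "reasons": [], "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not an OOXML zip"
        return findings
    for name in zf.namelist():
        lower = name.lower()
        if lower.endswith("vbaproject.bin"):          # macro project is present
            findings["has_vba"] = True
            findings["reasons"].append(f"VBA project: {name}")
        if not lower.endswith(".rels"):
            continue
        try:
            root = ET.fromstring(zf.read(name))
        except ET.ParseError:                         # damaged rels part: worth a look too
            findings["reasons"].append(f"unparseable rels part: {name}")
            continue
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("TargetMode", "").lower() != "external":
                continue                              # internal parts are normal
            target = rel.get("Target", "")
            rtype = rel.get("Type", "").rsplit("/", 1)[-1]   # e.g. hyperlink, oleObject
            findings["external_targets"].append((name, rtype, target))
            m = SCHEME_RE.match(target)
            scheme = m.group(1).lower() if m else ""
            if rtype != "hyperlink":
                findings["reasons"].append(f"external {rtype} relationship -> {target}")
            elif scheme not in BENIGN_LINK_SCHEMES:
                findings["reasons"].append(f"hyperlink with unusual scheme -> {target}")
    findings["suspicious"] = bool(findings["reasons"])
    return findings


# Constructed fixtures (not real documents): a benign https hyperlink and an
# external OLE relationship with a made-up scheme and a reserved .invalid host.
HYPERLINK_REL = (f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" '
                 'Target="https://example.com/" TargetMode="External"/>')
OLE_REL = (f'<Relationship Id="rId3" Type="{OFFICE_REL}oleObject" '
           'Target="placeholder-scheme://example.invalid/part" TargetMode="External"/>')


def build_sample_docx(extra_rel_xml: str = "", with_vba: bool = False) -> bytes:
    """Build a minimal OOXML package in memory for testing the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(
            "word/_rels/document.xml.rels",
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
            + extra_rel_xml + "</Relationships>")
        if with_vba:                                  # placeholder bytes, not a real project
            zf.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("clean", build_sample_docx()),
               ("hyperlink", build_sample_docx(HYPERLINK_REL)),
               ("external ole", build_sample_docx(OLE_REL)),
               ("macro", build_sample_docx(with_vba=True))]
    for label, doc in samples:
        r = scan_ooxml(doc)
        print(f"{label:12} suspicious={r['suspicious']} reasons={r['reasons']}")
```

Running the script prints one verdict per constructed sample; only the external OLE relationship and the macro-bearing package come back suspicious, while the ordinary https hyperlink is recorded but not flagged. Pointed at a mail quarantine or a share of recently received attachments, the same function gives a quick first pass before a full analysis, which is what the initial hunt work mentioned later in the article amounts to.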

Andrew Barratt, vice president at Coalfire, said these are challenging known vulnerabilities that leverage the classic social engineering methods preying on end users — dropping an alluring attachment in the hopes that a misguided or under-protected end user will open it.

Barratt said that fortunately Microsoft has been on top of the problem from a resolution-and-workaround perspective, so it’s imperative that we remind security teams to keep their endpoint protection products current. 

“As with any remote code execution vulnerability, it’s very important to consider them the highest threat," said Barratt. "Teams that are concerned it may have slipped through should look through the indicators-of-compromise and do some initial hunt work to make sure they’ve not been impacted.”

John Gallagher, vice president of Viakoo Labs, said here’s another example of threat actors taking existing malware agents (LokiBot) and finding new ways to exploit them. Gallagher said it’s a serious threat, and it’s very recent — end of May was the timestamp on some of the files — and care was taken to hide and remove traces of its path of infection.

“It’s serious in three ways: it’s new packaging for LokiBot and may not be detected easily, it’s effective in covering its tracks and obfuscating its process, and it can lead to significant personal and business data being exfiltrated,” explained Gallagher.

“Apart from stopping the use of Microsoft Office, organizations should ensure that they take action to ensure patches and anti-virus signatures are up-to-date, and alert users to be aware and treat Office documents with more caution.”
