Threat Management, Malware, Vulnerability Management

Microsoft bug CVE-2017-11882 exploited to deliver Loki information stealer

Attackers continue to exploit a recently patched remote code execution vulnerability in the Microsoft Equation Editor component of Microsoft Office, this time using the bug to deliver a modified version of Loki information-stealing malware.

The vulnerability, CVE-2017-11882, is a memory corruption bug that was patched on Nov. 14, yet reportedly has already been leveraged in multiple in-the-wild attacks that deliver malware such as CobaltPOWRUNER, BONDUPDATED, Pony/FAREIT, FormBook, ZBOT, and Ursnif

According to a Thursday blog post from Trend Micro, the Loki campaign has so far targeted the U.S., France, Hong Kong, Croatia, India, Australia, South Korea, and Mauritius. Loki can harvest data from File Transfer Protocol (FTP) clients, web browsers, email clients, and IT administration tools such as PuTTY, and it also acts as a malware loader capable of capturing keystrokes.

In this case, the cracked version used in the campaign is more affordable to attackers than the standard version, costing only between $60 and a $100 in underground hacking forums, versus $250-$450. It appeared to have been created using a builder called “Loki stealer v 1.6 builder”, which the researchers say is connected to a Russian hacking forum.

Trend Micro further notes in its report that the Loki campaign uses compromised emails "to send spammed messages to the account's contact list. It's possible that they use Loki as a conduit for further attacks, given Loki's capability to steal email client credentials."

The spam emails appear to come from an Australian shipping company, and attempt to trick recipients into opening what looks to be an attached receipt that arrives as a Microsoft Office document, but is actually a dropper. Once victims enable an Object Linking and Embedding (OLE) object embedded in the documents, a malicious RTF document is loaded that exploits the Microsoft vulnerability and downloads an HTML Application dropper responsible for installing Loki as the final payload.

Further analysis of 124 unpacked samples of Loki that were found on VirusTotal revealed a number of command-and-control URLs – featuring domains like gamesarena[.]gdn, gamezones[.]info, and gamestoredownload[.]download – registered by a Nigeria-based threat actor.

Co-authored by researchers Rubio Wu, Anita Hsieh, and Marshall Chen, the blog post also cites a recent report from that details a spammer campaign distributing cracked Loki payloads via Server Message Block (SMB) protocol.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.