Attackers continue to exploit a recently patched remote code execution vulnerability in the Microsoft Equation Editor component of Microsoft Office, this time using the bug to deliver a modified version of Loki information-stealing malware.
The vulnerability, CVE-2017-11882, is a memory corruption bug that was patched on Nov. 14, yet reportedly has already been leveraged in multiple in-the-wild attacks that deliver malware such as Cobalt, POWRUNER, BONDUPDATED, Pony/FAREIT, FormBook, ZBOT, and Ursnif.
According to a Thursday blog post from Trend Micro, the Loki campaign has so far targeted the U.S., France, Hong Kong, Croatia, India, Australia, South Korea, and Mauritius. Loki can harvest data from File Transfer Protocol (FTP) clients, web browsers, email clients, and IT administration tools such as PuTTY, and it also acts as a malware loader capable of capturing keystrokes.
In this case, the cracked version used in the campaign is more affordable to attackers than the standard version, costing only between $60 and a $100 in underground hacking forums, versus $250-$450. It appeared to have been created using a builder called “Loki stealer v 1.6 builder”, which the researchers say is connected to a Russian hacking forum.
Trend Micro further notes in its report that the Loki campaign uses compromised emails "to send spammed messages to the account's contact list. It's possible that they use Loki as a conduit for further attacks, given Loki's capability to steal email client credentials."
The spam emails appear to come from an Australian shipping company, and attempt to trick recipients into opening what looks to be an attached receipt that arrives as a Microsoft Office document, but is actually a dropper. Once victims enable an Object Linking and Embedding (OLE) object embedded in the documents, a malicious RTF document is loaded that exploits the Microsoft vulnerability and downloads an HTML Application dropper responsible for installing Loki as the final payload.
Further analysis of 124 unpacked samples of Loki that were found on VirusTotal revealed a number of command-and-control URLs – featuring domains like gamesarena[.]gdn, gamezones[.]info, and gamestoredownload[.]download – registered by a Nigeria-based threat actor.
Co-authored by researchers Rubio Wu, Anita Hsieh, and Marshall Chen, the blog post also cites a recent report from Malware-Traffic-Analysis.net that details a spammer campaign distributing cracked Loki payloads via Server Message Block (SMB) protocol.