New Attack Drops LokiBot Malware Via Malicious Macros in Word Docs

LokiBot, a notorious Trojan active since 2015, specializes in stealing sensitive information from Windows machines, posing a significant threat to user data.
The malware campaign, exploiting two known vulnerabilities including Follina, has been discovered by cybersecurity researchers at FortiGuard Labs.

FortiGuard Labs recently uncovered a concerning discovery in their investigation, revealing a series of malicious Microsoft Office documents designed to take advantage of well-known vulnerabilities.

These documents exploit remote code execution vulnerabilities, namely CVE-2021-40444 and CVE-2022-30190 (Follina), to inject LokiBot (aka Loki PWS) malware onto victims’ systems.

LokiBot, a notorious Trojan active since 2015, specializes in stealing sensitive information from Windows machines, posing a significant threat to user data.

It all started when FortiGuard Labs obtained and analyzed two distinct types of Word documents, both posing severe threats to unsuspecting victims. The first type incorporated an external link embedded within an XML file named “word/_rels/document.xml.rels.”

Meanwhile, the second type employed a VBA script that executed a malicious macro upon opening the document. Interestingly, both files contained a visually similar bait image, shown in Figure 1, indicating a potential connection between the attacks.

The Word document leveraging CVE-2021-40444 contained a file named “document.xml.rels,” which hosted an external link employing MHTML (MIME Encapsulation of Aggregate HTML documents). This link employed Cuttly, a URL shortener and link management platform, to redirect users to a cloud file-sharing website called “GoFile.”

Further analysis revealed that accessing the link initiated the download of a file named “defrt.html,” exploiting the second vulnerability, CVE-2022-30190. Once the payload is executed, it triggers the download of an injector file labelled “oehrjd.exe” from the URL “http//pcwizardnet/yz/ftp/.”

The second document, discovered towards the end of May 2023 featured a VBA script embedded within the Word file. The script, utilizing the “Auto_Open” and “Document_Open” functions, automatically executed upon opening the document. It decoded various arrays, saving them as a temporary folder under the name “DD.inf.”

Notably, the script created an “ema.tmp” file to store data, encoding it using the “ecodehex” function, and saving it as “des.jpg.” Subsequently, the script employed rundll32 to load a DLL file containing the “maintst” function. Throughout this process, all temporary, JPG, and INF files created were systematically deleted.

Regarding the VBA script’s INF file creation, the purpose was to load a DLL file named “des.jpg,” responsible for downloading an injector from the URL “https//vertebromedmd/temp/dhssdfexe” for use in later stages.

The web page and the compromised folder used in the scam (left) – The actual screenshot from the malicious Word document (right) – Image credit: Fortinet Labs

It is worth noting that the download link deviates from the typical file-sharing cloud platform or the attacker’s command-and-control (C2) server. Instead, it leverages the website “,” an active domain since 2018.

Additionally, within the same folder, FortiGuard Labs uncovered another MSIL loader named “IMG_3360_103pdf.exe,” created on May 30, 2023. Although not directly involved in the Word document attack chain, this file also loads LokiBot and connects to the same C2 IP.

For in-depth technical details on the return of LokiBot malware visit Fortinet’s blog post here.

LokiBot, a persistent and widespread malware, has continued to evolve over the years, adapting its initial access methods to propagate and infect systems more efficiently. By exploiting a range of vulnerabilities and leveraging VBA macros, LokiBot remains a significant concern for cybersecurity. The utilization of a VB injector further enables evasion techniques that circumvent detection and analysis, intensifying the threat it poses to users.

To safeguard themselves from such threats, users are urged to exercise caution when dealing with Office documents or unknown files, particularly those containing links to external websites. Vigilance is crucial, and it is vital to avoid clicking on suspicious links or opening attachments from untrusted sources. Keeping software and operating systems up to date with the latest security patches can also help mitigate the risk of falling victim to malware exploitation.

As cybercriminals continue to refine their tactics, staying informed and adopting strong security measures is essential for individuals and organizations to protect sensitive data from the relentless onslaught of sophisticated attacks.

  1. LokiBot and NanoCore malware distributed in ISO image files
  2. Drake’s kiki do you love me exploited to drop Lokibot malware
  3. TrickGate: Malicious Software Outwitting Antivirus for 6 Years
  4. New LokiBot malware variant dropped as Epic Games installer
Related Posts