Evolving Malware Attacks: The LokiBot Trojan
Overview of LokiBot Campaign
LokiBot, an information-stealing Trojan active since 2015, targets Windows systems and harvests sensitive data from infected machines. The campaign described here abuses two known Office-related flaws, CVE-2021-40444 and CVE-2022-30190 (Follina), to gain code execution from a Word document and deliver the LokiBot payload. This report outlines the infection chains, the tactics used by the attackers, and the capabilities of LokiBot.
Vulnerabilities Exploited
The malware campaign exploits the following vulnerabilities to achieve code execution:
- CVE-2021-40444: A remote code execution flaw in the MSHTML rendering engine, reachable from Microsoft Office. A specially crafted Word document pulls in remote content through the engine, so opening the document is enough to run attacker-controlled code.
- CVE-2022-30190 (Follina): A code execution flaw in the Microsoft Support Diagnostic Tool (MSDT). A Word document loads a remote HTML file, and that HTML invokes the ms-msdt: protocol handler, which executes attacker-supplied commands and fetches the next-stage payload.
How the Malware is Distributed
The LokiBot malware is distributed via Microsoft Word documents that act as phishing lures. Two infection chains have been identified in the campaign:
CVE-2021-40444 Exploitation: The Word file's relationship XML contains an external GoFile link. When the document is opened, that link is used to fetch an HTML file, which in turn exploits CVE-2022-30190 (Follina). Successful exploitation downloads an injector module written in Visual Basic that decrypts LokiBot and launches it. The injector carries evasion checks that look for attached debuggers and for virtualized (sandbox) environments before it proceeds.
VBA Script Execution: In the alternative chain discovered in May, the Word document carries a VBA project whose macro runs as soon as the file is opened, using the "Auto_Open" and "Document_Open" entry points. The macro retrieves an interim payload from a remote server; that payload acts as an injector that loads LokiBot and establishes a connection to the command-and-control (C2) server.
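Both chains leave a footprint inside the .docx container itself, which is a zip archive: the first relies on an external relationship in `word/_rels/document.xml.rels` that points at an http(s) URL, and the second ships a `word/vbaProject.bin` with auto-run procedure names. The triage script below, added here as an example and not taken from the report or from any vendor tooling, opens a document in memory and reports both indicators, plus a helper that looks for the ms-msdt: scheme in a retrieved HTML page. The two sample documents and the HTML snippet are constructed inline so the script runs offline; the `example.invalid` URL is a placeholder, not an indicator from the campaign.

```python
"""Triage a .docx for the two delivery tricks described above:
(1) an external relationship that fetches remote content (CVE-2021-40444 /
    Follina chain) and (2) an embedded VBA project with auto-run entry points.
Added example; the sample inputs are constructed, not campaign artefacts."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Procedure names Word runs automatically; matched as raw bytes inside vbaProject.bin.
AUTO_RUN = re.compile(rb"\b(Auto_?Open|Document_Open|AutoExec)\b", re.IGNORECASE)
# The Follina HTML redirects the page to an ms-msdt: URI carrying the command.
MSDT_URI = re.compile(r"ms-msdt:[^\"']*", re.IGNORECASE)


def scan_docx(data: bytes) -> dict:
    """Return external http(s) relationships and VBA auto-run indicators for a .docx."""
    findings = {"external_targets": [], "has_vba": False, "auto_run": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                # Ordinary hyperlinks are also External; the delivery chains use
                # oleObject / attachedTemplate style relationships, so skip hyperlinks.
                if (rel.get("TargetMode") == "External" and rtype != "hyperlink"
                        and target.lower().startswith(("http://", "https://"))):
                    findings["external_targets"].append((name, rtype, target))
        vba = "word/vbaProject.bin"
        if vba in names:
            findings["has_vba"] = True
            # vbaProject.bin is an OLE file with MS-OVBA compressed module streams.
            # A byte search is a cheap first pass; compression can split a name,
            # so a decompressing parser (e.g. oletools' olevba) is the authoritative check.
            hits = {m.decode("ascii", "replace") for m in AUTO_RUN.findall(z.read(vba))}
            findings["auto_run"] = sorted(hits)
    return findings


def find_msdt_uri(html: str) -> Optional[str]:
    """Return the first ms-msdt: URI in a fetched HTML page, or None."""
    m = MSDT_URI.search(html)
    return m.group(0) if m else None


def triage(docx: bytes) -> List[str]:
    """Human-readable reasons a document deserves a closer look."""
    f = scan_docx(docx)
    reasons = [f"{rels}: external {rtype} relationship fetches {target}"
               for rels, rtype, target in f["external_targets"]]
    if f["has_vba"]:
        reasons.append("word/vbaProject.bin present (VBA macros)")
        if f["auto_run"]:
            reasons.append("auto-run entry points: " + ", ".join(f["auto_run"]))
    return reasons


def build_sample(rels_xml: bytes, vba: Optional[bytes]) -> bytes:
    """Construct a minimal .docx in memory (test fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        if vba is not None:
            z.writestr("word/vbaProject.bin", vba)
    return buf.getvalue()


# Constructed fixtures: a remote-content chain document and a macro chain document.
REMOTE_RELS = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="https://example.invalid/stage2.html!" TargetMode="External"/>
</Relationships>"""
CLEAN_RELS = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
</Relationships>"""
FAKE_VBA = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
            + b'Attribute VB_Name = "ThisDocument"\r\nSub Document_Open()\r\n'
            + b"    Auto_Open\r\nEnd Sub\r\n")
SAMPLE_HTML = ('<html><body><script>window.location.href = '
               '"ms-msdt:/id PCWDiagnostic /skip force";</script></body></html>')

if __name__ == "__main__":
    for label, doc in (("remote-content", build_sample(REMOTE_RELS, None)),
                       ("macro", build_sample(CLEAN_RELS, FAKE_VBA))):
        print(label, triage(doc))
    print("html:", find_msdt_uri(SAMPLE_HTML))
```

Run it against a quarantined attachment by reading the file's bytes into `triage`. Any external non-hyperlink relationship is worth blocking at the gateway regardless of which CVE the fetched content ends up targeting, since a document that needs nothing from the network has no business carrying one.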
Capabilities of LokiBot
LokiBot is a long-running information-stealing Trojan that targets Windows systems. Its capabilities include:
- Keystroke Logging: Capturing keystrokes to harvest sensitive input, including login credentials.
- Screenshots: Taking screenshots to obtain visual data from infected machines.
- Browser Credential Theft: Collecting saved login credentials from web browsers.
- Cryptocurrency Wallet Data Theft: Siphoning data from various cryptocurrency wallets.
Recommended Mitigation
- Patch Vulnerabilities: Keep all Microsoft Office applications, including Microsoft Word, current with the latest security updates; both CVE-2021-40444 and CVE-2022-30190 have had fixes available since 2021 and 2022 respectively. Where the MSDT fix cannot be applied immediately, Microsoft's published workaround of disabling the ms-msdt: URL protocol handler removes the Follina trigger.
- Restrict Macros: Treat macro-enabled documents from outside the organization as hostile. Office now blocks VBA macros in files carrying the Mark of the Web by default; keep that policy enforced rather than relying on users to judge a document's legitimacy, and allow macros only for signed, approved documents. Blocking Office applications from spawning child processes (for example through an attack surface reduction rule) also breaks both chains at the point where the injector is launched.
Conclusion
The LokiBot campaign shows attackers pairing well-known Office code execution flaws with classic macro lures to deliver an established stealer. LokiBot's credential, screenshot and wallet theft capabilities, combined with its operators' willingness to swap delivery methods, make it a persistent threat to Windows environments. Organizations should apply the Office and MSDT updates, enforce macro blocking, and treat unsolicited Word documents, particularly those that fetch remote content or request macros, as suspect.