Info Stealer Continues to Succeed via Phishing, Exploiting Ancient Flaw in Office

In Norse mythology, Loki is a cowardly trickster god who can change age, shape and sex. The malware incarnation is more prosaic, tending to focus on stealing Microsoft users’ data.
LokiBot is one of a number of different types of so-called information-stealing malware, designed to steal everything from email credentials, payment card data and cryptocurrency wallet passwords to the cookies and system data needed to bypass multifactor authentication.
Researchers say LokiBot especially appeals to a less technically skilled clientele, owing to its ease of use, which helps explain why it has been unusually persistent – remaining among the five most-seen strains of malware – since 2018.
In two-thirds of attack attempts, the LokiBot malware arrives in the form of an email attachment, according to a new report authored by Madalynn Carr, a threat analyst at Cofense. Most of the other attack attempts use a delivery mechanism that in 82% of cases involves targeting a 23-year-old memory corruption flaw in Microsoft Office that first came to light six years ago.
Designated CVE-2017-11882, the flaw exists in Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1 and Microsoft Office 2016. Owing to continued use of these products, rather than still-supported and patched versions, many attempts to exploit this vulnerability remain successful.
The U.S. Cybersecurity and Infrastructure Security Agency has continued to feature this flaw on its list of the most “routinely exploited vulnerabilities,” owing to its continued exploitation by nation-state hacking teams as well as criminals.
LokiBot-wielding attackers continue to test fresh strategies for infecting targets. In 2020, CISA warned that the operators behind the malware had been using malicious websites to hide the malware from victims and to send phishing links through SMS and other private messages that contain LokiBot.
This summer, researchers warned they had been seeing an increase in attacks that used malicious Microsoft Office documents to drop LokiBot. Each of the attacks tended to target one of these two flaws:
- CVE-2021-40444 – a Microsoft Office MSHTML remote code execution vulnerability
- CVE-2022-30190 – A Microsoft Windows Support Diagnostic Tool, or MSDT, remote code execution vulnerability
8 Years of LokiBot
LokiBot debuted in 2015 for sale on cybercrime forums by “lokistov” with a sale price of $540 for both a stealer and a loader, the researchers said.
“LokiBot became a popular malware choice for threat actors due to the low price and ease of use,” says the Cofense report. Since 2018, “LokiBot has remained in the top five malware families delivered through phishing emails.”
That’s despite the source code for version 1 of the malware getting leaked in 2018 and sold for as little as $80. Carr said there are two theories as to how the code leaked. “One is that somebody reversed the original LokiBot and gathered the source code, then published the cracked version of the malware,” she said. “The other theory is that lokistov got hacked themselves, and the hacker published the stolen version.”
Subsequently, she said, lokistov developed version 2 of the malware, which has better evasion capabilities as well as expanded keylogger and remote access Trojan functionality.
The malware today includes the ability to steal credentials from more than 100 different clients on a PC, ranging from email, FTP and the cross-platform screen-sharing system VNC to password managers – including 1Password and KeePass – and instant messaging clients, the report says.
Defending Against LokiBot
LokiBot’s relative simplicity makes it easy to spot, provided defenders are watching for it, since almost everything it does will involve command-and-control communications, the researchers said.
“The primary way to prevent LokiBot from being installed on a system is to not allow unknown downloads from suspicious emails,” Cofense said, adding that most antivirus software should detect and block the malware or find it if set to regularly scan systems.
Cofense said LokiBot primarily communicates with a command-and-control server via HTTP and typically uses the same User-Agent request header string to identify itself: “Mozilla/4.08 (Charon; Inferno).” To spot likely LokiBot infections, it recommends organizations set alerts for that User-Agent string.
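The User-Agent alert Cofense recommends, as an added example that is not from the report or the article: a small Python scanner that parses web-proxy lines in Apache "combined" format (an assumption about the log source) and raises one alert per request carrying the LokiBot string. The log lines and IP addresses are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# User-Agent string the Cofense report attributes to LokiBot C2 traffic.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Apache/nginx "combined" format with the client IP in the first field.
# Assumption: proxy logs look like this; adjust the regex for other sources.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_lokibot_beacons(lines: List[str]) -> List[Dict[str, str]]:
    """Return an alert record for every request whose User-Agent is the LokiBot string.

    The comparison is exact (after trimming whitespace): matching only on the
    "Mozilla/4.08" prefix would also catch legitimate legacy clients.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ua"].strip() == LOKIBOT_UA:
            alerts.append({"src": rec["src"], "ts": rec["ts"],
                           "method": rec["method"], "url": rec["url"]})
    return alerts

# Constructed sample proxy log lines (not real traffic); paths and IPs are placeholders.
SAMPLE_LOGS = [
    '10.0.0.15 - - [12/Sep/2023:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/116.0"',
    '10.0.0.23 - - [12/Sep/2023:14:03:47 +0000] "POST /placeholder.php HTTP/1.0" 404 0 "-" '
    '"Mozilla/4.08 (Charon; Inferno)"',
    "malformed line that should be skipped",
    '10.0.0.23 - - [12/Sep/2023:14:08:47 +0000] "POST /placeholder.php HTTP/1.0" 404 0 "-" '
    '"Mozilla/4.08 (Charon; Inferno)"',
]

if __name__ == "__main__":
    for a in find_lokibot_beacons(SAMPLE_LOGS):
        print(f"ALERT LokiBot User-Agent from {a['src']} at {a['ts']}: {a['method']} {a['url']}")
```

Repeated hits from one source host a few minutes apart, as in the sample, are the beaconing pattern worth escalating rather than a single request.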
Feeding Log Markets
Info stealers such as LokiBot don’t work in a vacuum. The information this type of malware steals from a system is known as a “bot,” and bots get packaged up into “logs” that get sold on dedicated cybercrime markets such as Genesis, RussianMarket and TwoEasy or via forums such as BHF and Dark2Web and Telegram messaging app channels.
Instead of buying logs a la carte, customers can subscribe to “clouds of logs” that are frequently updated (see: Info-Stealing Malware Populates ‘Cloud of Logs’ Offerings).
Other popular information stealers populating log markets include Raccoon, RedLine, Vidar, Taurus and AZORult, researchers have reported. New players constantly debut, and this year they have included Acrid Rain and Typhon Stealer.