Latest LokiBot Campaign Exploits Malicious MS Documents

Researchers are warning of an uptick in attacks using a series of malicious Microsoft Office documents designed to drop LokiBot, an information stealer capable of sweeping up credentials.

See Also: OnDemand | Overcoming the Limitations of Addressing Insider Threat in Banking: Real Solutions for Real Security Challenges

FortiGuard Labs said the documents exploited known remote code execution vulnerabilities tracked as CVE-2021-40444 and CVE-2022-30190 and enabled attackers to embed malicious macros that ultimately dropped the LokiBot malware, which targets Windows systems and aims to gather sensitive information from infected machines.

LokiBot, which is also known as Loki PWS, has been active since 2015. The information-stealing Trojan was initially spread through malicious email attachments.

“During May 2023, we obtained two types of Word documents for analysis. The first type featured an external link embedded within an XML file, word/_rels/document.xml.rels, while the second type included a VBA script that executed a macro immediately upon opening the document,” researchers said.

The first document targeted CVE-2021-40444 with an external link using MHTML. This web archive file format combines a website’s HTML code and companion resources into a single file.

The link also used Cuttly, a URL shortener and link management platform that redirected users to GoFile, a cloud-based file-sharing website. Further investigation uncovered another file named defrt.html, which is downloaded upon accessing the link.

“This file exploits the second vulnerability, CVE-2022-30190. Upon executing the payload, it initiates the download of an injector file named oehrjd.exe from the following URL: http://pcwizard.net/yz/ftp/, the researchers said.

The other document included code embedded within the Word document that automatically executed through its use of the Auto_Open and Document_Open functions.

“Various arrays are decoded within the script and saved to a temporary folder under the name DD.inf. It includes a command to create an ema.tmp file to store data after line 29 in the DD.inf file. The data is then encoded using the ‘ecodehex’ function and saved as des.jpg. The script then uses rundll32 to load a DLL file with the function ‘maintst.’ Finally, it deletes all temporary, JPG and INF files created throughout this process,” the researchers said.

This DLL file helps to download an injector to be used in a later stage, which is not downloaded from a typical file-sharing cloud platform or the attacker’s command-and-control server. It leverages the website vertebromed.md, which has been active since 2018.

The injector file was found to have been created on May 29 and within the same folder, researchers uncovered another MSIL loader named IMG_3360_103pdf.exe, created on the next day. “Although this file isn’t directly involved in the Word document attack chain, it also loads LokiBot and connects to the same C2 IP,” the researchers said.

In the later stages, the injector incorporates various evasion techniques such as checking the BeingDebugged flag of Process Environment Block, using the “NtGlobalFlag” to determine if the process was created by a debugger, verifying the existence of virtual machine paths, such as “VMWare” and “Oraclevirtualbox guest additions” and employing two calls to the “GetTickCount” API and using Sleep() to check if the time has been accelerated.

Once the payload is obtained and verified in the overall environment, the injector uses the “VirtualAllocEx” function to allocate memory for the subsequent execution of LokiBot.

Deploying LokiBot

LokiBot has continually updated its initial access methods, allowing its malware campaign to find more efficient ways to spread and infect systems.

In 2020, the U.S. Cybersecurity and Infrastructure Security Agency warned that the operators behind the malware had been using malicious websites to hide the malware from victims and to send phishing links through SMS and other private messages that contain LokiBot.

In the latest campaign, the operators exploit various vulnerabilities and employ VBA macros to launch attacks. The malware also uses a VB injector to employ several techniques to evade detection or analysis.