LokiBot Malware Alert: Now spreads with Word macros

The infamous trojan LokiBot, active since 2015, is back in the news because of its dangerous and unpredictable evolution.

Besides exploiting the Follina vulnerability, patched by Microsoft in June 2022, the malware has shown that it can use macros in Word documents to infect computers that have not yet been updated.

These documents exploit two remote code execution vulnerabilities, CVE-2021-40444 and CVE-2022-30190 (the aforementioned Follina), to deliver the LokiBot malware to the victim's systems.

It all started when FortiGuard Labs received and analyzed two distinct types of Word documents, both of which represented potential threats yet to be determined. The first type relied on the XML relationships file word/_rels/document.xml.rels.

The second type, instead, used a VBA script that ran a malicious macro when the document was opened. Interestingly, both files contained a visually similar decoy image, suggesting a probable connection between the two attacks.

The Word document exploiting CVE-2021-40444 contained a document.xml.rels file that hosted an external link using MHTML (MIME Encapsulation of Aggregate HTML Documents). This link went through Cuttly, a URL shortener and link management platform, to redirect users to a cloud file sharing site called GoFile.
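Because the external reference lives in the package's relationships file, a .docx can be checked for this shape without ever rendering it in Office. The following scanner is an added example written for this article, not FortiGuard's tooling or anything from the malware analysis: it unzips the document, lists every relationship with TargetMode="External", flags targets that use an MHTML or MSDT scheme, the !x-usc: trick, or an external oleObject (the relationship type both CVE chains abuse), and also reports whether the package carries a VBA project. The sample relationships file is constructed for the example, with placeholder hostnames; the trailing "!" on the second oleObject target mirrors the Follina document layout.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_PATH = "word/_rels/document.xml.rels"
VBA_PATH = "word/vbaProject.bin"

# URL schemes an ordinary document has no reason to reference from a relationship
# target. mhtml:/mht: is the scheme used by CVE-2021-40444 documents; ms-msdt: is the
# handler abused by CVE-2022-30190, normally reached via a fetched HTML page, but a
# direct reference would be equally alarming.
SUSPICIOUS_SCHEME = re.compile(r"^(mhtml|mht|ms-msdt|search-ms):", re.I)


def scan_docx(data: bytes) -> dict:
    """Inspect a .docx (given as bytes) without rendering it in Office.

    Returns every external relationship target in document.xml.rels, the subset
    that is suspicious (a dangerous scheme, the !x-usc: MHTML trick, or an
    external oleObject of the kind both CVE chains rely on), and whether the
    package carries a VBA project (word/vbaProject.bin).
    """
    findings = {"external_targets": [], "suspicious_targets": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        findings["has_vba"] = VBA_PATH in names
        if RELS_PATH in names:
            root = ET.fromstring(zf.read(RELS_PATH))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue  # internal parts such as styles.xml
                target = rel.get("Target", "")
                findings["external_targets"].append(target)
                if (SUSPICIOUS_SCHEME.match(target)
                        or "!x-usc:" in target.lower()
                        or rel.get("Type", "").endswith("/oleObject")):
                    findings["suspicious_targets"].append(target)
    return findings


def verdict(findings: dict) -> str:
    """Collapse the findings into a triage label."""
    if findings["suspicious_targets"]:
        return "block: external MHTML/oleObject relationship"
    if findings["has_vba"]:
        return "review: document carries a VBA project"
    return "pass"


# Constructed sample, not a real malware artefact: a benign internal part, a benign
# hyperlink, an oleObject target of the CVE-2021-40444 shape and one of the Follina
# shape (external HTML reference with a trailing "!"). Hostnames are placeholders.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://example.invalid/s.html!x-usc:http://example.invalid/s.html" TargetMode="External"/>
  <Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.invalid/stage.html!" TargetMode="External"/>
</Relationships>
"""


def build_sample_docx(rels_xml: str, with_vba: bool = False) -> bytes:
    """Assemble a minimal .docx-shaped zip in memory so the scanner runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(RELS_PATH, rels_xml)
        if with_vba:
            zf.writestr(VBA_PATH, b"\xd0\xcf\x11\xe0 placeholder OLE header")
    return buf.getvalue()


if __name__ == "__main__":
    for with_vba in (False, True):
        found = scan_docx(build_sample_docx(SAMPLE_RELS, with_vba))
        print(verdict(found), found)
```

Run against a real file with scan_docx(open(path, "rb").read()). A legitimate document can contain external hyperlinks, so only the suspicious list, not every external target, should drive a block decision; a VBA project on its own is a reason for review rather than an automatic verdict.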

Two Word documents suspected of spreading malware

Further analysis revealed that accessing the link triggered the download of a file named defrt.html, which exploited the second vulnerability, CVE-2022-30190. Once that payload ran, it downloaded an injector file named oehrjd.exe from a specific URL.

The second document, discovered in late May 2023, contains a VBA script embedded in the Word file. The script, using the Auto_Open and Document_Open functions, runs automatically when the document is opened. It decrypts several arrays and saves them in a temporary folder under the name DD.inf.

Specifically, the script created a file, ema.tmp, to store the data, decoded it with the ecodehex function and saved the result as des.jpg. It then used rundll32 to load a DLL and call its maintst function. During this process, all the temporary files it had created (the .tmp, .jpg and .inf files) were systematically deleted.
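The macro chain ends with rundll32 loading a dropped file through a custom export, and that invocation is a more durable detection point than the temporary file names, which an attacker can change at will. The following triage logic is an added example, not part of the article or of FortiGuard's analysis: it parses process-creation command lines, extracts the module and entry point passed to rundll32, and flags a module that has a non-DLL extension, sits in a user-writable directory, or is loaded with no entry point. The log lines are constructed; the first one assumes the dropped file is loaded from the user's Temp folder as des.jpg with entry point maintst, which is the shape described above but not something the article states verbatim.

```python
import ntpath
import re

# "rundll32" or a full path to it, optionally quoted; everything after it is captured.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\(?:[^"\\]+\\)*)?rundll32(?:\.exe)?"?\s+(?P<rest>.+)$', re.I
)
# Directories the interactive user, and therefore a macro running as that user, can write to.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|Users\\Public|ProgramData|Temp)\\",
    re.I,
)
LOADABLE_EXTS = {".dll", ".cpl", ".ocx", ".ax"}


def parse_rundll32(cmdline: str):
    """Return (module, entry_point) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest.startswith('"'):                 # quoted module path
        close = rest.find('"', 1)
        if close == -1:
            return None
        module, tail = rest[1:close], rest[close + 1:]
    else:                                    # unquoted: ends at the first comma or blank
        m2 = re.match(r"([^\s,]+)(.*)$", rest)
        if not m2:
            return None
        module, tail = m2.group(1), m2.group(2)
    tail = tail.lstrip()
    entry = None
    if tail.startswith(","):
        parts = tail[1:].split()
        entry = parts[0] if parts else None
    return module, entry


def rundll32_reasons(cmdline: str) -> list:
    """Why a rundll32 invocation looks like a dropped-DLL loader; empty means nothing odd."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, entry = parsed
    reasons = []
    if ntpath.splitext(module)[1].lower() not in LOADABLE_EXTS:
        reasons.append(f"module has a non-DLL extension: {ntpath.basename(module)}")
    if USER_WRITABLE_RE.search(module):
        reasons.append("module loaded from a user-writable path")
    if entry is None:
        reasons.append("no entry point given")
    return reasons


def triage(events):
    """Return [(cmdline, reasons)] for every event that deserves analyst attention."""
    hits = []
    for ev in events:
        reasons = rundll32_reasons(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed process command lines (assumed paths and names, not captured telemetry).
SAMPLE_EVENTS = [
    # shape of the macro's final stage: a renamed DLL in %TEMP% loaded via a custom export
    r"rundll32.exe C:\Users\alice\AppData\Local\Temp\des.jpg,maintst",
    # ordinary Windows usage
    r"rundll32.exe shell32.dll,Control_RunDLL",
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,ShellExec_RunDLL notepad.exe',
    # proper extension, but staged in a world-writable directory
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\Public\update.dll",DllRegisterServer',
    # not rundll32 at all
    r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for cmdline, reasons in triage(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(reasons))
```

Feed it the CommandLine field of Sysmon Event ID 1 or Windows Security 4688 records. Pairing the hit with the parent process (WINWORD.EXE spawning rundll32) narrows it further, and the extension check is what catches the des.jpg trick: rundll32 does not care about the file extension, only the detection logic does.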

LokiBot, a trojan that has never stopped evolving

LokiBot is a persistent piece of malware that has continued to evolve over the years, adapting its techniques to propagate and infect systems more efficiently. By exploiting a number of vulnerabilities as well as VBA macros, LokiBot remains a significant cybersecurity concern.

To protect themselves from such threats, users are advised to be careful when handling Office documents or unknown files, especially those containing links to external websites. Keeping the operating system and antivirus software up to date further reduces the risk of infection. Note that the macro route still needs the user's cooperation: since 2022 Office blocks VBA macros by default in files that carry the Mark of the Web, so a macro in a downloaded document only runs if the victim explicitly unblocks the file.
