In the ever-evolving landscape of cybersecurity, cybercriminals continue to harness well-known platforms to launch sophisticated attacks. Their latest target? None other than the globally used Microsoft Word. This time, attackers are leveraging remote code execution flaws to serve as phishing lures and deploy a notorious Trojan known as LokiBot on compromised systems.
LokiBot: A Brief Overview
LokiBot, active since 2015 and also known as Loki PWS (Password Stealer), is a notorious information-stealing Trojan. Primarily targeting Windows systems, it harvests sensitive information from infected machines. Beyond keylogging and capturing screenshots, LokiBot has evolved over the years to gather login credentials from web browsers and siphon data from various cryptocurrency wallets.
The latest attack campaign, spotted by Fortinet FortiGuard Labs in May 2023, exploits known Microsoft Word vulnerabilities identified as CVE-2021-40444 and CVE-2022-30190 (aka Follina) to achieve code execution. The Word file leveraging CVE-2021-40444 contains an external GoFile link, embedded within an XML file, that triggers the download of an HTML file. This HTML file then exploits Follina to download an injector module coded in Visual Basic, which decrypts and launches LokiBot.
The Chameleon Techniques of LokiBot
LokiBot's campaign exhibits chameleon-like adaptability. The injector boasts evasion techniques to detect the presence of debuggers and ascertain if it's operating within a virtualized environment. This adaptability renders LokiBot a moving target, complicating mitigation efforts.
In an alternative attack chain discovered at the end of May, the Word document incorporates a VBA script that runs a macro as soon as the document is opened. This macro serves as a conduit to fetch an interim payload from a remote server, which then acts as an injector to load LokiBot and connect to a Command-and-Control (C2) server.
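Both delivery chains described above leave traces in the document package itself: the first in an external relationship inside the package XML, the second in an embedded VBA project. The following triage script is an added example (not code from the article or from Fortinet's report) that opens a .docx as a zip and reports both indicators; the sample documents are constructed inline and the host name is a placeholder.

```python
import io
import re
import zipfile

# One <Relationship .../> element whose TargetMode is External; attribute order varies.
_EXT_REL = re.compile(r'<Relationship\b[^>]*\bTargetMode="External"[^>]*/?>', re.I)
_TYPE = re.compile(r'\bType="([^"]*)"', re.I)
_TARGET = re.compile(r'\bTarget="([^"]*)"', re.I)
_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

def scan_docx(data: bytes) -> list[str]:
    """Return findings for a .docx given as bytes (Office Open XML is a zip).

    Two delivery indicators from the campaign are checked: an external relationship
    that auto-fetches remote content (the link embedded in the package XML) and an
    embedded VBA project (the macro chain). Plain hyperlinks are External too but
    only open on click, so they are skipped."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                findings.append(f"macro: VBA project present ({name})")
            if not name.lower().endswith(".rels"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for rel in _EXT_REL.finditer(xml):
                m_type, m_tgt = _TYPE.search(rel.group(0)), _TARGET.search(rel.group(0))
                rel_type = (m_type.group(1) if m_type else "").lower()
                target = m_tgt.group(1) if m_tgt else ""
                if rel_type.endswith("/hyperlink"):
                    continue
                if target.lower().startswith(("http://", "https://", "mhtml:")):
                    kind = rel_type.rsplit("/", 1)[-1]
                    findings.append(f"external: {name} {kind} -> {target}")
    return findings

def build_sample_docx(rels_xml: str, with_macro: bool) -> bytes:
    """Build a minimal constructed .docx for testing; not a real-world sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed stub, not a real VBA project")
    return buf.getvalue()

# Constructed relationship parts: a benign hyperlink, then the same plus an external
# OLE object pointing at a placeholder host (the campaign's real URL is not reproduced).
BENIGN_RELS = f'<Relationships><Relationship Id="rId1" Type="{_NS}/hyperlink" Target="https://example.com/" TargetMode="External"/></Relationships>'
SUSPICIOUS_RELS = BENIGN_RELS.replace("</Relationships>", f'<Relationship Id="rId2" Type="{_NS}/oleObject" TargetMode="External" Target="http://filehost.invalid/stage.html"/></Relationships>')
```

Run `scan_docx(open(path, "rb").read())` on a quarantined attachment; an empty list means neither indicator is present, not that the file is clean.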
The Role of Cybersecurity Operations Centers (CSOCs)
In this landscape, Cybersecurity Operations Centers (CSOCs) play a pivotal role. CSOC teams would typically isolate the infected systems to prevent lateral movement of the malware, followed by a thorough forensic analysis to understand the attack vectors and the malware's functionality.
Patch management is one of the proactive ways that CSOCs can help mitigate such vulnerabilities. Applying patches and updates provided by software vendors can prevent exploitation. In this case, patching the Microsoft Word vulnerabilities would be the first line of defense.
Furthermore, deploying advanced threat intelligence and intrusion detection systems can help in identifying and responding to such threats in real-time. End-user awareness and education about phishing lures are also crucial in minimizing the risk of such attacks.
Glossary of Terms
LokiBot: An information-stealing Trojan targeting Windows systems, capable of keylogging, capturing screenshots, and stealing login credentials and cryptocurrency wallet data.
CVE-2021-40444 and CVE-2022-30190: Known vulnerabilities in Microsoft Word that can be exploited for code execution.
Visual Basic: A third-generation event-driven programming language and integrated development environment (IDE) from Microsoft.
Command-and-Control (C2) server: A computer controlled by a cybercriminal used to send commands to systems compromised by malware and receive stolen data from a target network.
In Summary
The LokiBot campaign demonstrates the continuous evolution of cyber threats and the importance of proactive cybersecurity measures. Exploiting Microsoft Word vulnerabilities, the malware employs advanced techniques to dodge detection and carry out its malicious activities.