Malicious Microsoft Office docs drop LokiBot malware
It’s been a busy week for Microsoft. Lost in the crush of news about a Chinese APT attack and exploited zero-days fixed in Patch Tuesday, FortiGuard Labs observed several malicious Microsoft Office documents that, when executed, drop the LokiBot malware onto a victim’s system.

In a blog post July 12, FortiGuard Labs said the malicious Microsoft Office documents exploited known remote code execution vulnerabilities: CVE-2021-40444 (CVSS 7.8) and CVE-2022-30190 (CVSS 7.8). Patches have been available for both bugs for well over a year.

The researchers said LokiBot, also known as Loki PWS, has been a well-known information-stealing trojan active since 2015. LokiBot primarily targets Windows systems and aims to gather sensitive information from infected machines.

LokiBot exploits various vulnerabilities and employs Visual Basic for Applications (VBA) macros to launch attacks. It also leverages a Visual Basic injector to evade detection or analysis. Leveraging the injector, it can bypass certain security measures and pose a significant threat to users.
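As an added illustration (not code from FortiGuard's post or this article), the following Python script checks an Office Open XML package for the two delivery indicators described above: a VBA project part, and external relationship targets of the kind the CVE-2021-40444 and CVE-2022-30190 document lures relied on. The in-memory package fixtures and the placeholder host are constructed for the example and are not real samples or indicators.

```python
import io
import re
import zipfile
# Both CVE-2021-40444 and CVE-2022-30190 lures reached the vulnerable code via an
# external relationship in the package's .rels part, so that is what we inspect.
RISKY_REL_TYPES = ("oleObject", "attachedTemplate", "frame")
RISKY_SCHEMES = re.compile(r"^(mhtml:|ms-msdt:)", re.I)
REL_RE = re.compile(r"<Relationship\b[^>]*>")

def attr(tag: str, name: str) -> str:
    m = re.search(rf'\b{name}="([^"]*)"', tag)
    return m.group(1) if m else ""

def scan_office_package(data: bytes) -> list[str]:
    """Return findings for an OOXML (docx/xlsx/pptx) package given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("VBA macro project present (vbaProject.bin)")
        for name in (n for n in names if n.endswith(".rels")):
            xml = zf.read(name).decode("utf-8", "replace")
            for tag in REL_RE.findall(xml):
                if attr(tag, "TargetMode").lower() != "external":
                    continue  # internal parts cannot pull remote content
                rtype = attr(tag, "Type").rsplit("/", 1)[-1]
                target = attr(tag, "Target")
                if rtype in RISKY_REL_TYPES or RISKY_SCHEMES.match(target):
                    findings.append(f"{name}: external {rtype} -> {target}")
    return findings

# Constructed fixtures for the example; the host is a placeholder, not an IoC.
RELS_NS = 'xmlns="http://schemas.openxmlformats.org/package/2006/relationships"'
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
def build_package(rels: str, with_macro: bool = False) -> bytes:
    """Build a minimal in-memory OOXML package around the given relationships."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels",
                    f"<Relationships {RELS_NS}>{rels}</Relationships>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

SUSPECT = build_package(f'<Relationship Id="rId9" Type="{REL_BASE}oleObject" '
                        'Target="http://placeholder.invalid/x.html" TargetMode="External"/>', True)
BENIGN = build_package(f'<Relationship Id="rId2" Type="{REL_BASE}hyperlink" '
                       'Target="https://www.microsoft.com/" TargetMode="External"/>')
```

A plain external hyperlink is left alone; an external OLE object, attached template or frame, or any target using the mhtml: or ms-msdt: scheme, is reported for analyst review.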

“Users should exercise caution when dealing with any Office documents or unknown files, especially those that contain links to external websites,” the researchers said. “It’s essential to be vigilant and avoid clicking on suspicious links or opening attachments from untrusted sources. Additionally, keeping the software and operating systems up-to-date with the latest security patches can help mitigate the risk of exploitation by malware.”

Andrew Barratt, vice president at Coalfire, said these are challenging known vulnerabilities that leverage the classic social engineering methods preying on end users — dropping an alluring attachment in the hopes that a misguided or under-protected end user will open it.

Barratt said that fortunately Microsoft has been on top of the problem from a resolution-and-workaround perspective, so it’s imperative that we remind security teams to keep their endpoint protection products current.

“As with any remote code execution vulnerability, it’s very important to consider them the highest threat,” said Barratt. “Teams that are concerned it may have slipped through should look through the…
