Threatening Microsoft Office Documents Drop the LokiBot Malware

In a week filled with significant events for Microsoft, including a Chinese APT attack and the patching of exploited zero-days during Patch Tuesday, researchers have observed multiple instances of malicious Microsoft Office documents that, upon execution, drop the LokiBot malware onto the targeted system. This malware seriously threatens victims by infiltrating their systems, potentially leading to unauthorized access and data theft.

Exploiting well-known vulnerabilities, namely CVE-2021-40444 (CVSS 7.8) and CVE-2022-30190 (CVSS 7.8), the threatening Microsoft Office documents have been the gateway for the infiltration of the notorious LokiBot malware. Despite patches being available for these vulnerabilities for over a year, attackers took advantage of unpatched systems.

What is LokiBot?

LokiBot, a long-standing information-stealing trojan known since 2015, focuses on Windows platforms, seeking to extract valuable data from compromised machines. Its persistent presence in the threat landscape underscores the importance of maintaining robust security measures to defend against evolving cyber threats.

LokiBot combines several techniques to carry out its harmful activities. It takes advantage of multiple vulnerabilities and employs Visual Basic for Applications (VBA) macros to initiate attacks. Additionally, LokiBot incorporates a Visual Basic injector that aids in evading detection and analysis. By leveraging this injector, the malware can circumvent specific security measures, making it a formidable threat to users. The ability of LokiBot to employ these advanced techniques highlights the importance of implementing robust security measures and staying vigilant against evolving cyber threats.

Err on the Side of Caution

Researchers strongly advise users to exercise caution when dealing with Office documents or unfamiliar files, particularly those containing links to external websites. They emphasize the importance of remaining vigilant and refraining from clicking suspicious links or opening attachments from untrusted sources. Additionally, keeping software and operating systems up to date with the latest security patches is crucial to mitigating the risk of malware exploitation.

These known vulnerabilities pose a significant challenge because attacks on them rely on classic social engineering techniques that target end users. The attackers rely on enticing attachments, hoping unsuspecting or inadequately protected users will open them. That highlights the need for robust cybersecurity awareness and education to empower users in recognizing and avoiding potential threats.

Luckily, Microsoft has taken proactive measures to address and provide solutions for the problem, underscoring the need for security teams to ensure their endpoint protection products are up to date.

It is crucial to always treat remote code execution vulnerabilities as a top priority in terms of threat level. Organizations should thoroughly examine indicators of compromise and conduct initial investigations to verify whether the vulnerability has affected them. This proactive approach allows organizations to identify and mitigate any potential impact promptly.

The emergence of this new packaging for LokiBot raises severe concerns due to its ability to evade detection, conceal its activities, and potentially compromise sensitive data. In response, organizations should not simply discontinue the use of Microsoft Office but rather prioritize actions to keep their systems protected. That includes regularly applying patches, updating anti-malware signatures, and educating users about exercising caution when handling Office documents. By taking these proactive measures, organizations can bolster their defenses and minimize the risk of falling victim to such damaging activities.