
Volume 304, Issue 2 · IT Vendor News · Fortinet

LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros

Fortinet News, Wednesday, July 12, 2023

In a recent FortiGuard Labs investigation, we came across several malicious Microsoft Office documents designed to exploit known vulnerabilities.

Specifically, CVE-2021-40444 and CVE-2022-30190 are remote code execution vulnerabilities. Exploiting these vulnerabilities allowed the attackers to embed malicious macros within Microsoft documents that, when executed, dropped the LokiBot malware onto the victim's system. LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015. It primarily targets Windows systems and aims to gather sensitive information from infected machines.

In this article, we will delve into the specifics of the identified documents, explore the payload they delivered, and outline the behavioral patterns exhibited by LokiBot. Our analysis aims to shed light on the intricacies of this threat and increase awareness regarding its operational methods.
