Cybercriminals Exploit Microsoft Word Vulnerabilities
Cybercriminals are leveraging vulnerabilities in Microsoft Word to distribute the LokiBot malware, a well-known Trojan that targets Windows systems and aims to steal sensitive information.
By exploiting remote code execution flaws, attackers are using Word documents as phishing lures to compromise systems and deploy the LokiBot malware.
Key Takeaways:
- Cybercriminals are exploiting Microsoft Word vulnerabilities to distribute the LokiBot malware.
- The LokiBot Trojan has been active since 2015 and primarily targets Windows systems to steal sensitive information.
- The attacks utilize specific vulnerabilities, such as CVE-2021-40444 and CVE-2022-30190, to achieve code execution and launch the LokiBot malware.
Cybercriminals are taking advantage of known vulnerabilities in Microsoft Word to deploy the LokiBot malware, a long-standing Trojan designed to steal sensitive information from Windows systems.
These attacks employ phishing tactics, using malicious Word documents as lures to compromise systems and introduce the LokiBot malware.
Exploiting CVE-2021-40444 and CVE-2022-30190
The campaign, detected by Fortinet FortiGuard Labs in May 2023, leverages specific vulnerabilities, namely CVE-2021-40444 and CVE-2022-30190 (also known as Follina).
By exploiting these vulnerabilities, attackers achieve remote code execution, allowing them to run malicious code on the victim's system through crafted Microsoft Word documents.
Attack Execution and Payload
In one variation of the attack, a Word document containing an embedded external GoFile link leads to the download of an HTML file. This HTML file then exploits the Follina vulnerability to download a next-stage payload, an injector module written in Visual Basic.
This injector decrypts and launches the LokiBot malware, equipped with information-stealing capabilities.
An alternative attack method discovered in late May involves a Word document with a VBA script that executes a macro immediately upon opening the document. The macro serves as a conduit, delivering an interim payload from a remote server.
This payload acts as an injector, loading the LokiBot malware and connecting it to a command-and-control server.
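A defender-side triage check for the two document variants described above, as an added example that is not from the original article or from Fortinet. It assumes the embedded external link is stored as an OOXML relationship with TargetMode="External" and that a macro variant carries a vbaProject.bin part; the function names, the list of relationship types to flag, and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Assumption: relationship types worth manual review, because Word may load
# their external target when the document is opened.
RISKY_TYPES = ("oleObject", "attachedTemplate", "frame")

def triage_docx(data: bytes) -> dict:
    """List external relationship targets and macro presence in an OOXML file."""
    findings = {"external": [], "risky": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                findings["has_vba"] = True  # macro-enabled variant
            if not name.endswith(".rels"):
                continue
            # For untrusted files in production, parse with defusedxml instead.
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                entry = (name, kind, rel.get("Target", ""))
                findings["external"].append(entry)
                if kind in RISKY_TYPES:
                    findings["risky"].append(entry)
    return findings

def build_sample() -> bytes:
    """Constructed sample: a plain hyperlink, an external OLE link, a macro part."""
    base = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{base}hyperlink" TargetMode="External" '
        'Target="https://example.com/help"/>'
        f'<Relationship Id="rId2" Type="{base}oleObject" TargetMode="External" '
        'Target="https://files.example.invalid/a.html"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    report = triage_docx(build_sample())
    for part, kind, target in report["risky"]:
        print(f"REVIEW {part}: {kind} -> {target}")
    print("VBA project present:", report["has_vba"])
```

A hit here is a reason to quarantine and inspect the attachment, not proof of compromise; ordinary hyperlinks also appear as external relationships, which is why they are listed separately from the flagged types.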
Capabilities and Impact
LokiBot, distinct from its Android banking trojan namesake, is a persistent and widespread malware that has evolved over the years.
It has the ability to log keystrokes, capture screenshots, gather login credentials from web browsers, and steal data from various cryptocurrency wallets.
This extensive functionality enables cybercriminals to steal sensitive data from victims effectively.
Conclusion
Cybercriminals are exploiting vulnerabilities in Microsoft Word to distribute the LokiBot malware, a long-standing Trojan known for stealing sensitive information from Windows systems.
These attacks highlight the importance of maintaining up-to-date security measures and staying vigilant against phishing attempts involving malicious Word documents.