Malware Campaign Exploiting Microsoft Office Vulnerabilities to Drops LokiBot

VTA-00445 – Malware Campaign Exploiting Microsoft Office Vulnerabilities to Drops LokiBot

FortiGuard Labs, a cybersecurity research team, has uncovered a malware campaign that exploits vulnerabilities, namely CVE-2021-40444 and CVE-2022-30190 (Follina), in Microsoft Office documents. This campaign aims to distribute LokiBot malware, known for stealing sensitive information from Windows machines. The malicious documents either contain a link that redirects users to a file download exploiting the vulnerabilities, or they utilize a script that automatically executes upon opening, thereby initiating the download of the malware.

LokiBot, a notorious Trojan that has been active since 2015, poses a significant threat to user data. By leveraging these specific vulnerabilities and employing various techniques, such as VBA macros and encoded files, the malware remains difficult to detect and analyze. To protect against such attacks, users are strongly advised to exercise caution when handling Office documents, particularly those containing links to external websites.


Attack Surfaces:
Email, Endpoint

Defense Evasion, Initial Access, Persistence

T1137 – Office Application Startup ,
T1027 – Obfuscated Files or Information ,
T1566 – Phishing ,
T1137.001 – Office Template Macros


SuperPRO’s Threat Countermeasures Procedures: 
1. Exercise caution with email attachments and links in documents, especially if they are from unknown sources. Verify their legitimacy before opening or clicking on them.
2. Keep your operating system, antivirus software, and applications up to date with the latest security patches to protect against known vulnerabilities.
3. Be wary of unfamiliar or suspicious links, particularly those redirecting to cloud file-sharing websites or unknown domains.
4. Stick to reputable websites and avoid downloading files from suspicious sources or clicking on pop-up ads.
5. Enable firewalls, intrusion detection systems, and other security measures to add an extra layer of defense against malware infections.

Contributed by:  Wan

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>