Attention Windows users! LokiBot Malware Is Spreading Through Office Documents

Windows users are again being targeted by malware known as LokiBot, which spreads through Office documents.

Attackers are exploiting known vulnerabilities, such as CVE-2021-40444 and CVE-2022-30190, to embed malicious macros in Microsoft Office documents, according to a new report by Fortinet security researcher Cara Lin.

These macros, once executed, drop the LokiBot malware onto the victim's system, allowing the attacker to take control and collect sensitive information.

LokiBot is a notorious Trojan that has been active since 2015 and specializes in stealing sensitive information from infected machines, mainly targeting Windows systems.

FortiGuard Labs performed an in-depth analysis of the identified files, examining the payloads they carry and their patterns of behavior.

According to the investigation, the malicious document employs a variety of techniques, including the use of external links and VBA scripts to start the attack chain.

Once deployed, the LokiBot malware uses evasion techniques to avoid detection and executes a series of malicious activities to collect sensitive data from compromised systems.

John Gallagher, vice president of Viakoo Labs, Viakoo, said of the new attack: "This is LokiBot's new packaging, which is less likely to be detected than before, and can effectively cover its tracks and confuse its process, which may lead to large-scale exfiltration of personal and business data."

To protect against this threat, users are advised to be more cautious when handling Office documents or unknown files, especially those containing external links.
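As an added defender-side example (not code from the original report or from Fortinet), the following Python triages an Office document for the two ingredients the article names: external relationships in the OOXML package and an embedded VBA project. The sample container and its URLs are constructed for the demo, and the set of relationship types treated as risky is an assumption about which external targets warrant a closer look.

```python
import io
import re
import zipfile

# External oleObject/attachedTemplate targets are how the CVE-2021-40444 and
# CVE-2022-30190 document chains reach outside the file for their next stage.
RISKY_REL_TYPES = {"oleObject", "attachedTemplate", "frame"}  # assumed triage list
REL_RE = re.compile(r'<Relationship\b[^>]*TargetMode="External"[^>]*/?>', re.I)
ATTR_RE = re.compile(r'(Type|Target)="([^"]*)"', re.I)

def inspect_office_document(data: bytes) -> dict:
    """Scan OOXML bytes (.docx/.xlsx/.pptx) for external relationships and VBA."""
    findings = {"external": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):        # embedded macro project
                findings["has_vba"] = True
            if low.endswith(".rels"):                 # relationship part
                xml = zf.read(name).decode("utf-8", errors="replace")
                for rel in REL_RE.findall(xml):
                    attrs = {k.lower(): v for k, v in ATTR_RE.findall(rel)}
                    rel_type = attrs.get("type", "").rsplit("/", 1)[-1]
                    findings["external"].append((name, rel_type, attrs.get("target", "")))
    return findings

def is_suspicious(findings: dict) -> bool:
    """VBA or a risky external relationship; plain hyperlinks are not flagged."""
    return findings["has_vba"] or any(
        t in RISKY_REL_TYPES for _, t, _ in findings["external"])

def build_sample_docx(rels_xml: str, with_vba: bool) -> bytes:
    """Constructed minimal container for the demo, not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Constructed .rels: one external OLE object (risky) and one ordinary hyperlink.
SAMPLE_RELS = (
    f'<Relationships><Relationship Id="rId1" Type="{NS}oleObject" '
    'Target="http://example.invalid/stage.html" TargetMode="External"/>'
    f'<Relationship Id="rId2" Type="{NS}hyperlink" Target="https://example.com/" '
    'TargetMode="External"/></Relationships>')
```

Run `inspect_office_document(open(path, "rb").read())` on a quarantined attachment to list every external target before anyone opens it; mail-gateway filters can apply the same check on the way in.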

Andrew Barratt, vice president of Coalfire, commented that from a solution and workaround perspective, Microsoft is the source of the problem, so we must remind users to keep their security products up to date.

At the same time, this also shows the importance of an email filtering solution that actively scans for attachments before they reach the user's inbox.

Reposted from: blog.csdn.net/FreeBuf_/article/details/131771721