Cybercriminals are exploiting unpatched remote code execution vulnerabilities to distribute an information-stealing malware called LokiBot. LokiBot, also known as LokiPWS, primarily targets Windows systems and collects sensitive information from infected devices including usernames and passwords. The malware can also log keystrokes, capture screenshots, steal information from web browsers, and empty cryptocurrency wallets. LokiBot was discovered in 2016 and has been active since at least 2015, and is primarily spread via email, most commonly through malicious email attachments.

One of the latest campaigns exploits the Microsoft Office vulnerability, CVE-2021-40444, and the Microsoft Windows Support Diagnostic Tool (MSDT) vulnerability, CVE-2022-30190, to embed malicious macros in Office documents that deliver LokiBot. The campaign was detected by security researchers at FortiGuard Labs in May 2023, and the campaign is still active.

The infection process is different depending on which vulnerability is exploited. The Word document that exploits the CVE-2021-40444 vulnerability includes a GoFile link embedded in an XML file, which will download an HTML file that exploits the CVE-2022-30190 vulnerability, which will deliver a Visual Basic payload that delivers LokiBot. Alternatively, a Word file is used that contains a VBA macro that drops an INF file, through which a connection will be made to the command-and-control server and LokiBot will be loaded.

LokiBot may be an old malware variant, but it is regularly updated, and the methods used to distribute the malware regularly change. This campaign takes advantage of businesses that are slow to implement patches. Ensuring patches for known vulnerabilities or workarounds are implemented quickly is vital. Email anti-spam services will also protect against attacks such as these. It is important to use an email security solution that does not rely on signature-based detection methods. Malware variants are constantly updated and changed to evade signature-based detection methods, so AI-based solutions should be used that can detect novel malware variants by their behavior.

SpamTitan includes both detection methods and will scan for known malware variants and subject attachments to in-depth analysis in a sandbox to identify malicious actions, such as command-and-control center callbacks. SpamTitan also performs a barrage of front-end and advanced checks on all emails, including machine-based detection methods that can identify emails that deviate from those typically received by a business, ensuring security teams are rapidly alerted about potential threats. Security awareness training is also strongly recommended to educate end users about email-based threats and teach security best practices, such as always exercising caution with emails, email attachments, and messages containing external links.

If you want to improve your defenses against malware and other cyber threats, give the TitanHQ team a call. SpamTitan, along with other TitanHQ cybersecurity solutions, is available on a free trial to allow you to test the product in your own environment before deciding if it is right for your business.