Researchers have identified a new malware distribution campaign delivering LokiBot banking trojan using multiple techniques. They discovered some old yet effective tactics used by LokiBot.
Inside the LokiBot’s hat
Security researchers from Trend Micro were able to peek inside the campaign details due to a misconfiguration in one of their C&C servers.
LokiBot has been exploiting some old vulnerabilities, including CVE-2017-11882 (exploitation of RTF documents), and CVE-2016-0189 (Internet Explorer), in popular utility software.
The delivery mechanisms included the use of PDF (using Open Action Object), DOCX (using the Frameset mechanism), Excel (using embedded OLE Object), and Word documents (with further exploitation of old vulnerabilities).
The customers were being targeted via emails masquerading as an order invoice, with a PDF file attached.
When opened, it provides an option to connect to a specific host which responds with a malicious HTML document.
This malicious page attempts to exploit the known vulnerabilities to run an embedded PowerShell script. It eventually downloads the payload vbc.exe, which is a variant of LokiBot.
Incidents associated with LokiBot
LokiBot banking trojan primarily targets FTP servers, SMTP clients, and web browsers, in an attempt to steal user credentials.
A new variant of RoboSki packer was found to be associated with LokiBot C2 domains that were earlier used in a SWIFT-related fraud to deliver Lokibot earlier in 2019.
In March, researchers discovered a wave of attacks in the guise of the COVID-19 vaccine, which was distributing several malware, including LokiBot, Formbook, and Anubis.
LokiBot operators have apparently amalgamated the exploitation of old vulnerabilities with new social engineering techniques. The use of a wide range of delivery mechanisms provides further ample ammunition to fuel its campaigns. Hence, its critical that organizations patch vulnerabilities on time and refraining from emails received from unknown senders.