LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros | FortiGuard Labs

Fortinet FortiGuard Labs analyzed malicious Microsoft Office documents that exploit CVE-2021-40444 and CVE-2022-30190 to drop LokiBot onto Windows systems. The campaign uses a VBA macro and an injector chain to download payloads, load LokiBot into memory, and reach a remote C2 at 95.164.23.2 to exfiltrate data.

Keypoints

  • Exploitation of two remote code execution vulnerabilities (CVE-2021-40444 and CVE-2022-30190) to drop LokiBot via malicious Word documents.
  • Two document variants analyzed: one with an external link in document.xml.rels and another with a VBA Auto_Open/Document_Open macro.
  • The payload delivery chain downloads an injector (oehrjd.exe) from pcwizard.net and loads LokiBot via a DLL that rundll32 executes.
  • The VB injector decrypts/decodes data, writes intermediate files (DD.inf, ema.tmp, des.jpg), then uses VirtualAllocEx to execute the final payload.
  • The injector employs anti-analysis evasion (debugger/VM checks, Sleep timing, FindWindowW checks) to hinder analysis.
  • LokiBot’s C2 communications target 95.164.23.2/swe/h/pin.php, with data exfiltrated over web protocols.
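As an added triage example (not code from the FortiGuard report), the Python script below opens an OOXML package in memory and flags the two delivery traits listed above: a relationship in document.xml.rels that resolves to an external URL, and the presence of a VBA project part. The sample package, its example.invalid URL and the build_sample helper are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
RELS_PATH = "word/_rels/document.xml.rels"
MACRO_PATH = "word/vbaProject.bin"
URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)  # http:, https:, file:, ...

def inspect_docx(data: bytes) -> dict:
    """Triage an in-memory OOXML package: external relationship targets and VBA presence."""
    findings = {"external_targets": [], "has_vba_project": False}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        findings["has_vba_project"] = MACRO_PATH in names  # the Auto_Open/Document_Open variant
        if RELS_PATH in names:
            root = ET.fromstring(pkg.read(RELS_PATH))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                # TargetMode="External" plus a URL scheme: Word resolves this outside the file.
                if rel.get("TargetMode") == "External" and URL_SCHEME.match(target):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings["external_targets"].append((rel.get("Id"), rel_type, target))
    return findings

def is_suspicious(findings: dict) -> bool:
    """Plain hyperlinks are common in benign files; any other external relationship
    (e.g. an OLE object fetched from a URL) or an embedded VBA project needs review."""
    non_link = [t for t in findings["external_targets"] if t[1] != "hyperlink"]
    return bool(non_link) or findings["has_vba_project"]

def build_sample(rels_xml: str, with_macro: bool) -> bytes:
    """Constructed minimal package for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr(RELS_PATH, rels_xml)
        if with_macro:
            pkg.writestr(MACRO_PATH, b"placeholder")  # stand-in bytes, not real VBA
    return buf.getvalue()

# Constructed relationships part: one ordinary local part, one external OLE object target.
SAMPLE_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{OOX}styles" Target="styles.xml"/>'
    f'<Relationship Id="rId2" Type="{OOX}oleObject" TargetMode="External" '
    'Target="https://example.invalid/lure/template.html"/></Relationships>'
)
```

Run inspect_docx over the .docx bytes you want to triage; the external-target check is cheap enough to apply at a mail gateway before any sandbox detonation.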

MITRE Techniques

  • [T1203] Exploitation for Client Execution – ‘Specifically, CVE-2021-40444 and CVE-2022-30190 are remote code execution vulnerabilities. Exploiting these vulnerabilities allowed the attackers to embed malicious macros within Microsoft documents that, when executed, dropped the LokiBot malware onto the victim’s system.’
  • [T1059.005] Visual Basic – ‘the VBA macro automatically executed due to its use of the “Auto_Open” and “Document_Open” functions…’
  • [T1218] Signed Binary Proxy Execution – ‘The injector … uses rundll32 to load a DLL file with the function “maintst.”’
  • [T1105] Ingress Tool Transfer – ‘download of an injector file named “oehrjd.exe” from the following URL: http[:]//pcwizard[.]net/yz/ftp/.’
  • [T1055] Process Injection – ‘The injector utilizes the “VirtualAllocEx” function to allocate memory for the subsequent execution of LokiBot.’
  • [T1497] Virtualization/Sandbox Evasion – ‘Checking the “BeingDebugged” flag of PEB … VM presence … FindWindowW to identify debuggers …’
  • [T1071] Web Protocols – ‘C2 traffic to “95[.]164[.]23[.]2/swe/h/pin[.]php” …’

Indicators of Compromise

  • [IP] C2 server – 95.164.23.2 – LokiBot C2 channel used for data exfiltration
  • [Files] MD5 hashes – 17d95ec93678b0a73e984354f55312dda9e6ae4b57a54e6d57eb59bcbbe3c382, 23982d2d2501cfe1eb931aa83a4d8dfe922bce06e9c327a9936a54a2c6d409ae, and 6 more hashes
  • [URLs] Downloader and loader origins – http://pcwizard.net/yz/ftp/, https://vertebromed.md/temp/dhssdf.exe

Read more: https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros