Author: Darby Wise
On 9 December, Infoblox observed a malicious email campaign exploiting CVE 2017-118821 to distribute LokiBot malware. This campaign used purchase order-themed lures to entice victims into downloading malicious Microsoft Excel (XLS) files.
We have previously written several reports on LokiBot, including campaigns that used Coronavirus-themed lures, NGROK tunneling to download payloads, and malicious RTF files to infect victims.2,3,4
CVE 2017-11882, a stack buffer overflow vulnerability in the Microsoft Equation Editor, is an exploit commonly-used by threat actors. This past week, we observed a number of similar campaigns that use this CVE in their attack chains and distribute malware such as Agent Tesla, Formbook and AveMaria.
LokiBot is a popular information stealing trojan first observed in 2015 and is frequently distributed through malspam campaigns. It is capable of harvesting the victim’s login credentials, cryptocurrency wallets and other sensitive information through various methods such as keylogging. The malware then reports the stolen information to a command and control (C&C) server.5
LokiBot is also capable of establishing backdoors that enable the attacker to install additional payloads.
Threat actors used a common malspam theme referencing purchase orders in this campaign. Email subjects included Purchase Order Confirmation for December 1st Lot and ORDER CONFIRMATION. All of the emails contained an attached XLS file named Purchase Order Confirmation.xlsx. The email bodies were either empty or contained a short greeting such as “Dear All” and “Good day.”
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.