Author: Darby Wise
TLP: WHITE
On 9 December, Infoblox observed a malicious email campaign exploiting CVE-2017-11882 [1] to distribute LokiBot malware. This campaign used purchase order-themed lures to entice victims into downloading malicious Microsoft Excel (XLS) files.
We have previously written several reports on LokiBot, including campaigns that used Coronavirus-themed lures, NGROK tunneling to download payloads, and malicious RTF files to infect victims. [2,3,4]
CVE-2017-11882, a stack buffer overflow vulnerability in the Microsoft Equation Editor, is a vulnerability commonly exploited by threat actors. This past week, we observed a number of similar campaigns that use this CVE in their attack chains and distribute malware such as Agent Tesla, Formbook and AveMaria.
LokiBot is a popular information-stealing trojan first observed in 2015 and is frequently distributed through malspam campaigns. It is capable of harvesting the victim’s login credentials, cryptocurrency wallets and other sensitive information through various methods such as keylogging. The malware then reports the stolen information to a command and control (C&C) server. [5]
LokiBot is also capable of establishing backdoors that enable the attacker to install additional payloads.
Threat actors used a common malspam theme referencing purchase orders in this campaign. Email subjects included “Purchase Order Confirmation for December 1st Lot” and “ORDER CONFIRMATION.” All of the emails contained an attached XLS file named “Purchase Order Confirmation.xlsx.” The email bodies were either empty or contained only a short greeting such as “Dear All” or “Good day.”
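The lure characteristics above (purchase-order subject, the fixed attachment name, and an empty or greeting-only body) can be turned into a simple mail-gateway triage rule. The following is an added example written for this post, not Infoblox's own tooling: it runs over a few constructed email records (sample data, not captured messages from the campaign) and reports which indicators each message matches. The record format, indicator lists and scoring are assumptions for illustration.

```python
"""Triage constructed email metadata for the purchase-order lure described above.

Added example; the EmailRecord shape and the indicator lists are assumptions,
not a format or IoC feed published with the original report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class EmailRecord:
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


# Indicators taken from the campaign description (constructed list, not exhaustive).
SUBJECT_PATTERNS = [
    re.compile(r"\bpurchase order confirmation\b", re.I),
    re.compile(r"\border confirmation\b", re.I),
]
LURE_ATTACHMENT_NAME = "purchase order confirmation.xlsx"
OFFICE_EXTENSIONS = (".xls", ".xlsx", ".xlsm", ".doc", ".docx", ".rtf")
GREETING_ONLY_BODIES = {"dear all", "good day"}


def triage_email(rec: EmailRecord) -> list[str]:
    """Return a list of human-readable reasons this message resembles the lure."""
    reasons: list[str] = []

    if any(p.search(rec.subject) for p in SUBJECT_PATTERNS):
        reasons.append("subject: purchase-order lure")

    for name in rec.attachments:
        lowered = name.lower()
        if lowered == LURE_ATTACHMENT_NAME:
            reasons.append(f"attachment: known lure filename {name!r}")
        elif lowered.endswith(OFFICE_EXTENSIONS):
            reasons.append(f"attachment: Office document {name!r}")

    # Normalise the body so "Good day." and "good day" compare equal.
    body = rec.body.strip().lower().rstrip(".,!")
    if not body:
        reasons.append("body: empty")
    elif body in GREETING_ONLY_BODIES:
        reasons.append("body: greeting only")

    return reasons


def is_suspicious(rec: EmailRecord) -> bool:
    """Flag only when a lure indicator, an Office attachment and a thin body all co-occur.

    Requiring all three keeps ordinary order-confirmation mail with a real body
    from being quarantined on the subject line alone.
    """
    reasons = triage_email(rec)
    has_lure = any(r.startswith("subject") or "known lure" in r for r in reasons)
    has_office = any(r.startswith("attachment") for r in reasons)
    thin_body = any(r.startswith("body") for r in reasons)
    return has_lure and has_office and thin_body


def triage_all(records: list[EmailRecord]) -> list[tuple[str, bool, list[str]]]:
    """Summarise a batch as (subject, flagged, reasons) tuples."""
    return [(r.subject, is_suspicious(r), triage_email(r)) for r in records]


# Constructed sample messages modelled on the description in the post.
SAMPLE_EMAILS = [
    EmailRecord("Purchase Order Confirmation for December 1st Lot", "",
                ["Purchase Order Confirmation.xlsx"]),
    EmailRecord("ORDER CONFIRMATION", "Good day.",
                ["Purchase Order Confirmation.xlsx"]),
    EmailRecord("Re: Q4 planning", "Hi team, notes attached from today's sync. Thanks!",
                ["notes.pdf"]),
]

if __name__ == "__main__":
    for subject, flagged, reasons in triage_all(SAMPLE_EMAILS):
        print(f"{'FLAG' if flagged else 'ok  '} {subject!r}: {reasons}")
```

The first two sample records are flagged (lure subject, the known attachment name, and an empty or greeting-only body); the third is left alone. In production the same three-way check would sit behind an attachment sandbox rather than replace it, since the subject and filename are the easiest parts of a campaign for an actor to change.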
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://nvd.nist.gov/vuln/detail/CVE-2017-11882
2. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–62
3. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–16
4. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–27
5. https://us-cert.cisa.gov/ncas/alerts/aa20-266a