LokiBot malware infecting PCs via Microsoft Word — protect yourself now

Don’t open that Word Doc; it may be infected with a LokiBot
(Image credit: Future)

Thanks to a report in TheHackerNews, we know that Microsoft Word documents are being used to exploit known remote code execution flaws. The flaws are used as phishing lures to sneak the LokiBot malware onto compromised computers. 

These so-called "LokiBots, " also known as Loki PWS, have stolen users' information since 2015 and remain a well-known trojan. Cara Lin, a security researcher with Fortinet FortiGuard, said, "It primarily targets Windows systems and aims to gather sensitive information from infected machines."

Fortinet first noticed the attack campaign in May 2023; the company released a statement saying the attacks take advantage of CVE-2021-40444 and CVE-2022-30190 (aka Follina) to achieve code execution.

LokiBot malware infecting PCs via Microsoft Word — protect yourself now

(Image credit: Future)

How it's done

According to the folks at Fortinet, the Word file that activates CVE-2021-40444 uses an external GoFile link that's embedded within an XML file which leads to the download of an HTML file that exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot.

On top of all this, and not to add to your worry, the injector also uses evasion techniques to check your system for the presence of debuggers and determine if it's running in a virtualized environment. So this malware is super smart and invasive. 

Discovered towards the end of May, an alternative chain starts with a Word document incorporating a VBA script which then executes a macro immediately when users open the document using the "Auto_Open" and "Document_Open" functions.

This macro script subsequently delivers a payload from a remote server, which also functions as a way to load LokiBot and connect to a command-and-control (C2) server.

LokiBot's, yes there are several

This is not the first LokiBot or the last. Like the deity of mischief, who can conjure up multiple versions of themself, there appear to be many variants that affect every OS imaginable. This current one is not confused with the LokiBot, a known Android banking trojan that can log your keystrokes, capture screenshots and gather your login information. That filthy trickster will siphon your financials, especially your cryptocurrency. 

Cara Lin from Fortinet states, "LokiBot is a long-standing and widespread malware active for many years," Lin said. "Its functionalities have matured over time, making it easy for cybercriminals to use it to steal sensitive data from victims. The attackers behind LokiBot continually update their initial access methods, allowing their malware campaign to find more efficient ways to spread and infect systems."

So please remember to remain diligent about not opening suspicious emails, and do not open Word documents from email addresses you do not recognize. Also, you should look at our best antivirus page to see if you can increase your security level. 

Mark Anthony Ramirez

Mark has spent 20 years headlining comedy shows around the country and made appearances on ABC, MTV, Comedy Central, Howard Stern, Food Network, and Sirius XM Radio. He has written about every topic imaginable, from dating, family, politics, social issues, and tech. He wrote his first tech articles for the now-defunct Dads On Tech 10 years ago, and his passion for combining humor and tech has grown under the tutelage of the Laptop Mag team. His penchant for tearing things down and rebuilding them did not make Mark popular at home, however, when he got his hands on the legendary Commodore 64, his passion for all things tech deepened. These days, when he is not filming, editing footage, tinkering with cameras and laptops, or on stage, he can be found at his desk snacking, writing about everything tech, new jokes, or scripts he dreams of filming.