Cybersecurity specialists from Fortiguard Labs have recently uncovered a widespread campaign aimed at spreading the malicious Lokibot (Loki PWS). This threat is notable for exploiting two well-known vulnerabilities, including the Follina vulnerability.
Trojan Lokibot, which is known for its activity since 2015, is specifically designed to steal confidential information from Windows computers.
During their investigation, the Fortiguard Labs team discovered numerous malicious Microsoft Office documents. The analysis initially focused on two different types of Word documents, both of which posed significant threats to users.
The first type of document contained an external link embedded in the XML file named “Word/_RES/Document.xml.Rels”. Within this Word document, which exploits the CVE-2021-40444 vulnerability, a file named “Document.xml.Res” was identified. This file contained an external link that redirected users to the GOFILE file cloud service through the Cuttly link reduction service.
Upon further analysis, it was found that accessing the link resulted in the loading of an HTML file, exploiting the second vulnerability, CVE-2022-30190 (FOLLINA). This payload then loaded the injector file marked as malicious.
Initially, URLs were created to indicate the location of various files on the internet. Over time, they started being used to specify addresses for all resources, regardless of their type.