Security News
Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems. The Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot.
Malware distributors have turned to an older trick known as Squiblydoo to spread Qbot and Lokibot via Microsoft Office documents using regsvr32. A report from the threat research team at security analytics platform Uptycs shows that the use of regsvr32.
Spammers have started using a tricky URL obfuscation technique that sidesteps detection - and ultimately infects victims with the LokiBot trojan. When the PowerPoint file is opened, the document attempts to access a URL via a Windows binary, and this leads to various malware being installed onto the system.
The U.S. Cybersecurity and Infrastructure Security Agency is warning that the LokiBot info-stealing trojan is seeing a surge across the enterprise landscape. LokiBot targets Windows and Android endpoints, and spreads mainly through email.
The U.S. Cybersecurity and Infrastructure Security Agency is warning of a significant increase in the use of LokiBot malware over the past couple of months. Initially detailed in 2016 as a piece of malware targeting Android devices, LokiBot arrived on Windows in 2018 and has evolved into a prevalent threat, targeting corporate mailboxes and employing innovative distribution methods.
Researchers have discovered a new variant of the LokiBot trojan called BlackRock that is attacking not just financial and banking apps, but also a massive list of well-known and commonly used brand-name apps on Android devices. While BlackRock's banker abilities are not overly impressive, offering "a quite common set of capabilities compared to average Android banking trojans," according to the report, it has other assets.
Researchers have discovered threat actors once again capitalizing on the COVID-19 pandemic and current attention on the World Health Organization with a new spearphishing email designed to spread the LokiBot trojan sent using the WHO trademark as a lure. Instead, it sends an attachment that unleashes the infostealer LokiBot if downloaded and executed, according to a blog post published Thursday by threat analyst Val Saengphaibul.
A large U.S. manufacturing company is the latest organization to be targeted with the LokiBot trojan - although this most recent campaign harbored some bizarre red flags.
LokiBot info-stealing malware is again being distributed in a malspam campaign using ISO image file attachments. Similar was reported in August 2018, but it remains an unusual method of...