article featured image


A group of security researchers managed to identify a new malware distribution campaign that is delivering the LokiBot banking trojan by using multiple techniques.

The security researchers from Trend Micro were able to take a look inside the campaign details thanks to a misconfiguration found in one of their C&C servers.

According to Cyware, it seems that LokiBot is using some known techniques as it has been exploiting old vulnerabilities, like the CVE-2017-11882, and CVE-2016-0189, in popular utility software.

After an in-depth analysis it was discovered that the delivery mechanisms included the use of PDF (using Open Action Object), DOCX (using the Frameset mechanism), Excel (using embedded OLE Object), and Word documents (with further exploitation of old vulnerabilities).

The customers were targeted through emails that were masquerading as order invoices that had a PDF file attached, that upon being opened provided the option of connecting to a specific host.

The hosts responded with a malicious HTML document, and then attempted to exploit known vulnerabilities in order to run an embedded PowerShell script, eventually being able to download the payload vbc.exe, a variant of LokiBot.

LokiBot Attacks

It looks like the LokiBot banking trojan primarily targets FTP servers, SMTP clients, and web browsers, in an attempt to steal user credentials, as a new variant of RoboSki packer was found to be associated with LokiBot C2 domains that were earlier used in a SWIFT-related fraud to deliver Lokibot earlier in 2019.

It’s worth noting that earlier this year, the researchers have noticed an increase in the attacks that were distributing malware, including LokiBot, Formbook, and Anubis.

We witnessed how the Covid-19 outbreak ushered heavier reliance on online systems. While such dependence was present even before, the need to reduce physical contact heightened it. More legitimate services such as those of the government and healthcare (telehealth) went online. There has also been an increase in online-only systems, including digital-only neobanks. Physical stores were also closed as efforts to expand their online counterparts increased.


It looks like the LokiBot operators have put together the exploitation of old vulnerabilities with new social engineering techniques by making use of a wide range of delivery mechanisms that can actually provide means to fuel future malicious campaigns.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *