Security researchers have identified a new malware distribution campaign that delivers the LokiBot banking trojan through multiple techniques.

Researchers from Trend Micro were able to look inside the campaign thanks to a misconfiguration in one of the campaign's C&C servers.

According to Cyware, LokiBot relies on known techniques, exploiting old vulnerabilities such as CVE-2017-11882 and CVE-2016-0189 in popular utility software.

In-depth analysis showed that the delivery mechanisms included PDF files (using an Open Action object), DOCX files (using the frameset mechanism), Excel files (using an embedded OLE object), and Word documents (exploiting old vulnerabilities).

Victims were targeted through emails masquerading as order invoices with a PDF file attached; when opened, the PDF offered to connect to a specific host.

The host responded with a malicious HTML document that attempted to exploit known vulnerabilities in order to run an embedded PowerShell script, which in turn downloaded the payload vbc.exe, a LokiBot variant.
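As an added defensive example, not from the article or from Trend Micro's report, the following Python triage check flags PDFs whose /OpenAction fires an outward-facing action (URI, Launch, JavaScript, and similar) on open, the "Open Action object" mechanism described above, while leaving the common benign use (a destination array) alone. The sample PDFs and the host name are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed samples (not from the campaign): minimal PDFs whose catalog
# carries an /OpenAction. The host name is a placeholder, not an indicator.
PDF_URI_OPENACTION = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /URI /URI (http://invoice-host.invalid/order.html) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Same skeleton, but /OpenAction is a plain destination (page 1, /Fit):
# the common benign use, which a check must not flag.
PDF_BENIGN_OPENACTION = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction [3 0 R /Fit] >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Action types that leave the document or run code as soon as it is opened.
SUSPICIOUS_ACTIONS = {"URI", "Launch", "JavaScript", "SubmitForm", "GoToR", "ImportData"}

def indirect_objects(pdf: bytes) -> Dict[str, bytes]:
    """Map 'num gen' -> body for every 'N G obj ... endobj' in the file."""
    return {m.group(1).decode(): m.group(2)
            for m in re.finditer(rb"(\d+ \d+)\s+obj(.*?)endobj", pdf, re.S)}

def open_action_types(pdf: bytes) -> List[str]:
    """Return the /S type of each /OpenAction action dict, resolving references.
    Destination arrays ([page /Fit]) are skipped: they only navigate.
    Heuristic triage only: object streams or hex-escaped names (/#4FpenAction)
    evade this; use a real PDF parser for anything beyond first-pass sorting."""
    objs = indirect_objects(pdf)
    types = []
    pattern = rb"/OpenAction\s*(?:(\d+ \d+)\s*R|(<<.*?>>)|\[.*?\])"
    for ref, direct in re.findall(pattern, pdf, re.S):
        body = objs.get(ref.decode(), b"") if ref else direct
        m = re.search(rb"/S\s*/(\w+)", body)
        if m:
            types.append(m.group(1).decode())
    return types

def is_suspicious(pdf: bytes) -> bool:
    """True when any auto-fired action is of a type that reaches outside the PDF."""
    return any(t in SUSPICIOUS_ACTIONS for t in open_action_types(pdf))
```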

LokiBot Attacks

The LokiBot banking trojan primarily targets FTP servers, SMTP clients, and web browsers in an attempt to steal user credentials. Separately, a new variant of the RoboSki packer was found to be associated with LokiBot C2 domains that had been used earlier in 2019 to deliver LokiBot in a SWIFT-related fraud.

It’s worth noting that earlier this year the researchers noticed an increase in attacks distributing malware, including LokiBot, Formbook, and Anubis.

We witnessed how the Covid-19 outbreak ushered in heavier reliance on online systems. While such dependence was present even before, the need to reduce physical contact heightened it. More legitimate services such as those of the government and healthcare (telehealth) went online. There has also been an increase in online-only systems, including digital-only neobanks. Physical stores were also closed as efforts to expand their online counterparts increased.

The LokiBot operators appear to have combined the exploitation of old vulnerabilities with new social engineering techniques and a wide range of delivery mechanisms, a toolkit that could fuel future malicious campaigns.
