Loki Bot expands from Excel spreadsheet to attack other office applications

Security researchers have discovered a new attack vector that is launched through Microsoft Excel spreadsheets and has recently expanded into other Office applications.


According to a blog post by Andy Norton, director of threat intelligence at Lastline, detection rates for the Loki Bot malware are so low because it uses a relatively new exploit method (scriptlets) instead of macros or other well-documented tactics, and so evades many of the detection techniques in use.

“This is a double whammy for most security response teams. Firstly, the low detection rate of the infection vector would lean people towards a False Positive verdict,” he said.

“And secondly, even if they discovered the main payload, Loki, mitigating the behaviour of the threat is often incorrectly implemented. This leaves the victimised organisation open to a secondary malware-less attack when the exfiltrated credentials are used by subsequent threat actors to gain unauthorised access and then try to move around inside the network.”

He said that as of 10 December, 12 days after the first submission, the malicious Excel scriptlet spreadsheet had attracted 12 positive verdicts on VirusTotal out of nearly 60 AV tools.

“As of the end of Day 12, we found an infected client with a malicious Excel spreadsheet that communicated with a domain and installed a generic trojan, which was subsequently detected and the client system was reimaged. Further studying of logs found that the generic trojan made some callbacks to a C&C server, but no lateral movement was seen, and a decision was made to close the incident,” said Norton.

Norton said Loki Bot has been advertised on the dark web, and promotional materials for the malware demonstrate its prowess at capturing credentials from various applications, especially Firefox (47 percent of the stolen credentials) and Chrome (41 percent), while Windows and email credentials make up only one to three percent.

“Once credentials have been stolen from a victim, Loki displays which sites are now vulnerable to identity theft,” said Norton. “These include social media sites, payment portals, bitcoin wallets, and even a Moroccan government login.”

Norton said that the scriptlet and Loki attack demonstrate how behavioural intelligence with visibility of the real capabilities of the attack makes it possible to detect the attack and implement mitigation efforts on day one instead of waiting until day 12 when it finally is recognised by a critical mass of AV tools and untold credentials have already been stolen.

“Organisations need to have very clear information on the capacity of the infection, and ensure that incident response policies include the requirement to audit and change credentials on systems related to financial sites, internal systems, email, social media and supply chain portals. For these types of attacks, back up or re-imaging alone is not sufficient to mitigate the risk,” he told SC Media UK in an interview.

Dr Simon Wiseman, CTO of Deep Secure, told SC Media UK that organisations should not “bother detecting the threat, it's a waste of time.”

“This type of attack graphically shows the flaws of relying on discovering bad things in documents or sandboxing (isolating) documents to see how they behave. Both detection and isolation are flawed and time and again over the past 25 years have repeatedly failed to protect organisations from the latest zero-day attacks,” he said.

“This Loki-based attack is a textbook illustration of the limitations of ‘detection’-based cyber-security. Criminals know this and that's why malware is being smuggled in, assets are being smuggled out and Command and Control (C&C) channels are being concealed, all using standard everyday business documents to hide behind. You have to treat every document, file or image as a potential threat and the only reliable way to defeat this type of attack is using Content Threat Removal,” he added.

Javvad Malik, security advocate at AlienVault, told SC Media UK that while immediate detection may be low, “if a company is using reliable and up to date threat intelligence and behavioural analysis, it should be able to detect where external calls are being made to known bad or suspicious locations – giving security teams the opportunity to respond as appropriate.”