Malspam Delivers Pony and Loki-Bot

Malspam Delivers Pony and Loki-Bot (Mar 19, 2018)

Researchers have discovered a malspam campaign that is distributing the "Pony" downloader and the "Loki-Bot" banking trojan via malicious RTF documents. The emails purport that the attachment is a copy of a bank deposit. The documents exploit a Microsoft Office Memory Corruption vulnerability registered as "CVE-2017-11882" to fetch the Pony downloader. Pony is then used to download and install Loki-Bot, which is able to gain persistence on an affected machine by adding a registry key to the "%APPDATA%" folder.

Recommendation: Malspam is a constant threat used by malicious actors who are consistently changing the themes of the messages to trick unsuspecting recipients. Anti-spam and antivirus applications provided by trusted vendors should be employed, in addition to educating your employees to identify such attempts. Furthermore, all software in use, in this instance Microsoft Office, should be kept up to date with the latest versions to avoid potential exploitation of document vulnerabilities.
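A triage check for the attachment type described above, as an added example that is not part of the original report: it flags RTF files that embed an Equation Editor OLE object, the component affected by CVE-2017-11882. The ProgID and CLSID are well-known constants rather than indicators from this campaign, the sample bytes are constructed and inert, and the function names are hypothetical.

```python
import re

# Well-known identifiers of the Equation Editor OLE object (the component
# affected by CVE-2017-11882); these constants are not taken from the article.
EQ_PROGID = b"equation.3"
# {0002CE02-0000-0000-C000-000000000046} in binary GUID byte order
EQ_CLSID = bytes.fromhex("02ce020000000000c000000000000046")


def objdata_blobs(rtf: bytes):
    """Yield the decoded bytes of each objdata group in an RTF file."""
    for m in re.finditer(rb"\\objdata", rtf):
        end = rtf.find(b"}", m.end())
        chunk = rtf[m.end():end if end != -1 else len(rtf)]
        # Hex may be split by whitespace or junk; keep only hex digits.
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", chunk)
        digits = digits[:len(digits) - len(digits) % 2]  # drop odd nibble
        yield bytes.fromhex(digits.decode("ascii"))


def triage_rtf(data: bytes) -> list:
    """Return reasons an attachment should be quarantined for analysis."""
    reasons = []
    # Match the short "{\rt" prefix: malformed RTF headers are common in
    # malicious documents, and file extensions are not reliable.
    if not data.lstrip().startswith(b"{\\rt"):
        return reasons
    if re.search(rb"\\objclass\s+equation\.3", data, re.IGNORECASE):
        reasons.append("objclass declares Equation.3")
    for blob in objdata_blobs(data):
        if EQ_PROGID in blob.lower():
            reasons.append("objdata embeds Equation.3 ProgID")
        if EQ_CLSID in blob:
            reasons.append("objdata embeds Equation Editor CLSID")
    return reasons


# Constructed, inert sample: an OLE1 header naming Equation.3, no payload.
_ole = b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00" + bytes(8)
_hex = _ole.hex()
SAMPLE = (b"{\\rtf1{\\object\\objemb{\\*\\objdata "
          + "\r\n".join(_hex[i:i + 16] for i in range(0, len(_hex), 16)).encode()
          + b"}}}")
CLEAN = b"{\\rtf1\\ansi Deposit slip attached.}"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE), ("clean", CLEAN)):
        print(name, triage_rtf(doc))
```

Heavily obfuscated RTF (nested groups or control words inside the hex stream) can evade this heuristic, so a clean result is inconclusive rather than a verdict.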

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.