{
	"id": "46a63a07-109c-4476-88fe-abcacba70143",
	"created_at": "2026-04-06T00:11:40.66813Z",
	"updated_at": "2026-04-10T03:20:05.570521Z",
	"deleted_at": null,
	"sha1_hash": "f48909394bfb8fce839e0d9ba1b7f1aa86e8633b",
	"title": "Nefarious Macro Malware drops “Loki Bot” to steal sensitive information across GCC countries!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 208752,
	"plain_text": "Nefarious Macro Malware drops “Loki Bot” to steal sensitive information across GCC countries!\r\nBy Winston M\r\nPublished: 2017-02-16 · Archived: 2026-04-05 18:06:21 UTC\r\nMacro malware is still carrying out its atrocious activities in the wild, frightening every sector around the globe. The latest spam campaign to sweep across the GCC countries rained down on multiple entities.\r\nThis spam mail was not aimed at any one entity; it went out widely to firms across the Middle East, anticipating a large number of victims. At the same time, the recipient lists of these mails (in BCC) had clearly been assembled with some social engineering.\r\nNB:\r\nThe malware and associated files were analyzed in a private, secured environment, without allowing the sample to communicate with its command and control.\r\nWhile analyzing, we may come across some unhygienic words or phrases. Keep in mind that malware is built by “Bad Boys”.\r\nLet’s Get Serious:\r\nThe spam mail which landed in one victim’s mailbox looks like this:\r\nThe sender address, the contact email ID of the Cambodia-based business software provider “tztechnology”, could well be spoofed. The reputation of the sending IP address is poor:\r\nhttps://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/\r\nPage 1 of 20\n\nThe attachment was a Word document, and once it is opened the prompt to enable macros starts blinking:\r\nEnd users are still falling for these. Sad truth!\r\nThe Word document properties show a modified (or created) date of “Jan 19th 2017”.\r\nJumping into the document macro: it starts with “Document_Open()”, meaning the code runs immediately whenever the document is opened.\r\nThe VBA code contains a lot of junk and unused parameters, which would make static analysis choke. 
Also, the parameters inside the code appear to be heavily encoded, so at this point a mixture of static analysis and debugging is needed.\r\nStatic analysis shows two code modules present in the document. The two modules work together to build a command script and then run that script via the Windows Script Host shell object.\r\nFurther debugging and static analysis showed that one variable, “Catcustom”, stores the command script that the macro builds on the fly.\r\nThe generated code looks like this (after enumeration of the temp folder):\r\nThe snippet below is the “bridge” between the two modules. The variable “Catcustom”, which holds the commands, is passed as a parameter to another function that lives in the second module, “Module1”. The parameters of the referenced function “gfsdhwawcbenlte()” therefore receive the value of the “Catcustom” variable and “0”.\r\nMoving on to the script in the second module, “Module1”, we can see the malicious script being invoked by calling the Windows Script Host shell object:\r\nThe question now is how we can tell from the code above that it invokes the Windows Script Host shell (with a hidden window) to run the malicious code generated earlier.\r\nIf we look closely at the snippet above:\r\nThe function obtains the “new object” by joining flathazard(0), flathazard(1) and flathazard(2) to get new:{72C24DD5-D70A-438B-8A42-98424B88AFB8}, the “new:” moniker form that GetObject accepts for creating an instance by CLSID. If we look up “HKEY_CLASSES_ROOT\\CLSID\\{72C24DD5-D70A-438B-8A42-98424B88AFB8}” in the registry, this CLSID refers to the Windows Script Host shell object (WScript.Shell).\r\nThis means the function is 
calling a new Windows Script Host shell object instance to run the malicious commands held in “whjrdrumawmwul”.\r\nWe can also see that “whjrdrumawmwul” contains the generated script and that “ezwrelgtrpuwlj” contains the value “0”.\r\nWith that in mind, let’s look at the syntax of the .Run method of the shell object:\r\nobjShell.Run(strCommand, [intWindowStyle], [bWaitOnReturn])\r\n“objShell” is the shell object whose creation we traced above, and “strCommand” is the value we saw in the variable “whjrdrumawmwul”. “ezwrelgtrpuwlj” holds the value “0”, which as intWindowStyle means “hide the window”. “bWaitOnReturn”, when omitted, defaults to False, so control returns to the script immediately without waiting for the command to finish.\r\nHence we found that the code below was executed through the Windows Script Host shell object, in a hidden window:\r\nWe can also see that PowerShell is invoked in hidden mode, bypassing the execution policy to download a malicious executable from a remote host, which is then dropped under the name “puttyx86”. 
Writing the temp path of the malicious executable into the registry key shown above and then launching “eventvwr.exe” is a technique to bypass UAC in order to run the malware at high integrity: eventvwr.exe is auto-elevated and, when it starts mmc.exe to open eventvwr.msc, it looks up the .msc handler under the per-user key HKCU\\Software\\Classes\\mscfile\\shell\\open\\command before falling back to the machine-wide one, so a command planted there runs elevated without a UAC prompt (and the HKCU write itself needs no admin rights).\r\nThis fileless UAC bypass has already been explained in my post on a real-life scenario:\r\nhttps://www.linkedin.com/pulse/newborn-macro-malware-generates-powershell-script-winston?trk=pulse_spock-articles\r\nReal-life usage of the technique, with similar code generated by a macro, is described in the article below:\r\nhttps://cysinfo.com/cyber-attack-targeting-indian-navys-submarine-warship-manufacturer/\r\nAnd the mechanism of the UAC bypass itself is described in this blog post:\r\nhttps://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\r\nLet’s check whether the findings above hold by doing a dynamic analysis:\r\nAs discussed earlier, the Windows Script Host shell object is instantiated via its Class ID, which shows up as a registry lookup.\r\nNext, “cmd.exe” has the entire script running under it.\r\nAs it runs the commands in cmd.exe step by step, PowerShell is invoked with the script to download the malware from the remote host and save it to the temp folder as “puttyx86.exe”.\r\nGlitch while Acquiring Highest Integrity via Eventvwr.exe\r\nIn our sample there was a small glitch while the script was trying to write the malware path to the “HKCU\\\\Software\\\\Classes\\\\mscfile\\\\shell\\\\open\\\\command” registry key, from where it was meant to be executed via eventvwr.exe. 
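Before we look at that glitch, here is how the chain traced so far (Word spawning a script host, PowerShell with a hidden window and a bypassed execution policy, a write to HKCU\\Software\\Classes\\mscfile\\shell\\open\\command, eventvwr.exe launched from cmd.exe, and a ping used as a sleep before running the dropped file from %TEMP%) would be picked out of host telemetry. This is an added example written for this write-up, not the author’s code or the macro’s; the event records are constructed to mirror the narrative above, the rule names and the download placeholder in the PowerShell command line are my own, and the doubled backslashes in the registry key reproduce what the sample wrote. Registry paths are built with chr(92) so the snippet carries no escape sequences.

```python
import re

SEP = chr(92)  # one backslash, built with chr() so this example contains no escape sequences

# Hijack point of the fileless eventvwr.exe UAC bypass: the auto-elevated
# eventvwr.exe resolves the .msc handler through this per-user key before the
# machine-wide default, so whatever command is planted here runs elevated.
MSCFILE_COMMAND = SEP.join(['HKCU', 'Software', 'Classes', 'mscfile', 'shell', 'open', 'command'])

HIVE_ALIASES = {'HKEY_CURRENT_USER': 'HKCU', 'HKEY_LOCAL_MACHINE': 'HKLM', 'HKEY_CLASSES_ROOT': 'HKCR'}
SCRIPT_HOSTS = {'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'}
OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe'}


def normalize_key(key):
    '''Canonical lower-cased registry path: hive aliases expanded and doubled
    separators collapsed. The sample wrote the key with doubled backslashes,
    which an exact string match on the documented path would miss.'''
    key = key.strip().strip(SEP)
    while SEP * 2 in key:
        key = key.replace(SEP * 2, SEP)
    parts = key.split(SEP)
    parts[0] = HIVE_ALIASES.get(parts[0].upper(), parts[0].upper())
    return SEP.join(parts).lower()


def powershell_flags(cmdline):
    '''True when a PowerShell command line both hides its window and bypasses
    the execution policy; abbreviated switches (-w, -ep, -ex) count too.'''
    c = ' ' + cmdline.lower() + ' '
    hidden = re.search(' -w[a-z]* +hidden ', c) is not None
    bypass = re.search(' -e[a-z]* +bypass ', c) is not None
    return hidden and bypass


def ping_sleep(cmdline):
    '''Ping count when a command line is a ping used as a delay (the sample
    pinged 15 times with output sent to nul), otherwise 0.'''
    m = re.search('^ping([.]exe)? .*-n +([0-9]+)', cmdline.lower())
    return int(m.group(2)) if m else 0


def in_temp(path):
    p = path.lower()
    return '%temp%' in p or SEP + 'temp' + SEP in p


def analyze(events):
    '''Runs the host-side rules for this chain over chronological process and
    registry events; returns a list of (pid, rule) tuples.'''
    by_pid = {e['pid']: e for e in events if e['type'] == 'process'}
    findings = []
    staged = False  # set once the mscfile handler has been written
    for e in events:
        if e['type'] == 'registry':
            if normalize_key(e['key']) == MSCFILE_COMMAND.lower():
                staged = True
                findings.append((e['pid'], 'mscfile-handler-hijack-staged'))
                if in_temp(e['data']):
                    findings.append((e['pid'], 'hijack-points-to-temp-executable'))
            continue
        image = e['image'].lower()
        parent = by_pid.get(e['ppid'], {}).get('image', '').lower()
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append((e['pid'], 'office-spawns-script-host'))
        if image == 'powershell.exe' and powershell_flags(e['cmdline']):
            findings.append((e['pid'], 'powershell-hidden-bypass'))
        if image == 'eventvwr.exe' and parent in SCRIPT_HOSTS:
            findings.append((e['pid'], 'eventvwr-uac-bypass' if staged else 'eventvwr-from-script-host'))
        if image.startswith('ping') and parent in SCRIPT_HOSTS and ping_sleep(e['cmdline']) >= 5:
            findings.append((e['pid'], 'ping-sleep'))
        if in_temp(e.get('path', '')):
            findings.append((e['pid'], 'executable-run-from-temp'))
    return findings


TEMP_EXE = SEP.join(['%TEMP%', 'puttyx86.exe'])

# Constructed telemetry modelled on the chain in the article, not captured
# from the real sample; download-to is a placeholder for the download code.
SAMPLE_EVENTS = [
    {'type': 'process', 'pid': 1, 'ppid': 0, 'image': 'WINWORD.EXE', 'cmdline': 'winword.exe invoice.doc'},
    {'type': 'process', 'pid': 2, 'ppid': 1, 'image': 'cmd.exe', 'cmdline': 'cmd.exe /c generated-script'},
    {'type': 'process', 'pid': 3, 'ppid': 2, 'image': 'powershell.exe',
     'cmdline': 'powershell.exe -WindowStyle hidden -ExecutionPolicy bypass -Command download-to ' + TEMP_EXE},
    {'type': 'registry', 'pid': 2, 'key': MSCFILE_COMMAND.replace(SEP, SEP * 2), 'data': TEMP_EXE},
    {'type': 'process', 'pid': 4, 'ppid': 2, 'image': 'eventvwr.exe', 'cmdline': 'eventvwr.exe'},
    {'type': 'process', 'pid': 5, 'ppid': 2, 'image': 'PING.EXE', 'cmdline': 'ping -n 15 127.0.0.1'},
    {'type': 'process', 'pid': 6, 'ppid': 2, 'image': 'puttyx86.exe', 'path': TEMP_EXE, 'cmdline': TEMP_EXE},
]

if __name__ == '__main__':
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(pid, rule)
```

Note that in this sample the doubled-backslash write did not succeed, so a source that logs only successful value sets (Sysmon Event ID 13, for example) would not show the staging write at all; the process-chain rules (Office to script host, hidden PowerShell, eventvwr.exe under cmd.exe, the ping sleep, execution from %TEMP%) still fire, which is why they are worth keeping independent of the registry rule.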
This may be due to the extra backslashes: when I changed the commands from “\\\\” to “\\” the registry write was successful.\r\nBecause of the glitch, the genuine eventvwr.msc popped up instead of the malware when the macro was executed. Quite unlucky.\r\nIn the picture below you can see “mmc.exe” launching eventvwr.msc normally.\r\nHowever, even though the script could not launch the malware via the “eventvwr” technique, after a ping-based sleep (running the ping command 15 times with the output redirected to nul) the malware in the temp folder was invoked directly, which made it run at medium integrity.\r\nOnce “puttyx86.exe” runs, it spawns a child copy of itself and kills the parent process. It also manages to delete the executable from its path.\r\nLooking at the handles of the child process, it acquired full access to each of its threads. The malware must have its own elevation feature.\r\nThe dropped malware appears to be protected by the infamous “ASProtect” executable protector; the file header gives it away as well, with bogus section names.\r\nAfter a tug of war with the malware using static code analysis and debugging, the sample turned out to be a piece of the infamous “Loki Bot”.\r\n“Loki Bot is resident loader and password and cryptocoin-wallet stealer. It comes with wallet checker (coin inspector, read below). It can steal passwords from browsers, ftp/ssh, e-mail and poker clients. Written in C++. Works on Windows XP, Vista, 7, 8, 8.1. and Linux. 
UAC Bypass”\r\nThe pictures below are snips from the actual interface of the main Loki Bot and\r\nThe dropped malware had most of the usual anti-analysis capabilities: VM awareness, debugger detection, system time checks and more. Carefully patching these checks makes the malware run as if it were on a physical machine.\r\nIf we look at the strings of the malware without first unpacking it from the ASProtect protection, we get no “sweet fruit”. After debugging and disassembling it, however, we get a good amount of data about the malware, which is obviously fruitful.\r\nThat said, I was able to retrieve and filter very useful data about the malware, which gives enough evidence about the family identified above.\r\nThe capabilities of this malware are extensive; it can even receive bot commands from the “BOT Boss”.\r\nThe malware can harvest credentials from all flavours of FTP client, from SMTP and browser data and from database clients, has a built-in keylogger and much more. 
Portions of the retrieved strings are shown below:\r\nIn addition, the malware collects details about the current user, the machine name, the FQDN, the MachineGuid and so on.\r\nA hardcoded URL was very promising, suggesting that the details collected above and this URL must be connected.\r\nLooking at the network traffic generated by the malware, we can see a promising HTTP POST to the hardcoded URL found above:\r\nAll communication and analysis were done in a completely isolated environment, without allowing the malware to reach the real C&C servers or DNS.\r\nAfter collecting enough details such as the user name, machine name and FQDN, along with a lot of stolen data from the victim machine, the malware tries to communicate with the command and control server, as seen in the packet stream above.\r\nThe User-Agent “Mozilla/4.08 (Charon; Inferno)” is infamous, as it was also used by the Fareit trojan, a.k.a. PonyLoader. Loki exhibits similar behaviour here, so the User-Agent alone does not distinguish the two families.\r\nThe host name appears to be hosted at “185.29.10.252”, a Latvia-based IP address with a malicious reputation.\r\nThe relation between the IP address, the host name and the hash can be seen below:\r\nEmerging Threats has already published a rule covering this malicious User-Agent:\r\nhttp://doc.emergingthreats.net/bin/view/Main/2021641\r\nLet’s move the spotlight to the string “ckav.ru” in the stream shown above. At first glance, we might suspect it is a Russian malicious website. 
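Moving to the network side, here is how the C&C check-in described above would be picked out of captured HTTP requests, written as an added example for this write-up rather than code from the article or from the Emerging Threats rule. Only the User-Agent string and the parked IP address come from the analysis; the request paths, the other two clients and the header values are constructed for the example.

```python
# Only the User-Agent string and the parked C2 address come from the article;
# everything else in the sample traffic below is constructed for this example.
CHARON_UA = 'Mozilla/4.08 (Charon; Inferno)'
C2_IP = '185.29.10.252'

KNOWN_BAD_USER_AGENTS = {
    CHARON_UA: 'Fareit/Pony check-in User-Agent (Emerging Threats 2021641), also sent by this Loki Bot sample',
}

# Tokens a genuine browser User-Agent carries; absence of all of them from a
# Mozilla/... string is a cheap tell for a hand-rolled HTTP client.
BROWSER_TOKENS = ('chrome/', 'firefox/', 'safari/', 'edge/', 'msie ', 'trident/', 'gecko/')
SEVERITY = {'high': 2, 'medium': 1}


def parse_request(lines):
    '''Parses the request line and headers of one HTTP request given as a
    list of lines, body omitted. Header names are lower-cased.'''
    method, target, version = lines[0].split(' ', 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, colon, value = line.partition(':')
        if colon:
            headers[name.strip().lower()] = value.strip()
    return {'method': method.upper(), 'target': target, 'version': version, 'headers': headers}


def is_ipv4_literal(host):
    parts = host.split(':')[0].split('.')
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def check_request(req):
    '''Returns (severity, reason) findings for one parsed request.'''
    findings = []
    ua = req['headers'].get('user-agent', '')
    host = req['headers'].get('host', '')
    if ua in KNOWN_BAD_USER_AGENTS:
        findings.append(('high', KNOWN_BAD_USER_AGENTS[ua]))
    # Broader version of the same behaviour: a POST straight to an IP literal
    # from a User-Agent that names no real browser engine.
    if req['method'] == 'POST' and is_ipv4_literal(host) and not any(t in ua.lower() for t in BROWSER_TOKENS):
        findings.append(('medium', 'POST to IP literal from non-browser User-Agent: ' + (ua or '(none)')))
    return findings


def triage(requests):
    '''Maps request name -> highest severity raised, or None when clean.'''
    out = {}
    for name, lines in requests.items():
        sev = [s for s, _ in check_request(parse_request(lines))]
        out[name] = max(sev, key=SEVERITY.get) if sev else None
    return out


SAMPLE_REQUESTS = {
    # modelled on the check-in POST in the packet stream; path and length are made up
    'loki_checkin': ['POST / HTTP/1.1', 'User-Agent: ' + CHARON_UA, 'Host: ' + C2_IP,
                     'Content-Length: 512', ''],
    # a normal browser fetch
    'browser': ['GET /news HTTP/1.1', 'Host: www.example.com',
                'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36', ''],
    # a stealer build with a changed User-Agent; the host is a TEST-NET-2 address
    'other_stealer': ['POST /gate.php HTTP/1.1', 'Host: 198.51.100.7',
                      'User-Agent: Mozilla/4.0 (compatible)', 'Content-Length: 40', ''],
}

if __name__ == '__main__':
    for name, sev in triage(SAMPLE_REQUESTS).items():
        print(name, sev)
```

The exact User-Agent match is the high-confidence signal, but because Fareit/Pony sends the same string it identifies the behaviour, not the family; the second rule is deliberately broader so that a rebuilt sample with a different string and the same bare-IP POST pattern is still surfaced for review. Attribution to Loki Bot should rest on the host artefacts and the unpacked strings above rather than on the User-Agent alone.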
Even though the domain does exist, as a privately registered one, I could not find any clear connection to the sample we are analyzing.\r\nHoping to get a clue from the strings of the unpacked sample, I was able to find the missing characters and confirmed it was the URL of a Russian underground forum:\r\nA blind search for this URL together with “Loki Bot” gives a very promising result:\r\nThis bot is being sold on a Russian underground forum. Looking into the site, there are many other tools available to anyone who registers and joins the group. After registering, you have to connect with an already registered account over Jabber and link to it. Once that is done, anyone can download or share tools and techniques.\r\nReally scary!\r\nSome deeper searching turns up more results about the bot, even advertisements for it. The features described on this Russian forum match our findings above:\r\nEven the features, payment details and contact details are published with it!\r\nWith a troubled mind, let me conclude.\r\nAre we in a digitally connected world? If the answer is yes, then malware is obviously the biggest nightmare for every entity, irrespective of its geographical location or line of business. In this era of cyber war, phishing e-mails carrying targeted macro malware are circulated by offenders across the globe in ever greater numbers. Of course, the easiest weakness for offenders to exploit is “human weakness”. 
In any case, offenders will keep their fingers crossed, waiting to see whether the end user “allows” the malicious attachment to run or simply “drops” the plan.\r\nAs a cautionary note, as we saw in this article, hacking advice, hackers for hire, malware, hacking tools and everything else are now easily available all over the Internet and abundant in the deepest corners of the web. This is very scary, right? So a rigid security posture should be maintained by every entity to defend against these types of threat.\r\nWe should be in a position to say boldly:\r\n“If the offenders are finding new techniques and tactics, so are we!”\r\nFunny Note 🙂\r\nJudging by the comments in the file properties below, the author of this malware must be a fan of cartoon characters:\r\nComments = “Billy the goat ate all the autorun.inf files…because Old McDonald was sick of all the viruses and worms on his farm”\r\nReferences\r\nhttps://blog.sensecy.com/tag/loki-bot/\r\nhttps://hackforums.net/showthread.php?tid=5456831\r\nhttps://www.scmagazine.com/floki-bot–a-zeus-wannabe-with-delusions-of-grandeur/article/569329/\r\nhttps://digital-forensics.sans.org/blog/2009/11/23/extracting-vb-macros-from-malicious-documents/\r\nSource: https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/"
	],
	"report_names": [
		"nefarious-macro-malware-drops-loki-bot-across-gcc-countries"
	],
	"threat_actors": [],
	"ts_created_at": 1775434300,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f48909394bfb8fce839e0d9ba1b7f1aa86e8633b.pdf",
		"text": "https://archive.orkl.eu/f48909394bfb8fce839e0d9ba1b7f1aa86e8633b.txt",
		"img": "https://archive.orkl.eu/f48909394bfb8fce839e0d9ba1b7f1aa86e8633b.jpg"
	}
}