A stealthy new attack distributes Loki malware in Microsoft Excel spreadsheets and other Office applications. The attack, which was discovered by Lastline Labs, is tough to detect in its early stages. It bypasses traditional antivirus and is often dismissed as a false positive because it relies on malicious “scriptlets” that are added to Office files using external links.
Earlier this month, Lastline published findings on a malicious Excel file with the ability to download and execute malware. The researchers saw no evidence of macros, shellcode, or DDE functionality, and the file showed a low detection rate on VirusTotal, which typically indicates either an unknown technique or a false positive.
Less than two weeks later, the scriptlet-laden Excel spreadsheet had garnered 12 detections across 60 AV tools on VirusTotal, a sign it went from false positive to potential infection.
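A defender's triage check for the external links described above, as an added example that is not from Lastline or the original article: it lists every relationship in an Office Open XML file that points outside the package. The triage rule, the function names and the sample workbook with its example.invalid targets are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, defusedxml is the safer parser

# Namespace used by relationship parts (*.rels) in OOXML packages (xlsx, docx, pptx).
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def external_relationships(data: bytes):
    """Return (rels part, relationship type, target) for each TargetMode="External" entry."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                found.append((name, "unparseable", ""))  # malformed part: surface it, don't skip
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rel_type, rel.get("Target", "")))
    return found

def needs_review(findings):
    """Assumed triage policy: hyperlinks are routine; any other external target gets a look."""
    return [f for f in findings if f[1] != "hyperlink"]

def _rels(*entries):
    # Helper that builds a relationship part for the constructed sample below.
    body = "".join(
        f'<Relationship Id="rId{i}" Type="{OFFICE_REL}{t}" Target="{target}"{mode}/>'
        for i, (t, target, mode) in enumerate(entries, 1))
    return f'<Relationships xmlns="{REL_NS[1:-1]}">{body}</Relationships>'

def build_sample() -> bytes:
    """Constructed workbook skeleton (relationship parts only); targets are placeholders."""
    ext = ' TargetMode="External"'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/_rels/workbook.xml.rels", _rels(("worksheet", "worksheets/sheet1.xml", "")))
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels",
                   _rels(("hyperlink", "https://example.invalid/help", ext)))
        z.writestr("xl/externalLinks/_rels/externalLink1.xml.rels",
                   _rels(("externalLinkPath", "http://example.invalid/placeholder", ext)))
    return buf.getvalue()

if __name__ == "__main__":
    for part, rel_type, target in needs_review(external_relationships(build_sample())):
        print(f"{part}: {rel_type} -> {target}")
```

An external relationship is not malicious by itself, so the output is a review queue rather than a verdict.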
Read more on DarkReading about Loki malware, which is built to steal credentials and is distributed via Microsoft Excel and other Office applications rigged with malicious ‘scriptlets’ to evade detection.