Kaspersky's new report uncovers intricate infection tactics of malware strains DarkGate, Emotet, and LokiBot. Amid DarkGate's unique encryption and Emotet's robust comeback, LokiBot exploits persist, illustrating the ever-advancing cybersecurity landscape.
In June 2023, Kaspersky's researchers discovered a new loader named DarkGate that boasts an array of features that go beyond typical downloader functionality. Some of the notable capabilities include hidden VNC, Windows Defender exclusion, browser history stealing, reverse proxy, file management, and Discord token stealing. DarkGate's operation involves a chain of four stages, intricately designed to lead to the loading of DarkGate itself. What sets this loader apart is its unique way of encrypting strings with personalised keys and a custom version of Base64 encoding, utilising a special character set.
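Because DarkGate encodes its strings with Base64 over a non-standard character set, an analyst recovering configuration or C2 strings from a sample has to map that set back onto the standard alphabet before decoding. The Python decoder below is an added example, not code from Kaspersky's report; the report does not publish DarkGate's actual character set, so PLACEHOLDER_ALPHABET is a constructed stand-in that would be replaced by the table recovered from a real sample.

```python
import base64
import string

# The standard Base64 alphabet that the library decoder understands.
STANDARD_ALPHABET = (
    string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
)

# Constructed placeholder: a made-up permutation of 64 characters, used only
# to exercise the decoder. DarkGate's real table is not given in the report.
PLACEHOLDER_ALPHABET = (
    "zyxwvutsrqponmlkjihgfedcba" "ZYXWVUTSRQPONMLKJIHGFEDCBA" "9876543210" "_-"
)


def decode_custom_base64(data: str, alphabet: str, pad: str = "=") -> bytes:
    """Decode Base64 text produced with a non-standard 64-character alphabet.

    Each symbol of the custom alphabet is mapped to the standard symbol with
    the same index, missing padding is restored, and the result is decoded
    strictly so that corrupted or mis-recovered tables fail loudly.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct characters")
    body = data.rstrip(pad)
    # Check membership before translating: a stray character that happens to
    # be a standard Base64 symbol would otherwise slip through unnoticed.
    bad = [ch for ch in body if ch not in alphabet]
    if bad:
        raise ValueError(f"characters outside the custom alphabet: {bad!r}")
    table = str.maketrans(alphabet, STANDARD_ALPHABET)
    translated = body.translate(table)
    translated += "=" * (-len(translated) % 4)  # restore stripped padding
    return base64.b64decode(translated, validate=True)


def encode_custom_base64(raw: bytes, alphabet: str) -> str:
    """Inverse of decode_custom_base64; handy for building test vectors."""
    table = str.maketrans(STANDARD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").translate(table)


if __name__ == "__main__":
    sample = encode_custom_base64(b"example string", PLACEHOLDER_ALPHABET)
    print(sample, decode_custom_base64(sample, PLACEHOLDER_ALPHABET))
```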
Moreover, Kaspersky's research examines the activity of Emotet, a notorious botnet that resurfaced after its takedown in 2021. In this latest campaign, users who unwittingly open the malicious OneNote files trigger the execution of a hidden and disguised VBScript. The script then attempts to download the harmful payload from various websites until it successfully infiltrates the system. Once inside, Emotet plants a DLL in the temporary directory and executes it. This DLL contains hidden instructions, or shellcode, along with encrypted import functions. By decrypting a specific file from its resource section, Emotet ultimately executes its malicious payload.
Finally, Kaspersky detected a phishing campaign targeting cargo ship companies that delivered LokiBot, an infostealer first identified in 2016 and designed to steal credentials from various applications, including browsers and FTP clients. These emails carried an Excel document attachment that prompted users to enable macros. The attackers exploited a known vulnerability (CVE-2017-0199) in Microsoft Office, leading to the download of an RTF document. This RTF document subsequently leveraged another vulnerability (CVE-2017-11882) to deliver and execute the LokiBot malware.
“Emotet's resurgence and the continuous presence of Lokibot as well as the appearance of DarkGate serve as stark reminders of the ever-evolving cyber threats we face. As these malware strains adapt and adopt new infection methods, it is crucial for individuals and businesses to stay vigilant and invest in robust cybersecurity solutions. Kaspersky's ongoing research and detection of DarkGate, Emotet, and Lokibot underscore the significance of proactive measures to protect against evolving cyber dangers,” comments Jornt van der Wiel, senior security researcher at Kaspersky’s Global Research and Analysis Team.
Learn more about new infection methods on Securelist.