Kaspersky
New infection methods for Emotet, DarkGate and LokiBot
A recent analysis by Kaspersky has uncovered new and intricate infection tactics used by several malware strains. According to this analysis, the well-known Emotet botnet is using a new infection path via OneNote files to attack companies.
In addition, the DarkGate loader has been equipped with numerous new features, and LokiBot is targeting cargo shipping companies with phishing emails carrying Excel attachments.
Kaspersky's latest report highlights the current, intricate infection tactics of the DarkGate, Emotet and LokiBot malware families. DarkGate's unusual encoding, Emotet's robust comeback and LokiBot's continued exploitation of known vulnerabilities underscore the need for defenses that keep evolving alongside the threats.
After the infamous Emotet botnet was taken down in 2021, Kaspersky has now recorded renewed activity. In the current campaign, users unknowingly trigger the execution of a hidden, disguised VBScript when they open a malicious OneNote file. The script then attempts to download a malicious payload from a list of websites until one succeeds. Emotet next drops a DLL in the temporary directory and executes it. This DLL contains hidden commands (shellcode) and encrypted import functions. By decrypting a specific file from its resource section, Emotet finally executes its malicious payload.
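The chain described above (a document opened in OneNote leading to a script host running a VBScript from a temporary directory) leaves a recognisable trace in process-creation telemetry. The following detection logic is an added example and is not part of Kaspersky's report; the event records are constructed to resemble endpoint process-creation logs, and the field names (`parent_image`, `image`, `cmdline`, `ts`) are assumptions rather than any product's schema.

```python
"""Flag script hosts launched by OneNote or running a script out of a temp
directory. Added example; the sample events below are constructed, not real."""
import json
import re
from typing import Iterable

# Script interpreters a maliciously crafted document typically hands off to.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

# A script file executed from a temp directory, as when an attachment is
# extracted and run straight from %TEMP%.
TEMP_SCRIPT = re.compile(r"\\(?:temp|tmp)\\[^\"\s]+\.(?:vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of the rules an event matches (empty list = no alert)."""
    hits = []
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    if parent == "onenote.exe" and child in SCRIPT_HOSTS:
        hits.append("onenote_spawns_script_host")
    if child in SCRIPT_HOSTS and TEMP_SCRIPT.search(cmdline):
        hits.append("script_host_runs_temp_script")
    return hits


def scan_jsonl(lines: Iterable[str]) -> list:
    """Run both rules over JSON-lines telemetry and return one alert per matching event."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        rules = classify(event)
        if rules:
            alerts.append({"ts": event.get("ts"), "image": basename(event["image"]), "rules": rules})
    return alerts


# Constructed sample telemetry (not real logs): three process-creation events.
_SAMPLE_EVENTS = [
    {"ts": "2023-07-01T09:12:01Z",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\AppData\Local\Temp\invoice.vbs"'},
    {"ts": "2023-07-01T09:12:05Z",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"ts": "2023-07-01T09:13:40Z",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Users\jdoe\AppData\Local\Temp\update.js"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in _SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in scan_jsonl(SAMPLE_JSONL.splitlines()):
        print(alert)
```

The first rule is the tight one (OneNote directly spawning an interpreter is rare in normal use); the second is broader and will need tuning against software that legitimately runs scripts from temp directories, so in practice it is better scored than blocked.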
In June 2023, Kaspersky's experts discovered the new DarkGate loader, whose capabilities go well beyond those of a typical downloader. These include hidden virtual network computing (VNC), disabling Windows Defender, stealing browser history, a reverse proxy, unauthorized file management and theft of Discord tokens.
DarkGate works via a four-step chain that ends with DarkGate itself being loaded. The loader differs from others in its encoding method, which combines custom key strings with a modified version of Base64 that uses a special character set.
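A modified Base64 with a non-standard character set is a common obfuscation trick, and the analyst's response is the same each time: recover the 64-character alphabet, map it onto the standard one, and decode. The codec below is an added example, not code from Kaspersky's report, and the alphabet it uses is a constructed placeholder, not DarkGate's actual character set; it also shows how to test several candidate alphabets against a blob when the right one is not yet known.

```python
"""Decode Base64 that uses a non-standard alphabet. Added example; the
alphabet below is constructed for illustration, not the one DarkGate uses."""
import base64
import binascii
import string

STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed placeholder alphabet: digits descending, then lower and upper
# case descending, then two symbols. 64 distinct characters, '=' kept for padding.
DEMO_ALPHABET = "9876543210zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA-_"


def make_codec(alphabet: str, pad: str = "="):
    """Build (encode, decode) functions for a custom 64-character alphabet."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct characters")
    if pad in alphabet:
        raise ValueError("padding character must not appear in the alphabet")
    to_std = str.maketrans(alphabet + pad, STANDARD_ALPHABET + "=")
    from_std = str.maketrans(STANDARD_ALPHABET + "=", alphabet + pad)

    def decode(text: str) -> bytes:
        std = text.translate(to_std)
        std += "=" * (-len(std) % 4)  # tolerate samples that strip padding
        # validate=True rejects any character the alphabet did not account for,
        # which is the quickest sign that a guessed alphabet is wrong.
        return base64.b64decode(std, validate=True)

    def encode(data: bytes) -> str:
        return base64.b64encode(data).decode("ascii").translate(from_std)

    return encode, decode


def identify_alphabet(blob: str, candidates):
    """Return the first candidate alphabet under which the blob decodes to
    printable text, or None if none of them fit."""
    for alphabet in candidates:
        _, decode = make_codec(alphabet)
        try:
            plain = decode(blob).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if plain and all(ch in string.printable for ch in plain):
            return alphabet
    return None


# Constructed sample: "hi!" is "aGkh" in standard Base64; under DEMO_ALPHABET
# the same six-bit groups map to "j3Zc".
SAMPLE_BLOB = "j3Zc"

if __name__ == "__main__":
    encode, decode = make_codec(DEMO_ALPHABET)
    print(encode(b"DarkGate-style custom Base64 demo"))
    print(decode(SAMPLE_BLOB))
    print(identify_alphabet(SAMPLE_BLOB, [STANDARD_ALPHABET, DEMO_ALPHABET]))
```

When a sample's alphabet is unknown, collecting the distinct characters across several encoded strings usually yields all 64 symbols; their order is then recovered from a known plaintext/ciphertext pair or from the decoding routine itself.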
In addition, Kaspersky discovered a phishing campaign using LokiBot that targets cargo shipping companies. LokiBot is an infostealer first identified in 2016 and used by cybercriminals to steal login credentials from a range of applications, including browsers and FTP clients.
In this campaign, emails were sent with an Excel attachment that asks users to enable macros. The attackers exploited a known vulnerability in Microsoft Office (CVE-2017-0199), which led to the download of an RTF document. This RTF document then uses another vulnerability (CVE-2017-11882) to inject and execute the LokiBot malware.