Emotet, DarkGate, and LokiBot Infection Tactics

B2B Cyber Security ShortNews

Analysis by Kaspersky reveals the intricate infection tactics used by three malware strains. According to the report, the notorious Emotet botnet is back with a new infection route via OneNote files and is attacking companies; in addition, the DarkGate loader has been equipped with numerous new features, and LokiBot is targeting cargo shipping companies with phishing emails carrying Excel attachments.

Kaspersky's latest report describes the current infection tactics used by the DarkGate, Emotet, and LokiBot malware. DarkGate's unusual encryption, Emotet's robust comeback, and LokiBot's continued use of old Office exploits underscore the need for defenses that evolve with the threat landscape.

Emotet uses OneNote file to run malicious scripts

After the infamous Emotet botnet was taken down in 2021, Kaspersky has now observed renewed activity. In the current campaign, opening a malicious OneNote file leads users to unknowingly trigger a hidden, obfuscated VBScript. The script then tries to download a malicious payload from a series of websites until one succeeds. Emotet then drops a DLL into the temporary directory and runs it. This DLL contains hidden commands or shellcode and encrypted import functions. After decrypting a specific file from the DLL's resource section, Emotet finally executes its malicious payload.
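The OneNote lure described above works because a .one file can carry arbitrary embedded files, and a triage step that lists and classifies those embedded objects catches a script dropped alongside the decoy content. The following is an added example, not code from Kaspersky or from the article. It relies on the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification (a 16-byte header GUID, an 8-byte length, 12 unused/reserved bytes, then the raw file data, then a footer GUID); the marker list and the sample file are constructed here for demonstration and are not indicators from the campaign.

```python
"""Triage helper for OneNote (.one) files: list and classify embedded file objects.

Added example (not from the article). FileDataStoreObject layout per MS-ONESTORE:
guidHeader(16) | cbLength(8, little-endian) | unused(4) | reserved(8) | FileData | guidFooter(16)
"""
import struct

# GUIDs from MS-ONESTORE, in the little-endian byte order they appear on disk.
FILE_DATA_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FILE_DATA_FOOTER = bytes.fromhex("22a7fb71790fe04fbdfcb8ad3b7cc2cd")  # {71FBA722-0F79-4FE0-BDFC-B8AD3B7CC2CD}

# Constructed, non-exhaustive list of strings a defender would want flagged inside an embedded object.
SCRIPT_MARKERS = [b"CreateObject", b"WScript.Shell", b"powershell", b"cmd.exe", b"<script", b"<hta"]

def extract_embedded_files(blob: bytes) -> list[bytes]:
    """Return the FileData payload of every FileDataStoreObject found in a .one byte string."""
    files = []
    pos = blob.find(FILE_DATA_HEADER)
    while pos != -1:
        # cbLength sits right after the 16-byte GUID; FileData starts after the 36-byte header.
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + 36
        files.append(blob[start:start + length])
        pos = blob.find(FILE_DATA_HEADER, start + length)
    return files

def classify(payload: bytes) -> str:
    """Coarse classification: PE executable, script-like text, or anything else."""
    if payload[:2] == b"MZ":
        return "pe-executable"
    lowered = payload.lower()
    if any(marker.lower() in lowered for marker in SCRIPT_MARKERS):
        return "script"
    return "other"

def triage(blob: bytes) -> list[tuple[int, str]]:
    """(size, classification) per embedded object; anything other than 'other' merits a closer look."""
    return [(len(p), classify(p)) for p in extract_embedded_files(blob)]

def _file_data_store_object(data: bytes) -> bytes:
    """Build one FileDataStoreObject around `data` (used only to construct the sample below)."""
    return FILE_DATA_HEADER + struct.pack("<Q", len(data)) + b"\x00" * 12 + data + FILE_DATA_FOOTER

# Constructed sample .one content: a harmless image-like object followed by a VBScript-looking object.
SAMPLE_ONE = (
    b"\x00" * 64
    + _file_data_store_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 20)
    + b"\x00" * 16
    + _file_data_store_object(b'Set sh = CreateObject("WScript.Shell")\r\n')
)

if __name__ == "__main__":
    for size, kind in triage(SAMPLE_ONE):
        print(f"embedded object: {size} bytes, {kind}")
```

Scanning by GUID rather than walking the full file-node tree is deliberate: it is robust against damaged or padded files and is enough to answer the triage question "does this note carry an executable or a script?" before the file is opened in OneNote.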

DarkGate: more than typical downloader functions

In June 2023, Kaspersky experts discovered the new loader 'DarkGate', which offers a range of functions beyond those of a typical downloader. These include hidden Virtual Network Computing (VNC), disabling Windows Defender, browser-history theft, a reverse proxy, file management, and theft of Discord tokens. DarkGate is delivered through a four-stage chain whose final stage loads DarkGate itself. The loader stands out for its encryption: strings are encrypted with custom keys, and it uses a customized Base64 variant with a non-standard character set.

LokiBot targets cargo ship companies using Excel attachments

Additionally, Kaspersky discovered a LokiBot phishing campaign targeting cargo shipping companies. First identified in 2016, LokiBot is an infostealer that cybercriminals use to steal login credentials from various applications, including browsers and FTP clients. The campaign's emails carried an Excel attachment that asked users to enable macros. The attachment exploited a known Microsoft Office vulnerability (CVE-2017-0199) to download an RTF document, which in turn used another vulnerability (CVE-2017-11882) to inject and run the LokiBot malware.
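The lure described above combines two things an attachment scanner can check without opening the file in Office: a VBA project the user is asked to enable, and an OLE relationship that points to an external URL (the document-linking mechanism abused via CVE-2017-0199). The following is an added example, not code from Kaspersky or from the article; it inspects an Office Open XML package as a ZIP archive and parses its .rels parts. The sample workbook, including the placeholder URL under the reserved `.invalid` domain, is constructed in memory here and is not an indicator from the campaign.

```python
"""Triage helper for Office Open XML attachments (.xlsx/.docx).

Added example (not from the article). Flags a vbaProject.bin part and any oleObject
relationship marked TargetMode="External", i.e. an OLE link that Office would resolve remotely.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

def external_ole_links(archive: zipfile.ZipFile) -> list[str]:
    """Targets of oleObject relationships marked External, from every .rels part in the package."""
    hits = []
    for name in archive.namelist():
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(archive.read(name))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                hits.append(rel.get("Target", ""))
    return hits

def has_vba_project(archive: zipfile.ZipFile) -> bool:
    """True if the package carries a VBA project (what an 'enable macros' lure wants the user to run)."""
    return any(n.lower().endswith("vbaproject.bin") for n in archive.namelist())

def triage(document: bytes) -> dict:
    """Summarise the two findings; either one alone is worth a look, both together match the lure."""
    with zipfile.ZipFile(io.BytesIO(document)) as z:
        links = external_ole_links(z)
        macros = has_vba_project(z)
    return {"vba_project": macros, "external_ole_links": links, "suspicious": macros or bool(links)}

def _build_sample(external_target: str = "", with_macros: bool = False) -> bytes:
    """Construct a minimal workbook containing only the parts the triage inspects."""
    rel = (f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="{external_target}" TargetMode="External"/>'
           if external_target else "")
    rels_xml = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Relationships xmlns="{RELS_NS}">{rel}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels_xml)
        if with_macros:
            z.writestr("xl/vbaProject.bin", b"\x00")
    return buf.getvalue()

# Constructed samples: one mimicking the described lure, one benign.
SAMPLE_LURE = _build_sample("http://example.invalid/payload.rtf", with_macros=True)
SAMPLE_CLEAN = _build_sample()

if __name__ == "__main__":
    print("lure :", triage(SAMPLE_LURE))
    print("clean:", triage(SAMPLE_CLEAN))
```

Checking every .rels part, not just the worksheet ones, matters because an OLE link can be attached from a drawing, a header, or the main document part, and the relationship file is where Office records that the target lives outside the package.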

"The return of Emotet, the continued presence of LokiBot, and the emergence of DarkGate are a reminder that cyber threats are constantly evolving," said Jornt van der Wiel, Senior Security Researcher in Kaspersky's Global Research & Analysis Team (GReAT). "As these malicious programs adapt and evolve new methods of infection, it is crucial for both individuals and businesses to be vigilant and invest in robust cybersecurity solutions. Our ongoing research and discovery of these malware strains underscores the importance of proactive security measures to protect against ever-evolving cyber threats."

More at Kaspersky.com

About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/
