Emotet returns, Lokibot persists – Kaspersky reports on new infection methods
Kaspersky’s new report uncovers intricate infection tactics of malware strains DarkGate, Emotet, and LokiBot. Amid DarkGate’s unique encryption and Emotet’s robust comeback, LokiBot exploits persist, illustrating the ever-advancing cybersecurity landscape.
In June 2023, Kaspersky’s researchers discovered a new loader named DarkGate that boasts an array of features that go beyond typical downloader functionality. Some of the notable capabilities include hidden VNC, Windows Defender exclusion, browser history stealing, reverse proxy, file management, and Discord token stealing. DarkGate’s operation involves a chain of four stages, intricately designed to lead to the loading of DarkGate itself. What sets this loader apart is its unique way of encrypting strings with personalized keys and a custom version of Base64 encoding, utilizing a special character set.
Moreover, the Kaspersky’s research examines an activity of Emotet, a notorious botnet that resurfaced after its take down in 2021. In this latest campaign, users who unwittingly open the malicious OneNote files trigger the execution of a hidden and disguised VBScript. The script then attempts to download the harmful payload from various websites until successfully infiltrates the system. Once inside, Emotet plants a DLL in the temporary directory, then executes it. This DLL contains hidden instructions, or shellcode, along with encrypted import functions. By skillfully decrypting a specific file from its resource section, Emotet gains the upper hand, ultimately executing its malicious payload.
Finally, Kaspersky detected a phishing campaign targeting cargo ship companies that delivered LokiBot. It is an infostealer first identified in 2016, and designed to steal credentials from various applications, including browsers and FTP clients. These emails carried an Excel document attachment which prompted users to enable macros. The attackers exploited a known vulnerability (CVE-2017-0199) in Microsoft Office, leading to the download of an RTF document. This RTF document subsequently leveraged another vulnerability (CVE-2017-11882) to deliver and execute the LokiBot malware.
“Emotet’s resurgence and the continuous presence of Lokibot as well as the appearance of DarkGate serve as stark reminders of the ever-evolving cyber threats we face. As these malware strains adapt and adopt new infection methods, it is crucial for individuals and businesses to stay vigilant and invest in robust cybersecurity solutions. Kaspersky’s ongoing research and detection of DarkGate, Emotet, and Lokibot underscore the significance of proactive measures to protect against evolving cyber dangers,” comments Jornt van der Wiel, senior security researcher at Kaspersky’s Global Research and Analysis Team.
Learn more about new infection methods on Securelist.
To protect yourself and your business from ransomware attacks, consider following the rules proposed by Kaspersky:
Always keep the software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.
Focus your defense strategy on detecting lateral movements and data leaks to the internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections to your network. Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.
Activate ransomware protection on all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits and is compatible with already installed security solutions.
Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within Kaspersky Expert Security framework.
Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access to Kaspersky’s TI, providing cyberattack data and insights collected by our team over the last 20 years. To help businesses deliver effective defenses in these turbulent times, Kaspersky has announced it is providing access to independent, continuously updated and globally sourced information on current cyberattacks and threats free of charge. Request access to this offer here.
