Kaspersky reveals evolving cyber threats: DarkGate, Emotet, LokiBot

News Desk -


Kaspersky’s Latest Findings Uncover Complex Infection Strategies of DarkGate, Emotet, and LokiBot Malware Variants

In a recent report by Kaspersky, detailed insights into the sophisticated infection methodologies employed by malware strains DarkGate, Emotet, and LokiBot have been unveiled. Amid the resurgence of Emotet and the persistent activities of LokiBot, the evolving landscape of cybersecurity is vividly illustrated.

In June 2023, Kaspersky researchers uncovered a new loader named DarkGate, whose functionality goes well beyond that of a conventional downloader. Of particular note are its hidden VNC, Windows Defender evasion, browser history theft, reverse proxy, file management, and Discord token theft features. DarkGate runs through a carefully orchestrated sequence of four stages, each designed to culminate in loading DarkGate itself. Its distinctive element is the use of custom keys for string encryption, coupled with a bespoke variant of Base64 encoding that relies on a unique character set.
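A custom-alphabet Base64 variant like the one described above is decoded by mapping the sample's alphabet onto the standard one before handing the text to a normal decoder. The following is an added analyst helper, not Kaspersky's code and not DarkGate's real alphabet: the rotated alphabet used in the demo is constructed, and an analyst would substitute the alphabet recovered from the sample.

```python
import base64

# The RFC 4648 alphabet the standard library decoder expects.
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def decode_custom_base64(data: str, alphabet: str, pad: str = "=") -> bytes:
    """Decode Base64 text written with a non-standard 64-character alphabet.

    Each character of the custom alphabet is translated to the standard
    character at the same position, so base64.b64decode can do the rest.
    Padding is stripped and re-added because custom variants often omit it.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct characters")
    table = str.maketrans(alphabet, STD_ALPHABET)
    body = data.rstrip(pad).translate(table)
    body += "=" * (-len(body) % 4)  # restore standard padding
    return base64.b64decode(body, validate=True)


def encode_custom_base64(raw: bytes, alphabet: str) -> str:
    """Inverse of decode_custom_base64; handy for round-trip checks on a
    recovered alphabet before trusting it against real strings."""
    table = str.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").translate(table)


# Constructed demo alphabet (standard alphabet rotated by 13 positions).
DEMO_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]

if __name__ == "__main__":
    blob = encode_custom_base64(b"example string", DEMO_ALPHABET)
    print(blob, "->", decode_custom_base64(blob, DEMO_ALPHABET))
```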

Kaspersky’s investigation also examined Emotet, a notorious botnet that resurfaced after its suppression in 2021. In its latest campaign, users who open malicious OneNote files unwittingly trigger the execution of a hidden VBScript. This script then attempts to fetch the malicious payload from a series of websites until one download succeeds. Once the payload is on the system, Emotet drops a DLL in the temporary directory and executes it. The DLL contains shellcode alongside encrypted import functions; by decrypting a specific file within its resource section, Emotet obtains and executes its final payload.
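The chain above leaves two process-creation signals a SOC can look for: OneNote spawning a script host, and a DLL being executed from a temporary directory. The following detection logic is an added example, not Kaspersky's or Emotet's code; the script-host and DLL-loader lists, the temp-path pattern, and the sample telemetry are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Script hosts a OneNote-delivered VBScript could run under (assumed set).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Binaries commonly used to execute a DLL from the command line (assumed set).
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# A .dll argument located under a user or system temp directory.
TEMP_DLL = re.compile(r'\\(?:AppData\\Local\\Temp|Windows\\Temp)\\[^\s"]+\.dll\b',
                      re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent: str   # image name of the parent process
    image: str    # image name of the created process
    cmdline: str  # full command line of the created process


def classify(event: ProcessEvent) -> list[str]:
    """Return the names of the chain stages this single event matches."""
    hits = []
    if event.parent.lower() == "onenote.exe" and event.image.lower() in SCRIPT_HOSTS:
        hits.append("onenote_spawned_script_host")
    if event.image.lower() in DLL_LOADERS and TEMP_DLL.search(event.cmdline):
        hits.append("dll_executed_from_temp")
    return hits


def scan(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Run every event through classify() and return only those that alert."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]


# Constructed sample telemetry (not real logs); two malicious, two benign.
SAMPLE_EVENTS = [
    ProcessEvent("onenote.exe", "wscript.exe",
                 r'wscript.exe "C:\Users\alice\AppData\Local\Temp\OneNote\invoice.vbs"'),
    ProcessEvent("wscript.exe", "rundll32.exe",
                 r'rundll32.exe C:\Users\alice\AppData\Local\Temp\rad1A2B.dll,Start'),
    ProcessEvent("explorer.exe", "onenote.exe", r'onenote.exe C:\Users\alice\notes.one'),
    ProcessEvent("services.exe", "rundll32.exe",
                 r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].image, hits)
```

Either signal alone is only a lead; correlating both within one process tree, as in events 0 and 1, is what makes the alert high-confidence.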

Kaspersky’s vigilant eye also detected a phishing campaign aimed at maritime cargo companies, distributing the LokiBot infostealer. Originating in 2016, LokiBot is designed to pilfer credentials from a range of applications, encompassing browsers and FTP clients. The campaign employed emails containing Excel document attachments, luring recipients into enabling macros. Exploiting a known vulnerability (CVE-2017-0199) within Microsoft Office, this maneuver led to the acquisition of an RTF document. This document, in turn, harnessed another vulnerability (CVE-2017-11882) to facilitate the download and execution of the LokiBot malware.

Jornt van der Wiel, a senior security researcher within Kaspersky’s Global Research and Analysis Team, emphasizes, “The resurgence of Emotet and the enduring presence of LokiBot, alongside the emergence of DarkGate, stand as stark reminders of the ever-evolving cyber threats we confront. As these malware strains adapt and innovate new infection techniques, it remains paramount for both individuals and enterprises to remain vigilant and invest in robust cybersecurity solutions.” He emphasizes the significance of Kaspersky’s continued research and identification of DarkGate, Emotet, and LokiBot as an affirmation of the necessity for proactive measures against the continually evolving realm of cyber risks.

For deeper insights into these new infection methodologies, visit Securelist.

To fortify your personal and business defenses against ransomware attacks, Kaspersky suggests adhering to the following guidelines:

– Maintain up-to-date software across all devices to prevent vulnerability exploitation and unauthorized network access.

– Prioritize defense strategies that detect lateral movements and potential data breaches to the internet. Monitor outgoing traffic for connections to cybercriminal networks. Establish offline backups that remain impervious to tampering.

– Activate ransomware protection on all endpoints. Kaspersky provides a free Anti-Ransomware Tool for Business, designed to safeguard computers and servers from ransomware, malware, and exploits. It seamlessly integrates with existing security solutions.

– Implement anti-APT (Advanced Persistent Threat) and EDR (Endpoint Detection and Response) solutions, enabling advanced threat detection, investigation, and timely incident remediation. Continuously equip your Security Operations Center (SOC) team with the latest threat intelligence and professional training. All these features are encompassed within the Kaspersky Expert Security framework.

– Empower your SOC team with up-to-the-minute threat intelligence through the Kaspersky Threat Intelligence Portal, a comprehensive repository of data and insights amassed over two decades. To assist businesses in fortifying their defenses amidst these turbulent times, Kaspersky extends access to independent, continuously updated global cyberattack and threat information free of charge. Request access to this invaluable resource here.
