Kaspersky Reveals Complex Infection Tactics From DarkGate, Emotet, And LokiBot Malware Types
JAKARTA - Kaspersky's latest report reveals the complex infection tactics of the DarkGate, Emotet, and LokiBot malware families. Alongside DarkGate's unique string encryption and Emotet's strong return, LokiBot continues to exploit long-known vulnerabilities, illustrating an evolving cybersecurity threat landscape.
In June 2023, Kaspersky researchers discovered a new loader named DarkGate that offers a range of features beyond the usual download function, such as hidden VNC, Windows Defender exclusion, browser history theft, reverse proxying, file management, and Discord token theft.
What sets this loader apart from others is its unique way of encrypting strings with personalized keys and a custom version of Base64 encoding that uses a special character set.
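As an added illustration (not taken from Kaspersky's report), the following Python helper shows how an analyst decodes Base64 strings written in a non-standard alphabet of the kind described above. EXAMPLE_ALPHABET is a constructed stand-in, not DarkGate's real alphabet, which the article does not publish, and the key-based encryption layer is not modelled because the article gives no details of it.

```python
import base64
import string

# Standard Base64 alphabet, used as the translation target.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed example alphabet (NOT the real DarkGate alphabet): the standard
# letters reversed, digits reversed, and two special characters in place of "+/".
EXAMPLE_ALPHABET = (
    "zyxwvutsrqponmlkjihgfedcba"
    "ZYXWVUTSRQPONMLKJIHGFEDCBA"
    "9876543210@#"
)


def _check_alphabet(alphabet, pad):
    """A Base64 alphabet needs 64 distinct symbols, none of which is the pad char."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct characters")
    if pad in alphabet:
        raise ValueError("padding character must not be part of the alphabet")


def custom_b64_decode(text, alphabet, pad="="):
    """Decode Base64 text that was produced with a custom 64-character alphabet."""
    _check_alphabet(alphabet, pad)
    body = text.rstrip(pad)
    if any(c not in alphabet for c in body):
        raise ValueError("input contains characters outside the supplied alphabet")
    # Map the custom symbols onto the standard alphabet, then reuse the stdlib decoder.
    standard = body.translate(str.maketrans(alphabet, STD_ALPHABET))
    # Samples frequently drop the padding; restore it before decoding.
    standard += "=" * (-len(standard) % 4)
    return base64.b64decode(standard)


def custom_b64_encode(data, alphabet, pad="="):
    """Inverse of custom_b64_decode; useful to confirm a recovered alphabet round-trips."""
    _check_alphabet(alphabet, pad)
    standard = base64.b64encode(data).decode("ascii")
    stripped = standard.rstrip("=")
    translated = stripped.translate(str.maketrans(STD_ALPHABET, alphabet))
    return translated + pad * (len(standard) - len(stripped))


def decode_strings(samples, alphabet, pad="="):
    """Triage helper: decode each candidate string, keeping failures visible as None."""
    out = {}
    for s in samples:
        try:
            out[s] = custom_b64_decode(s, alphabet, pad)
        except (ValueError, base64.binascii.Error):
            out[s] = None
    return out
```

Once an alphabet has been recovered from a sample, feeding the encoded strings pulled from it through decode_strings gives a quick view of which strings the alphabet actually explains.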
In addition, Kaspersky's research found activity from Emotet, a well-known botnet that reappeared after being taken down in 2021. In this latest campaign, an unsuspecting user opening a malicious OneNote file triggered the execution of a hidden, obfuscated VBScript.
The script then attempted to download malicious payloads from various websites in order to infiltrate the system. Once inside, Emotet dropped a DLL into the temporary directory and launched it.
This DLL contains hidden instructions, or shellcode, along with encrypted import functions. By decrypting certain files from sections of its resources, Emotet ultimately executes its malicious payloads.
Finally, Kaspersky also detected a phishing campaign targeting cargo shipping companies that delivers LokiBot. The campaign is designed to steal credentials from various applications, including browsers and FTP clients.
According to the cybersecurity company, the emails carry an Excel document attachment that encourages users to enable macros. The attacker exploits a known vulnerability in Microsoft Office (CVE-2017-0199), leading to the download of an RTF document. This RTF document then takes advantage of another vulnerability (CVE-2017-11882) to deliver and execute the LokiBot malware.