Malware: New infection methods for Emotet, DarkGate, and LokiBot

A new analysis by Kaspersky reveals intricate infection tactics used by malware strains. Accordingly, the famous reportsBotnet Emotet Using New Infection Route Via OneNote Files, Attacks Enterprises; In addition, the loader DarkGate has been equipped with numerous new features and LokiBot targets cargo ship companies in phishing emails with Excel attachments.

Kaspersky’s latest report reveals the current sophisticated infection tactics used by DarkGate, Emotet , and LokiBot malware . DarkGate’s unique encryption and Emotet’s robust comeback and LokiBot’s ongoing exploits underscore the need for an ever-evolving cybersecurity landscape.

Emotet uses OneNote file to run malicious scripts

After the infamous botnet Emotet was shut down in 2021, Kaspersky has now seen renewed activity. In the current campaign, users unknowingly trigger the execution of a hidden and disguised VBScript after opening a malicious OneNote file. The script then tries to download a malicious payload from various websites until the system is successfully infiltrated. After that, Emotet puts a DLL in the temporary directory and runs it. This DLL includes hidden commands or shellcode and encrypted import functions. By decrypting a specific file from the resource section, Emotet gains the upper hand and eventually executes its malicious payload.

DarkGate: more than typical downloader functions

In June 2023, Kaspersky experts discovered the new loader ‘DarkGate’, which is equipped with a variety of functions that go beyond typical downloader functions. These include hidden Virtual Network Computing (VNC), disabling Windows Defender, stealing browser history, reverse proxy, unauthorized file management and tapping Discord tokens. DarkGate works via a four-stage chain designed to lead to the loading of DarkGate itself. The loader differs from others in its encryption type, which includes character strings with personalized keys and a customized version of Base64 encoding that uses a special character set.

LokiBot targets cargo ship companies using Excel attachments

Additionally, Kaspersky discovered a phishing campaign targeting cargo ship companies using LokiBot. First identified in 2016, LokiBot is an infostealer that cybercriminals use to steal login credentials from various applications, including browsers and FTP clients. This campaign sent emails with an Excel attachment asking users to enable macros. To do this, the attackers exploited a known vulnerability (CVE-2017-0199) in Microsoft Office, which led to the download of an RTF document. This RTF document then uses another vulnerability (CVE-2017-11882) to inject and run LokiBot malware.

“The return of Emotet, the continued presence of LokiBot, and the emergence of DarkGate are a reminder that cyber threats are constantly evolving,” said Jornt van der Wiel, Senior Security Researcher in Kaspersky’s Global Research & Analysis Team (GReAT). “As these malicious programs adapt and evolve new methods of infection, it is crucial for both individuals and businesses to be vigilant and invest in robust cybersecurity solutions. Our ongoing research and discovery of these malware strains underscores the importance of proactive security measures to protect against ever-evolving cyber threats.”

Kaspersky recommendations for protection against malware

  • Keep software up to date on all devices to prevent attackers from exploiting vulnerabilities and infiltrating the network.
  • Focus the defense strategy on detection of lateral movement and data leakage on the Internet. Pay particular attention to outbound traffic to detect cybercriminals’ connections to a network.
  • Set up offline backups that cannot be tampered with. Ensuring that this data can be accessed quickly when needed or in the event of an emergency.
  • Activate ransomware protection on all end devices. The Kaspersky Anti-Ransomware Tool for Business, available free of charge, protects computers and servers against ransomware and other types of malware, prevents exploits and is compatible with already installed security solutions.
  • Install anti-APT and EDR solutions that enable capabilities for advanced threat detection, investigation and timely remediation of incidents. Provide the SOC team with access to the latest threat data and provide regular professional training. All this is possible within the framework of Kaspersky Expert Security.
  • Grant the SOC team access to the latest threat intelligence (TI), for example through the Kaspersky Threat Intelligence Portal. This offers cyber attack data and insights from over 25 years of research.


(c) it-daily