DarkGate malware strain
In June 2023, Kaspersky’s researchers discovered a new loader named DarkGate that has multiple features that go beyond typical downloader functionality. Some of the notable capabilities include hidden VNC, Windows Defender exclusion, browser history stealing, reverse proxy, file management and Discord token stealing.
DarkGate’s operation involves a chain of four stages, designed to lead to the loading of the malware itself. This loader has a unique way of encrypting strings with personalised keys and a custom version of Base64 encoding, which utilises a special character set.
Emotet malware strain
Emotet is a botnet that resurfaced after it was taken down in 2021. The report also mentions that this malware’s activity has been recently recorded.
In this latest campaign, users who unwittingly open the malicious OneNote files trigger the execution of a hidden and disguised VBScript. The script then attempts to download the harmful payload from various websites until successfully infiltrates the system.
Once inside, Emotet plants a DLL in the temporary directory and then executes it. This DLL contains hidden instructions, or shellcode, along with encrypted import functions. By decrypting a specific file from its resource section, Emotet gains the upper hand, ultimately executing its malicious payload.
LokiBot malware strain
Kaspersky has also detected a phishing campaign targeting cargo ship companies that delivered LokiBot. It is an info stealer malware which was first identified in 2016. LokiBot is designed to steal credentials from various apps, including browsers and FTP clients.
These emails carried an Excel document attachment which prompted users to enable macros. The attackers exploited a known vulnerability (CVE-2017-0199) in Microsoft Office, leading to the download of an RTF document. This RTF document subsequently leveraged another vulnerability (CVE-2017-11882) to deliver and execute the LokiBot malware.