One cybersecurity firm spotted the re-emergence of Emotet, the discovery of a new sophisticated loader, and attempts to exploit old CVEs …

In June 2023, several trends were observed by researchers from Kaspersky in their own ecosystem.

First, they discovered a new loader named DarkGate that has an array of features that go beyond typical downloader functionality. Some of the notable capabilities include hidden Virtual Network Computing; Windows Defender exclusion; browser history stealing; reverse proxy; file management; and Discord token stealing. The loader’s operation involves a chain of four stages, intricately designed to lead to the loading of DarkGate itself. What sets this loader apart is its unique way of encrypting strings with personalized keys, and a custom version of Base64 encoding that utilizes a special character set.

Second, researchers noted that Emotet, a notorious botnet, had resurfaced after its takedown in 2021. In this latest campaign, users that had unwittingly opened the malicious OneNote files triggered the execution of a hidden and disguised VBScript. The script then attempted to download the harmful payload from various websites until successfully infiltrating the system. Once inside, Emotet could plant a dynamic link library in the temporary directory, then execute it. This DLL contains shellcode, along with encrypted import functions. By skillfully decrypting a specific file from its resource section, Emotet gains the upper hand, ultimately executing its malicious payload.

Thirdly, the firm detected a phishing campaign delivering LokiBot to targeted cargo ship firms. LokiBot is an infostealer first identified in 2016, and it is designed to steal credentials from various applications such as browsers and FTP clients. The phishing emails carried an Excel document attachment that prompted users to enable macros. The attackers then exploited a known vulnerability (CVE-2017-0199) in Microsoft Office, leading to the download of an RTF document that in turn leveraged another vulnerability (CVE-2017-11882) to deliver and execute the LokiBot malware. 

Kaspersky’s Senior Security Researcher, Jornt van der Wiel, noted:

“As malware strains adapt and adopt new infection methods, it is crucial for individuals and businesses to stay vigilant and invest in robust cybersecurity solutions.”