These three malware strains are infecting internet users, here’s how – Times of India

These three malware strains are infecting internet users, here’s how - Times of India


Three different malware strains are using tricky methods to trap users on the internet. According to a report by Kaspersky, three malware strains — DarkGate, Emotet, and LokiBot are using “intricate infection tactics” to steal user data. The security research company has explained how the ever-advancing cybersecurity landscape is being affected by “DarkGate’s unique encryption, Emotet‘s robust comeback and LokiBot exploits”.

DarkGate malware strain
In June 2023, Kaspersky’s researchers discovered a new loader named DarkGate that has multiple features that go beyond typical downloader functionality. Some of the notable capabilities include hidden VNC, Windows Defender exclusion, browser history stealing, reverse proxy, file management and Discord token stealing.

DarkGate’s operation involves a chain of four stages, designed to lead to the loading of the malware itself. This loader has a unique way of encrypting strings with personalised keys and a custom version of Base64 encoding, which utilises a special character set.
Emotet malware strain
Emotet is a botnet that resurfaced after it was taken down in 2021. The report also mentions that this malware’s activity has been recently recorded.

In this latest campaign, users who unwittingly open the malicious OneNote files trigger the execution of a hidden and disguised VBScript. The script then attempts to download the harmful payload from various websites until successfully infiltrates the system.
Once inside, Emotet plants a DLL in the temporary directory and then executes it. This DLL contains hidden instructions, or shellcode, along with encrypted import functions. By decrypting a specific file from its resource section, Emotet gains the upper hand, ultimately executing its malicious payload.
LokiBot malware strain
Kaspersky has also detected a phishing campaign targeting cargo ship companies that delivered LokiBot. It is an info stealer malware which was first identified in 2016. LokiBot is designed to steal credentials from various apps, including browsers and FTP clients.
These emails carried an Excel document attachment which prompted users to enable macros. The attackers exploited a known vulnerability (CVE-2017-0199) in Microsoft Office, leading to the download of an RTF document. This RTF document subsequently leveraged another vulnerability (CVE-2017-11882) to deliver and execute the LokiBot malware.


Source link

Leave a Reply

Your email address will not be published. Required fields are marked *