Kaspersky
New infection methods for Emotet, DarkGate and LokiBot
A recent analysis by Kaspersky has uncovered new, sophisticated infection tactics used by several malware strains. According to this analysis, the infamous Emotet botnet is using new infection paths via OneNote files to attack companies.
In addition, the DarkGate loader has been equipped with numerous new features, and LokiBot is targeting cargo shipping companies with phishing emails carrying Excel attachments.
Kaspersky's latest report highlights the current sophisticated infection tactics of the DarkGate, Emotet and LokiBot malware. DarkGate's unique encryption, Emotet's robust comeback and LokiBot's continued exploitation of known vulnerabilities underscore the need for defenses that keep pace with an ever-evolving threat landscape.
After the infamous Emotet botnet was shut down in 2021, Kaspersky has now observed renewed activity. In the current campaign, users unknowingly trigger the execution of a hidden, obfuscated VBScript when they open a malicious OneNote file. The script then attempts to download a malicious payload from a series of websites until one download succeeds and the system is infected. Emotet then drops a DLL in the temporary directory and executes it. This DLL contains hidden commands or shellcode as well as encrypted import functions. By decrypting a specific file from its resource section, Emotet unpacks and eventually executes its malicious payload.
In June 2023, Kaspersky experts discovered the new DarkGate loader, which is equipped with a variety of functions that go beyond those of a typical downloader. These include hidden virtual network computing (VNC), disabling Windows Defender, stealing browser history, a reverse proxy, unauthorized file management and harvesting Discord tokens.
DarkGate is delivered through a four-stage chain that ends with the loading of DarkGate itself. The loader differs from others in its encryption method, which combines custom key strings with a modified Base64 encoding that uses a special character set.
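When an analyst meets a loader that encodes its strings with a non-standard Base64 alphabet and a per-sample key string, the practical first step is a decoder that maps the custom alphabet back onto the standard one and then strips the key layer. The following Python is an added example written for this article; it is not Kaspersky's code and not DarkGate's actual alphabet or key scheme. The custom alphabet, the repeating-key XOR used as the "key string" layer, and the sample blob are all constructed here purely to illustrate the technique.

```python
import base64
import string

# Standard Base64 alphabet (RFC 4648): A-Z, a-z, 0-9, "+", "/".
STANDARD_ALPHABET = (
    string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
)

# Constructed custom alphabet: a permutation of the 64 standard characters.
# This is a hypothetical stand-in, NOT the alphabet used by any real loader.
CUSTOM_ALPHABET = (
    "zyxwvutsrqponmlkjihgfedcba"
    "ZYXWVUTSRQPONMLKJIHGFEDCBA"
    "9876543210/+"
)


def custom_b64decode(data: str, alphabet: str) -> bytes:
    """Decode Base64 text that was written with a non-standard alphabet.

    Every character of the custom alphabet is translated to the standard
    character at the same index, after which the stock decoder applies.
    Missing padding is restored, since loaders frequently omit it.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct characters")
    table = str.maketrans(alphabet, STANDARD_ALPHABET)
    translated = data.translate(table)
    translated += "=" * (-len(translated) % 4)
    return base64.b64decode(translated, validate=True)


def custom_b64encode(raw: bytes, alphabet: str) -> str:
    """Inverse of custom_b64decode; used here only to build sample input."""
    table = str.maketrans(STANDARD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").translate(table)


def xor_with_key(buf: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Assumed here as the 'key string' layer; the real
    loader's key handling is not described in the article."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def decode_layered(blob: str, alphabet: str, key: bytes) -> bytes:
    """Peel both assumed layers: custom Base64 outside, key string inside."""
    return xor_with_key(custom_b64decode(blob, alphabet), key)


# Constructed sample: plaintext and key invented for this example.
SAMPLE_PLAINTEXT = b"constructed sample: https://c2.example.invalid/gate"
SAMPLE_KEY = b"s4mpl3-k3y"
SAMPLE_BLOB = custom_b64encode(xor_with_key(SAMPLE_PLAINTEXT, SAMPLE_KEY),
                               CUSTOM_ALPHABET)


if __name__ == "__main__":
    print("encoded blob :", SAMPLE_BLOB)
    print("decoded bytes:", decode_layered(SAMPLE_BLOB, CUSTOM_ALPHABET, SAMPLE_KEY))
```

Recovering the alphabet itself is usually done by locating the 64-byte table in the unpacked binary; once it is known, the same translation table works for every string the sample encodes, and the decoded output can be fed straight into detection content such as network indicators.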
Kaspersky also discovered a phishing campaign targeting cargo shipping companies using LokiBot. LokiBot is an infostealer that was first identified in 2016 and is used by cybercriminals to steal credentials from various applications, including browsers and FTP clients.
In this campaign, emails were sent with an Excel attachment asking users to enable macros. The attackers also exploited a known vulnerability (CVE-2017-0199) in Microsoft Office, which led to the download of an RTF document. This RTF document then uses another vulnerability (CVE-2017-11882) to inject and execute the LokiBot malware.