Kaspersky crimeware report: Emotet, DarkGate and LokiBot

Three crimeware families—DarkGate, LokiBot, and Emotet—are described with their infection chains and capabilities, including a four-stage DarkGate loader, a LokiBot phishing campaign, and an Emotet resurgence via OneNote attachments. The report highlights memory-resident loading, string obfuscation, and credential harvesting across targets such as cargo logistics and enterprise users. #DarkGate #LokiBot #Emotet #OneNote #CVE-2017-0199 #CVE-2017-11882

Keypoints

  • The report introduces DarkGate as a loader with advanced capabilities (e.g., hidden VNC, Defender exclusions, browser history stealing) and reveals a four-stage infection chain leading to DarkGate execution.
  • LokiBot is used in a targeted phishing campaign against cargo/shipping sectors, leveraging CVE-2017-0199 and CVE-2017-11882 to drop the malware from Excel/RTF documents and steal credentials.
  • Emotet resurges via OneNote infection vectors, delivering a VBScript-based downloader that eventually loads the Emotet payload into memory.
  • DarkGate’s loader uses 17 Delphi TStringList variables to describe core functionality and employs unique string encryption with a custom Base64 variant.
  • Emotet uses memory-resident shellcode that decrypts embedded payloads, resolves imports dynamically, and reconstructs the Import Address Table to execute.
  • The report emphasizes the evolving malware landscape and positions threat intelligence as essential for staying protected against these campaigns.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – Downloads payload components from the C2 and executes them. Quote: ‘Two files (Autoit3.exe and script.au3) are then downloaded from the C2, and Autoit3.exe is executed with script.au3 as an argument.’
  • [T1059] Command and Scripting Interpreter – VBScript and AutoIt v3 are used to stage execution. Quote: ‘The script is fairly simple. It sets several environment variables to obfuscate subsequent command invocations. Two files (Autoit3.exe and script.au3) are then downloaded from the C2, and Autoit3.exe is executed with script.au3 as an argument.’
  • [T1055] Process Injection – Shellcode constructs a PE in memory, resolves imports dynamically and transfers control to it. Quote: ‘The shellcode… constructs a PE file in the memory, resolves imports dynamically and transfers control to it.’
  • [T1027] Obfuscated/Compressed Files and Information – Strings encrypted with unique keys and a custom Base64 encoding scheme. Quote: ‘Each string is encrypted with a unique key and a custom version of Base64 encoding using a custom character set.’
  • [T1566.001] Phishing: Attachment – Victims receive phishing emails with Excel attachments. Quote: ‘victims received an email appearing to come from a business contact and stating port expenses that needed to be paid. Attached to the email was an Excel document.’
  • [T1203] Exploitation for Client Execution – The chain exploits CVE-2017-11882 via a crafted document to drop LokiBot. Quote: ‘This vulnerability makes it possible to open a remote document by providing a link. This results in downloading an RTF document, which in turn exploits another vulnerability, namely CVE-2017-11882.’
  • [T1555.003] Credentials in Web Browsers – LokiBot collects credentials from browsers and other applications and exfiltrates them. Quote: ‘Once executed, it collects credentials from various sources and saves into a buffer inside the malware, after which it sends them to the C2.’
  • [T1041] Exfiltration Over C2 Channel – Exfiltrated data is sent via HTTP POST to C2, compressed with APLib. Quote: ‘Data is sent via POST requests compressed with APLib.’
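As an added illustration (not code from the report or from Kaspersky), the two delivery steps above, the VBScript stage that runs Autoit3.exe with script.au3 (T1105/T1059) and the OneNote-delivered VBScript downloader (T1566.001), expressed as detection rules over constructed process-creation events. The event field names, the sample paths and the assumption that OneNote spawns the script host directly are mine, not from the report.

```python
import ntpath

# Directories an unprivileged user can write to; a legitimate AutoIt install lives elsewhere.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\public\\", "\\appdata\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def classify(event: dict) -> list[str]:
    """Return the names of the rules an event matches (empty list = nothing suspicious)."""
    hits = []
    image, parent, cmd = event["image"], event["parent"], event["cmdline"].lower()
    # Rule 1: AutoIt interpreter launched from a user-writable path with a .au3 script argument.
    # DarkGate's VBScript stage downloads Autoit3.exe and script.au3 from the C2 and runs them
    # exactly this way; a packaged AutoIt install under Program Files is deliberately ignored.
    if _base(image) == "autoit3.exe" and ".au3" in cmd \
            and any(d in image.lower() for d in USER_WRITABLE):
        hits.append("darkgate_autoit_stage")
    # Rule 2: OneNote spawning a script host. Emotet's OneNote attachments carry a VBScript
    # downloader the user is tricked into launching (assumed parent/child relationship).
    if _base(parent) == "onenote.exe" and _base(image) in SCRIPT_HOSTS:
        hits.append("emotet_onenote_script_host")
    return hits

# Constructed sample events (fields modelled loosely on Sysmon Event ID 1; all paths are made up)
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\Autoit3.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\Autoit3.exe" C:\Users\alice\AppData\Local\Temp\script.au3'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "cmdline": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\dev\build.au3'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" C:\Users\alice\AppData\Local\Temp\OneNote\invoice.vbs'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
]

def scan(events=SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map event index -> matched rules, for every event that matched at least one rule."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}

if __name__ == "__main__":
    for i, rules in scan().items():
        print(f"event {i}: {', '.join(rules)}")
```

In practice both rules should be tuned against a baseline of the environment's own AutoIt and OneNote usage before alerting on them.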

Indicators of Compromise

  • [MD5] LokiBot payloads – 31707f4c58be2db4fc43cba74f22c9e2, 2c5cf406f3e4cfa448b167751eaea73b
  • [MD5] DarkGate payloads – 1B9E9D90136D033A52D2C282503F33B7, 149DA23D732922B04F82D634750532F3
  • [MD5] Emotet payloads – 238f7e8cd973a386b61348ab2629a912, df3ee4fb63c971899e15479f9bca6853

Read more: https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/