Phishing campaigns distributing malware families like DarkGate and PikaBot are employing tactics reminiscent of attacks associated with the now-defunct QakBot trojan.
Cofense, in a report shared with The Hacker News, noted that these tactics encompass the initiation of infections through hijacked email threads, the utilization of URLs featuring distinctive patterns restricting user access, and an infection chain closely mirroring previous QakBot delivery methods.
Additionally, the employed malware families align with the expectations for usage by QakBot affiliates.
QakBot’s Techniques in New Phishing Assaults
QakBot, alternatively known as QBot and Pinkslipbot, was dismantled in August as part of a coordinated law enforcement operation named Operation Duck Hunt.
The inclusion of DarkGate and PikaBot in these campaigns is unsurprising, given their ability to serve as conduits for delivering additional payloads to compromised hosts. This feature makes them attractive options for cybercriminals.
Zscaler highlighted the parallels between PikaBot and QakBot in its May 2023 analysis of the malware, emphasizing similarities in distribution methods, campaigns, and malware behaviors.
DarkGate employs sophisticated techniques to elude antivirus detection, including keystroke logging, PowerShell execution, and a reverse shell for remote control.
According to a recent technical report by Sekoia, the bidirectional connection enables attackers to send real-time commands, navigate the victim’s system, exfiltrate data, or carry out other malicious actions.
Cofense’s examination of the extensive phishing campaign reveals that it targets a diverse array of sectors. The attack chains involve the dissemination of a malicious URL within hijacked email threads, directing recipients to a booby-trapped ZIP archive.
Within the ZIP archive, a JavaScript dropper is embedded, which subsequently establishes contact with a second URL to download and execute either the DarkGate or PikaBot malware.
A notable variation of the attacks has been identified, wherein Excel add-in (XLL) files are utilized instead of JavaScript droppers to deliver the final payloads.
Cofense stated that a successful DarkGate or PikaBot infection could result in the deployment of advanced crypto mining software, reconnaissance tools, ransomware, or any other malicious file that threat actors intend to install on a victim’s machine.
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment