Phishing campaigns distributing malware families like DarkGate and PikaBot are employing tactics reminiscent of attacks associated with the now-defunct QakBot trojan.
Cofense, in a report shared with The Hacker News, noted that these tactics include starting infections through hijacked email threads, using URLs with distinctive patterns that restrict user access, and an infection chain closely mirroring previous QakBot delivery methods.
Additionally, the malware families in use are the ones that would be expected of QakBot affiliates.
QakBot’s Techniques in New Phishing Assaults
QakBot, alternatively known as QBot and Pinkslipbot, was dismantled in August as part of a coordinated law enforcement operation named Operation Duck Hunt.
The inclusion of DarkGate and PikaBot in these campaigns is unsurprising, given their ability to serve as conduits for delivering additional payloads to compromised hosts. This feature makes them attractive options for cybercriminals.
Zscaler highlighted the parallels between PikaBot and QakBot in its May 2023 analysis of the malware, emphasizing similarities in distribution methods, campaigns, and malware behaviors.
DarkGate employs sophisticated techniques to evade antivirus detection, and its capabilities include keystroke logging, PowerShell execution, and a reverse shell for remote control.
According to a recent technical report by Sekoia, this bidirectional connection enables attackers to send commands in real time, navigate the victim’s system, exfiltrate data, or carry out other malicious actions.
Cofense’s examination of the extensive phishing campaign reveals that it targets a diverse array of sectors. The attack chains involve the dissemination of a malicious URL within hijacked email threads, directing recipients to a booby-trapped ZIP archive.
Cofense stated that a successful DarkGate or PikaBot infection could result in the deployment of advanced crypto mining software, reconnaissance tools, ransomware, or any other malicious file that threat actors intend to install on a victim’s machine.