DarkGate and Pikabot malware emerge as Qakbot’s successors

A highly sophisticated phishing effort has emerged, integrating the PikaBot malware into the well-established DarkGate campaign. This combination marks a significant advance in phishing tactics, rivaling the sophistication of the Qakbot operation before its dismantlement. The malicious email campaign surfaced in September 2023, following the FBI’s takedown of QBot’s infrastructure. According to a recent Cofense report, the DarkGate and Pikabot campaigns mirror strategies employed in previous Qakbot campaigns, which suggests that the threat actors behind Qbot have transitioned to newer malware botnets.

Given Qbot’s extensive reach as a malware botnet disseminated through email, the similarities between DarkGate, Pikabot, and Qbot’s functionalities pose a critical threat to enterprises. Both DarkGate and Pikabot function as modular malware loaders, sharing numerous features with Qbot, amplifying the risk to organizational security.

Similar to Qbot, these new malware loaders are anticipated to grant threat actors initial access to networks, likely facilitating ransomware, espionage, and data theft attacks.

The DarkGate and Pikabot campaign

During the recent summer months, there’s been a significant surge in malicious emails distributing the DarkGate malware. Notably, in October 2023, the threat actors made a switch, adopting Pikabot as their primary payload.

The phishing tactic initiates with an email, often a reply or forward of a stolen conversation thread. This approach heightens the likelihood of recipients trusting the communication.

Once users click on the embedded URL, a sequence of verification checks ensues to confirm their validity as targets. Subsequently, the target is prompted to download a ZIP archive containing a malware dropper, fetching the final payload from a remote source.

Cofense’s report indicates that the attackers conducted experiments with various initial malware droppers to ascertain the most effective ones, including:

  • JavaScript dropper for downloading and executing PEs or DLLs.
  • Excel-DNA loader derived from an open-source project used in creating XLL files, exploited for downloading and running malware.
  • VBS (Visual Basic Script) downloaders capable of executing malware via .vbs files in Microsoft Office documents or launching command-line executables.
  • LNK downloaders abusing Microsoft shortcut files (.lnk) to download and execute malware.

Until September 2023, the final payload deployed in these attacks was the DarkGate malware. However, by October 2023, it was replaced by PikaBot.
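As an added example (not code from the Cofense report or this article), a defender-side triage check in Python that scans a ZIP attachment for the four dropper file types listed above, descending into nested archives and catching double extensions such as invoice.pdf.lnk; the archive contents, file names and labels are constructed placeholders.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Dropper file types the report lists for this campaign; the labels are a
# hypothetical mapping used only for the triage output.
DROPPER_EXTENSIONS = {
    ".js": "JavaScript dropper",
    ".xll": "Excel-DNA XLL loader",
    ".vbs": "VBS downloader",
    ".lnk": "LNK shortcut downloader",
}

def scan_zip_attachment(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return (member_path, label) for every dropper-type member in the ZIP.

    Nested ZIPs are opened in memory up to max_depth levels, since the
    campaign delivers the dropper inside a ZIP archive. Non-ZIP input
    yields an empty list.
    """
    findings = []
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # .suffix is the last extension, so invoice.pdf.lnk is still caught.
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext in DROPPER_EXTENSIONS:
                findings.append((info.filename, DROPPER_EXTENSIONS[ext]))
            elif ext == ".zip":
                for path, label in scan_zip_attachment(zf.read(info), depth + 1, max_depth):
                    findings.append((f"{info.filename}/{path}", label))
    return findings

def build_sample_attachment() -> bytes:
    """Constructed sample: a decoy PDF, a .js dropper and a nested ZIP holding a
    double-extension .lnk. All member contents are placeholder bytes."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf.lnk", b"placeholder shortcut bytes")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
        z.writestr("view.js", b"// placeholder")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, label in scan_zip_attachment(build_sample_attachment()):
        print(f"FLAG {path}: {label}")
```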

DarkGate and PikaBot

DarkGate emerged in 2017 but only became widely available to the cybercrime community this past summer, causing a surge in its distribution through phishing and malvertising.

This advanced modular malware encompasses various malicious functionalities, such as hVNC for remote access, cryptocurrency mining, reverse shell capabilities, keylogging, clipboard theft, and information theft (including files and browser data).

In contrast, PikaBot, a newer malware observed in early 2023, comprises a loader and a core module equipped with robust anti-debugging, anti-VM, and anti-emulation features.

Upon infecting systems, the malware profiles them and transmits the data to its command and control (C2) infrastructure, awaiting further directives.

The C2 issues commands directing the malware to download and execute modules in the form of DLL or PE files, shellcode, or command-line instructions, rendering it a versatile tool.

Cofense raises concern that both PikaBot and DarkGate campaigns are orchestrated by adept threat actors whose expertise surpasses that of typical phishers. Consequently, organizations must familiarize themselves with the Tactics, Techniques, and Procedures (TTPs) associated with this campaign.

Source – https://www.bleepingcomputer.com/