DarkGate and Pikabot malware emerge as Qakbot’s successors



A sophisticated phishing campaign pushing DarkGate malware infections has recently added the PikaBot malware into the mix, making it the most advanced phishing campaign since the Qakbot operation was dismantled.

The malicious email campaign started in September 2023, after the FBI seized and took down QBot's (Qakbot) infrastructure.

In a new report by Cofense, researchers explain that the DarkGate and PikaBot campaigns use tactics and techniques similar to previous Qakbot campaigns, indicating that the Qbot threat actors have now moved on to the newer malware botnets.

"This campaign is certainly a high-level threat due to the tactics, techniques, and procedures (TTPs) that enable the phishing emails to reach intended targets as well as the advanced capabilities of the malware being delivered." - Cofense.

As Qbot was one of the most prevalent malware botnets distributed through email, and both DarkGate and PikaBot are modular malware loaders with many of the same features as Qbot, this poses a significant risk to the enterprise.

Like Qbot, the new malware loaders will be used by threat actors to gain initial access to networks and, likely, to conduct ransomware, espionage, and data theft attacks.

The rise of DarkGate and PikaBot campaigns
Source: Cofense

The DarkGate and PikaBot campaign

Over the past summer, there has been a massive increase in malicious emails pushing the DarkGate malware, with the threat actors switching to installing PikaBot as the primary payload in October 2023.

The phishing attack begins with an email that is a reply to or forward of a stolen discussion thread, which increases the likelihood of the recipients treating the message with trust.

Phishing email used in the campaign (Cofense)

Users clicking on the embedded URL go through a series of checks that verify they are valid targets and are then prompted to download a ZIP archive containing a malware dropper that fetches the final payload from a remote resource.

Cofense reports that the attackers experimented with various initial malware droppers to determine which works best, including:

  • JavaScript droppers for downloading and executing PEs or DLLs.
  • An Excel-DNA loader based on an open-source project used for creating XLL files, abused here for downloading and executing malware.
  • VBS (Visual Basic Script) downloaders that can execute malware through .vbs files in Microsoft Office documents or invoke command-line executables.
  • LNK downloaders that abuse Microsoft shortcut files (.lnk) to download and execute malware.

The final payload used in these attacks was the DarkGate malware through September 2023, which was replaced by PikaBot in October 2023.
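Because every variant of the campaign lands as a ZIP archive wrapping one of the four dropper types above, a mail gateway or triage script can flag the attachment before the dropper ever runs. The script below is an added example, not code from Cofense or from this article: it builds a few constructed sample archives in memory and reports members whose extension matches a JavaScript, XLL, VBS or LNK dropper, including members hidden behind a double extension ("Invoice.pdf.js"), inside a nested ZIP, or in a password-protected member that the scanner cannot open. The extension list is an assumption drawn from the dropper families the report names; the article does not give the exact filenames used.

```python
"""Triage ZIP attachments for the dropper types seen in the DarkGate/PikaBot campaign.

Added example, not part of the Cofense report or the original article.
"""
import io
import zipfile
from typing import Dict, List, Optional

# Assumption: standard extensions for the four dropper families the report names.
DROPPER_EXTENSIONS = {
    ".js": "JavaScript dropper",
    ".xll": "Excel-DNA XLL loader",
    ".vbs": "VBS downloader",
    ".lnk": "LNK shortcut downloader",
}

MAX_DEPTH = 3  # nested archives deeper than this are reported, not descended


def classify_member(name: str) -> Optional[str]:
    """Return the dropper family for a member name, or None if it looks benign.

    Matching is done on the final extension of the basename, so a double
    extension such as 'Invoice_2023.pdf.js' is still caught.
    """
    basename = name.lower().rsplit("/", 1)[-1]
    for ext, family in DROPPER_EXTENSIONS.items():
        if basename.endswith(ext):
            return family
    return None


def scan_zip(data: bytes, depth: int = 0, prefix: str = "") -> List[Dict[str, str]]:
    """Walk a ZIP (recursively into nested ZIPs) and collect suspicious members."""
    findings: List[Dict[str, str]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"path": prefix or "<root>", "family": "unparseable archive"}]

    for info in zf.infolist():
        if info.is_dir():
            continue
        path = prefix + info.filename
        # Bit 0 of the general-purpose flags marks an encrypted member; the
        # directory is still readable, so we can at least report the name.
        if info.flag_bits & 0x1:
            findings.append({"path": path, "family": "encrypted member (cannot inspect)"})
            continue
        family = classify_member(info.filename)
        if family:
            findings.append({"path": path, "family": family})
        elif info.filename.lower().endswith(".zip"):
            if depth >= MAX_DEPTH:
                findings.append({"path": path, "family": "nested archive too deep"})
            else:
                findings.extend(scan_zip(zf.read(info), depth + 1, path + "!/"))
    return findings


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Construct an in-memory ZIP; used only to create sample data here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real campaign artifacts).
SAMPLE_BENIGN = build_zip({"report.pdf": b"%PDF-1.4 ...", "notes.txt": b"hello"})
SAMPLE_DROPPER = build_zip({
    "Invoice_2023.pdf.js": b"var sh = new ActiveXObject('WScript.Shell');",
    "inner.zip": build_zip({"Document.lnk": b"L\x00\x00\x00"}),
})

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("dropper", SAMPLE_DROPPER)):
        print(label, scan_zip(sample))
```

Extension matching is a first-pass filter only: the same rule should be paired with content checks (an XLL is a PE DLL, an LNK starts with the 4C 00 00 00 header) and with a policy for encrypted archives, which the script can name but not open.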

DarkGate and PikaBot

DarkGate was first documented in 2017, but it only became available to the broader cybercrime community this past summer, resulting in a spike in its distribution through phishing and malvertising.

It is an advanced modular malware that supports a variety of malicious behaviors, including hVNC for remote access, cryptocurrency mining, reverse shell, keylogging, clipboard stealing, and information theft (files, browser data).

PikaBot is a newer malware first seen in early 2023 that consists of a loader and a core module, incorporating extensive anti-debugging, anti-VM, and anti-emulation mechanisms.

The malware profiles infected systems and sends the data to its command and control (C2) infrastructure, awaiting further instructions.

The C2 sends commands instructing the malware to download and execute modules in the form of DLL or PE files, shellcode, or command-line commands, making it a versatile tool.

Cofense warns that the PikaBot and DarkGate campaigns are run by sophisticated threat actors whose skills exceed those of common phishers, so organizations should familiarize themselves with the TTPs of this campaign.