Researchers at Cofense have recently uncovered a sophisticated phishing campaign that emerged in September. This campaign, believed to be linked to the QakBot operation, utilizes advanced tactics and evasive techniques to distribute malware and gain unauthorized access.

Description

The phishing campaign begins by distributing DarkGate malware, which is later replaced by PikaBot. These loaders have the ability to perform various malicious activities, including cryptocurrency mining [1] [5], credential theft [5], ransomware attacks, and remote access [5]. DarkGate employs legitimate AutoIT files and multiple scripts [5], while PikaBot is a newly developed loader equipped with evasive techniques to avoid detection.

The campaign employs tactics similar to previous QakBot phishing campaigns [2], such as hijacked email threads and unique URL patterns [4] [5]. It also utilizes an infection chain that resembles QakBot delivery. By exploiting the Microsoft ProxyLogon vulnerability [5], the threat actors impersonate administrators in hijacked email threads, gaining trust from their targets.

The most common delivery mechanism in this campaign is the JavaScript (JS) dropper [5], which Cofense Intelligence has tracked and documented [5]. Phishing campaigns using both DarkGate and PikaBot have been observed, suggesting a connection to the same threat actors behind the QakBot operation. These malware families are attractive to cybercriminals because they can deliver additional payloads to compromised hosts.

DarkGate is particularly adept at evading antivirus detection and has the capability to log keystrokes, execute PowerShell commands [3], and implement a reverse shell for remote control [1] [3]. The high-volume phishing campaign targets various sectors and employs booby-trapped URLs in hijacked email threads to deliver a JavaScript dropper that downloads and runs DarkGate or PikaBot [3]. An alternative variant of the attacks uses Excel add-in files [3] [4].
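A mail-triage check for the delivery pattern described above (a reply inside an existing thread that adds a link or a script/add-in file), written as an added example; it is not code from Cofense or the cited reports. The function names, the trusted-domain list, the `.js`/`.xll` extension list and every address and host in the sample are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
RISKY_EXT = (".js", ".xll")  # assumption: JS dropper and Excel add-in file types
# Constructed sample body: a new line with a link, then the quoted older thread.
SAMPLE_BODY = ("Please review: https://files.dropper.invalid/doc?id=1\n\n"
               "> earlier: https://wiki.corp.example/page\n")

def triage(raw: bytes, trusted: set) -> dict:
    """Flag replies whose new (unquoted) text links off-domain or that carry risky files."""
    msg = message_from_bytes(raw, policy=policy.default)
    is_reply = bool(msg["In-Reply-To"] or msg["References"])
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # Keep only newly written lines; quoted history is the original thread,
    # and its links would otherwise cause false positives.
    fresh = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith(">"))
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(fresh)}
    untrusted = sorted(h for h in hosts
                       if h and not any(h == d or h.endswith("." + d) for d in trusted))
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky = sorted(n for n in names if n.lower().endswith(RISKY_EXT))
    return {"is_reply": is_reply, "untrusted_hosts": untrusted,
            "risky_attachments": risky,
            "escalate": is_reply and bool(untrusted or risky)}

def sample(reply: bool, body: str, attachment: str = "") -> bytes:
    """Build a constructed test message (all addresses and hosts are made up)."""
    m = EmailMessage()
    m["From"], m["To"] = "it-admin@corp.example", "user@corp.example"
    m["Subject"] = "RE: Q3 invoice"
    if reply:
        m["In-Reply-To"] = m["References"] = "<thread-1@corp.example>"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(sample(True, SAMPLE_BODY), {"corp.example"}))
```

The check only raises `escalate` when the reply headers and a link or file indicator occur together, so it is a prioritisation signal for analysts rather than a verdict on the message.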

Conclusion

The discovery of this highly advanced and evasive phishing campaign has significant implications for cybersecurity. Organizations must remain vigilant and implement robust security measures to mitigate the risk of falling victim to such attacks. Additionally, the connection to the QakBot operation highlights the need for ongoing research and collaboration to stay ahead of evolving cyber threats. By understanding the tactics and techniques employed by threat actors, we can better protect ourselves and our systems from future attacks.

References

[1] https://teknomers.com/fr/darkgate-et-pikabot-malware-ressuscitent-les-tactiques-de-qakbot-dans-de-nouvelles-attaques-de-phishing/
[2] https://thecyberwire.com/podcasts/daily-podcast/1951/transcript
[3] https://owasp.or.id/2023/11/20/darkgate-and-pikabot-malware-resurrect-qakbots-tactics-in-new-phishing-attacks/
[4] https://thehackernews.com/2023/11/darkgate-and-pikabot-malware-resurrect.html
[5] https://securityboulevard.com/2023/11/are-darkgate-and-pikabot-the-new-qakbot/