Phishing campaigns delivering malware households equivalent to DarkGate and PikaBot are following the identical techniques beforehand utilized in assaults leveraging the now-defunct QakBot trojan.
“These embody hijacked e-mail threads because the preliminary an infection, URLs with distinctive patterns that restrict consumer entry, and an an infection chain almost similar to what we’ve seen with QakBot supply,” Cofense mentioned in a report shared with The Hacker Information.
“The malware households used additionally observe go well with to what we’d anticipate QakBot associates to make use of.”
QakBot, additionally referred to as QBot and Pinkslipbot, was shut down as a part of a coordinated legislation enforcement effort codenamed Operation Duck Hunt earlier this August.
Using DarkGate and PikaBot in these campaigns is no surprise as they’ll each act as conduits to ship extra payloads to compromised hosts, making them each a beautiful possibility for cybercriminals.
PikaBot’s parallels to QakBot have been beforehand highlighted by Zscaler in its evaluation of the malware in Might 2023, noting similarities within the “distribution strategies, campaigns, and malware behaviors.”
DarkGate, for its half, incorporates superior methods to evade detection by antivirus techniques, alongside capabilities to log keystrokes, execute PowerShell, and implement a reverse shell that permits its operators to commandeer an contaminated host remotely.
“The connection is bidirectional, which means the attackers can ship instructions and obtain responses in real-time, enabling them to navigate the sufferer’s system, exfiltrate information, or carry out different malicious actions,” Sekoia mentioned in a brand new technical report of the malware.
Cofense’s evaluation of the high-volume phishing marketing campaign exhibits that it targets a variety of sectors, with the assault chains propagating a booby-trapped URL pointing to a ZIP archive in hijacked e-mail threads.
The ZIP archive incorporates a JavaScript dropper that, in flip, contacts a second URL to obtain and run both the DarkGate or PikaBot malware.
A noteworthy variant of the assaults has been noticed profiting from Excel add-in (XLL) information in lieu of JavaScript droppers to ship the ultimate payloads.
“A profitable DarkGate or PikaBot an infection might result in the supply of superior crypto mining software program, reconnaissance instruments, ransomware, or another malicious file the menace actors want to set up on a sufferer’s machine,” Cofense mentioned.