New DarkGate and PikaBot phishing campaign leverages QakBot’s tactics

Cofense researchers spotted a phishing campaign distributing the DarkGate and PikaBot malware that leverages evasive tactics and anti-analysis techniques previously seen in the QakBot campaigns.

The notorious Qakbot botnet that infected more than 700,000 computers globally and was linked to multiple attacks involving ransomware, financial fraud and other cybercriminal activity was dismantled in August 2023 as a result of an international law enforcement operation.

The Qakbot (aka QBot, QuackBot, and Pinkslipbot) malware infected victim machines primarily via spam emails with malicious attachments or links. Initially designed as a banking trojan, QakBot has received new capabilities over time. Other than permitting initial access to targeted networks, QakBot delivers other remote-access payloads, steals sensitive data, and helps lateral movement and remote code execution. Qakbot was used by many prolific ransomware groups, including Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. It was the most popular malware loader during the first seven months of 2023.

About a month after the takedown, cybersecurity researchers observed threat actors behind QakBot distributing the Ransom Knight ransomware and the Remcos backdoor, suggesting that the law enforcement operation may not have impacted Qakbot operators’ spam delivery infrastructure but rather only their command and control (C2) servers.

As for the DarkGate and PikaBot malware campaign, Cofense says it started in September 2023. The campaign followed tactics used in QakBot phishing campaigns, including hijacked email threads as the initial infection vector, URLs with unique patterns that limit which users can reach the payload, and an infection chain nearly identical to what was observed with QakBot delivery.

The campaign begins with a hijacked email thread used to trick the recipient into interacting with a URL. That URL has added layers that restrict access to the malicious payload to users who meet specific requirements set by the threat actors (location and web browser). It downloads a ZIP archive containing a JS file designed to download and run the malware; at this stage the user has been infected with either DarkGate or PikaBot.

Both DarkGate and PikaBot are advanced malware with loader capabilities and anti-analysis behavior. First spotted in 2018, DarkGate is capable of cryptocurrency mining, credential theft, ransomware, and remote access. The malware has multiple methods of avoiding detection and two distinct methods of escalating privileges. DarkGate makes use of legitimate AutoIT files and typically runs multiple AutoIT scripts.

PikaBot is a new loader first seen in 2023. It implements several evasive techniques to defeat sandboxes, virtual machines, and other debugging and analysis tooling. It has been observed to avoid infecting machines in CIS (Commonwealth of Independent States) countries.

The campaign combines well-known evasive phishing tactics with techniques known to disrupt malware analysis processes. The threat actors distribute the phishing emails through hijacked email threads that may be obtained by exploiting Microsoft ProxyLogon vulnerabilities.

While the most common delivery mechanism seen in this campaign is JS droppers, the threat actors are also making use of VBS downloaders, LNK downloaders, and Excel-DNA loaders. The use of Excel-DNA loaders is noteworthy because it is a relatively new delivery mechanism, first seen in 2021, the researchers noted.
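The infection chain above (a ZIP archive carrying a JS dropper) and the alternative delivery mechanisms listed here (VBS, LNK and Excel-DNA loaders) share one property a mail gateway or EDR can check before anything runs: the archive member is a script or add-in rather than the document the file name suggests. The following Python is an added example written for this article, not code from Cofense or from the campaign. It inspects an attachment archive offline and flags members by file type and by document-style double extensions. The sample archive it builds is constructed for the demonstration; the mapping of "Excel-DNA loader" to the `.xll` add-in extension is an assumption, since the article names only the loader family.

```python
import io
import zipfile

# Member types matching the delivery mechanisms the article lists for this campaign.
# ".xll" for Excel-DNA is an assumption: Excel-DNA add-ins ship as .xll files, but the
# article itself only says "Excel-DNA loaders".
SCRIPT_EXTENSIONS = {
    ".js": "JavaScript dropper",
    ".jse": "encoded JavaScript dropper",
    ".vbs": "VBScript downloader",
    ".vbe": "encoded VBScript downloader",
    ".lnk": "Windows shortcut downloader",
    ".xll": "Excel add-in loader (Excel-DNA)",
}

# Document-looking inner extensions used to make "Invoice.pdf.js" look like a PDF.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def inspect_archive(zip_bytes: bytes) -> dict[str, list[str]]:
    """Return {member name: [reasons]} for archive members that look like droppers.

    Only member names are examined; the member contents are never extracted or executed.
    """
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Normalise to the bare file name, lower-cased, so "Dir/INVOICE.PDF.JS" is caught.
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons: list[str] = []
            if ext in SCRIPT_EXTENSIONS:
                reasons.append(SCRIPT_EXTENSIONS[ext])
            # "name.pdf.js": a document extension directly before the real one.
            if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("document-style name hiding the real extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def should_quarantine(zip_bytes: bytes) -> bool:
    """Policy decision: hold the message if any member matches a dropper pattern."""
    return bool(inspect_archive(zip_bytes))


def build_sample_archive() -> bytes:
    """Constructed sample resembling the lure: one JS member with a PDF-looking name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder content only; this is not dropper code.
        zf.writestr("Invoice_2023-09.pdf.js", "// constructed placeholder\n")
        zf.writestr("README.txt", "benign text\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control sample with no script members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.docx", "placeholder document bytes\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_archive(build_sample_archive()).items():
        print(f"{member}: {', '.join(reasons)}")
    print("quarantine:", should_quarantine(build_sample_archive()))
```

The check is deliberately name-based so it can run in a mail pipeline before any content is opened; a real deployment would pair it with the gateway's existing attachment sandboxing rather than replace it, since an archive can also carry a renamed script that the name alone does not reveal.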
