DarkGate and PikaBot Leveraging QakBot TTPs in Phishing Campaign

Report indicates a new phishing campaign spreading DarkGate and PikaBot that is leveraging tactics previously used to deploy QakBot.

On November 20, 2023, Cofense researchers published a report on a phishing campaign spreading DarkGate and PikaBot that is leveraging tactics previously used to deploy QakBot.

Context

Cofense researchers stated, “This campaign disseminates a high volume of emails to a wide range of industries, and due to the loader capabilities of the malware delivered, targets can be at risk of more sophisticated threats like reconnaissance malware and ransomware.”

Technical Detail

According to Cofense, “The campaign begins with a hijacked email thread to bait users into interacting with a URL that has added layers that limit access to the malicious payload only to users that meet specific requirements set by the threat actors (location and internet browser). This URL downloads a ZIP archive that contains a JS file that is a JS Dropper, which is a JavaScript application used to reach out to another URL to download and run malware. At this stage, a user has been successfully infected with either the DarkGate or PikaBot malware.”
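The delivery chain described above ends with a ZIP archive that carries a JavaScript dropper. A mail gateway or sandbox can flag that stage before the script is ever run by inspecting the archive listing. The following is an added example written for this post, not code from Cofense or from the RH-ISAC; the sample archives are constructed inline, and the extensions beyond `.js` are an assumed generalization to other Windows script-host formats rather than something the report names.

```python
"""Flag ZIP attachments whose members are script droppers (added example, not Cofense's code)."""
import io
import zipfile
from pathlib import PurePosixPath

# ".js" is the dropper type named in the Cofense report; the remaining
# extensions are an assumed generalization to other Windows script-host formats.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".hta"}


def find_script_members(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members whose final extension marks them as a script.

    Only the last suffix is examined, so a double extension such as
    'invoice.pdf.js' is still caught. Malformed archives yield an empty list.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [
                info.filename
                for info in zf.infolist()
                if not info.is_dir()
                and PurePosixPath(info.filename).suffix.lower() in SCRIPT_EXTENSIONS
            ]
    except zipfile.BadZipFile:
        # Not a readable ZIP: a separate rule should handle corrupt or
        # password-protected archives, which this check cannot inspect.
        return []


def should_quarantine(zip_bytes: bytes) -> bool:
    """Quarantine decision: any script member in the archive is enough."""
    return bool(find_script_members(zip_bytes))


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory archive for the demo; not a real campaign artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one archive shaped like the dropper stage, one benign.
    dropper_zip = build_sample_zip({"Invoice_2023-11.js": b"// placeholder body, not a dropper"})
    benign_zip = build_sample_zip({"report.pdf": b"%PDF-1.4 placeholder"})
    print("script members:", find_script_members(dropper_zip))
    print("quarantine benign archive?", should_quarantine(benign_zip))
```

The listing-only approach is deliberate: reading member names costs nothing and does not execute anything, so it can sit inline in the mail path. It does not see inside encrypted or nested archives, which is why the `BadZipFile` branch returns an empty list rather than a verdict; those cases need their own handling.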

Cofense researchers also noted:

  • evasive tactics in the campaign such as leveraging hijacked email threads
  • multiple droppers and loaders
  • adaptive methods by threat actors over time

Community Perspective

DarkGate reporting by the community has risen significantly in the second half of 2023. Members have reported phishing campaigns delivering DarkGate that use Microsoft Teams and Skype-themed lures.

Interestingly, PikaBot has only been observed and reported once by the RH-ISAC community, in early November 2023.

QakBot, also called Qbot, previously ranked as a top malware reported by the RH-ISAC community and was shut down as part of a coordinated law enforcement effort in August 2023.
