November 20, 2023 at 10:12AM
Phishing campaigns delivering the DarkGate and PikaBot malware are using tactics previously seen in QakBot trojan attacks. Both families resemble QakBot in their distribution methods and behavior. DarkGate has advanced evasion techniques and remote-control capabilities, while PikaBot can deliver additional payloads. The attacks target various sectors, spreading through booby-trapped URLs in hijacked email threads, and can install crypto-mining software, reconnaissance tools, or ransomware on infected machines.
Key takeaways from the report:
1. Phishing campaigns are delivering malware families such as DarkGate and PikaBot using similar tactics previously used by the QakBot trojan.
2. Both DarkGate and PikaBot can act as conduits to deliver additional malicious payloads to compromised hosts.
3. DarkGate incorporates advanced techniques to evade antivirus detection and has capabilities like logging keystrokes, executing PowerShell, and implementing a bidirectional connection to commandeer infected hosts.
4. The high-volume phishing campaign targets a wide range of sectors and uses hijacked email threads containing booby-trapped URLs to propagate the attack chains.
5. The attack chains lead to downloading and running either DarkGate or PikaBot malware from a second URL.
6. A variant of the attacks uses Excel add-in (XLL) files instead of JavaScript droppers for delivering the final payloads.
7. A successful DarkGate or PikaBot infection could result in the installation of advanced crypto mining software, reconnaissance tools, ransomware, or any other malicious files chosen by the threat actors.
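The chain described in points 4 to 6 (a reply into a hijacked thread carrying a URL, then a JavaScript or XLL dropper) suggests two triage heuristics a mail-gateway team can run over message metadata. The following is an added example, not code from the report or from any vendor; the message fields (id, thread_id, body, attachments) and the sample thread are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Attachment types the report names as droppers: JavaScript files and Excel add-ins (XLL).
DROPPER_EXTENSIONS = (".js", ".xll")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def url_hosts(text):
    """Hostnames of every http(s) URL in a message body, lower-cased."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def triage_threads(messages):
    """Return [(message id, [reasons])] for messages worth analyst review.
    Heuristic 1: a reply that introduces a URL host the thread never contained.
    Heuristic 2: any attachment with a dropper extension.
    `messages` must be in delivery order; each is a dict with keys
    id, thread_id, body and attachments (list of filenames)."""
    seen_hosts = defaultdict(set)   # thread_id -> hosts already linked in that thread
    depth = defaultdict(int)        # thread_id -> messages seen so far
    findings = []
    for msg in messages:
        tid, reasons = msg["thread_id"], []
        hosts = url_hosts(msg["body"])
        new_hosts = hosts - seen_hosts[tid]
        if depth[tid] > 0 and new_hosts:   # a reply, not the thread opener
            reasons.append("reply introduces new URL host(s): " + ", ".join(sorted(new_hosts)))
        for name in msg["attachments"]:
            if name.lower().endswith(DROPPER_EXTENSIONS):
                reasons.append("dropper-type attachment: " + name)
        if reasons:
            findings.append((msg["id"], reasons))
        seen_hosts[tid] |= hosts
        depth[tid] += 1
    return findings

# Constructed sample (not real traffic): two benign messages, a reply linking a
# host the thread never contained, and a separate message carrying an XLL file.
SAMPLE_MESSAGES = [
    {"id": "m1", "thread_id": "t1", "body": "Draft at https://intranet.example/q3", "attachments": []},
    {"id": "m2", "thread_id": "t1", "body": "Reviewing https://intranet.example/q3 now", "attachments": []},
    {"id": "m3", "thread_id": "t1", "body": "Updated copy: http://files.invalid/share/x", "attachments": []},
    {"id": "m4", "thread_id": "t2", "body": "Please install the add-in", "attachments": ["report.xll"]},
]
```

In a real deployment `thread_id` would be derived from the gateway's conversation or `In-Reply-To`/`References` headers, and the findings would feed a review queue rather than block delivery outright, since a legitimate partner sharing a new file host produces the same signal.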