November 21, 2023 at 10:56AM
A sophisticated phishing campaign delivering the DarkGate and PikaBot malware loaders is posing a significant threat to organizations. The campaign began after the takedown of the Qakbot operation and is considered one of the most advanced seen since then. The attackers employ tactics similar to those of the earlier Qakbot campaigns, which suggests the same operators have shifted to newer malware botnets. Both loaders are used to gain initial access to networks and to stage follow-on ransomware, espionage, and data theft. Organizations should familiarize themselves with the tactics, techniques, and procedures (TTPs) used in this campaign.
Key takeaways from the meeting notes:
1. There is a sophisticated phishing campaign currently active that combines DarkGate and PikaBot malware. It is considered a high-level threat because of the advanced capabilities of the malware and the care taken in delivering the phishing emails.
2. The campaign started after the FBI dismantled the QBot (Qakbot) infrastructure in late August 2023, indicating that the threat actors behind QBot have now moved on to these newer malware botnets.
3. The DarkGate and PikaBot campaigns employ tactics and techniques similar to those of previous Qakbot campaigns, so they pose a serious risk to enterprises.
4. Both DarkGate and PikaBot are modular malware loaders with feature sets comparable to QBot, so threat actors can be expected to use them for initial network access followed by ransomware deployment, espionage, and data theft.
5. The phishing attack in this campaign begins with emails that are replies or forwards of stolen discussion threads, increasing the likelihood of recipients trusting the communication.
6. Users who click on an embedded URL pass through a series of checks intended to confirm they are the intended targets (a common filter against security researchers and automated analysis). Those who pass are prompted to download a ZIP archive containing a malware dropper, which then fetches the final payload from a remote resource.
7. The attackers experimented with different initial droppers, including JavaScript droppers, Excel-DNA-based XLL add-in loaders, VBS downloaders, and LNK downloaders.
8. DarkGate malware, first documented in 2017, became widely distributed during summer 2023 through phishing and malvertising. It supports a range of malicious capabilities, including remote access, cryptocurrency mining, keylogging, and information stealing.
9. PikaBot is a newer malware family first observed in early 2023. It consists of a loader and a core module with extensive anti-debugging and anti-emulation mechanisms. PikaBot profiles infected systems and then waits for instructions from its command and control infrastructure.
10. The DarkGate and PikaBot campaigns are run by experienced threat actors and therefore pose a higher risk than ordinary phishing. Organizations should familiarize themselves with the tactics, techniques, and procedures (TTPs) of this campaign.
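The delivery chain in takeaways 5 to 7 (a reply or forward of a hijacked thread, a link or attachment leading to a ZIP archive, and a script or add-in dropper inside that archive) lends itself to a simple mail-gateway triage rule. The following is an added example written for this page and is not code from the original article or from the researchers who tracked the campaign. The email records and the ZIP contents are constructed inline for illustration; the mapping of dropper types to file suffixes (`.js`, `.vbs`, `.lnk`, `.xll` and their encoded variants) is an assumption based on the dropper families named above.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Assumed file suffixes for the initial droppers named in the campaign:
# JavaScript, VBS, LNK downloaders and Excel-DNA XLL add-ins.
DROPPER_SUFFIXES = (".js", ".jse", ".vbs", ".vbe", ".lnk", ".xll")

# Subjects that look like replies/forwards, the hijacked-thread lure.
REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)


def archive_dropper_names(archive_bytes):
    """Return member names inside a ZIP whose suffix matches a known dropper type.

    Raises zipfile.BadZipFile if the bytes are not a valid archive.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(DROPPER_SUFFIXES):
                found.append(info.filename)
    return found


def score_email(message):
    """Return a list of human-readable reasons the message matches the chain.

    message: dict with keys 'subject', 'urls' (list of str) and
    'attachments' (list of (filename, bytes) tuples).
    """
    reasons = []
    if REPLY_PREFIX.match(message.get("subject", "")):
        reasons.append("reply/forward subject (possible hijacked thread)")

    for url in message.get("urls", []):
        # Ignore query strings; only the path decides whether a ZIP is served.
        if urlparse(url).path.lower().endswith(".zip"):
            reasons.append(f"link to ZIP archive: {url}")

    for name, data in message.get("attachments", []):
        if not name.lower().endswith(".zip"):
            continue
        try:
            members = archive_dropper_names(data)
        except zipfile.BadZipFile:
            reasons.append(f"attachment {name} is not a valid ZIP archive")
            continue
        if members:
            reasons.append(f"ZIP {name} contains dropper candidates: {members}")
    return reasons


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample messages (not real campaign data).
SAMPLE_EMAILS = [
    {
        "id": "m1",
        "subject": "RE: invoice discussion",
        "urls": ["https://example.invalid/docs/Report.zip?id=42"],
        "attachments": [],
    },
    {
        "id": "m2",
        "subject": "FW: contract",
        "urls": [],
        "attachments": [("Agreement.zip", build_zip({"Agreement.js": b"// dropper"}))],
    },
    {
        "id": "m3",
        "subject": "Weekly report",
        "urls": ["https://example.invalid/report"],
        "attachments": [("photos.zip", build_zip({"a.jpg": b"\xff\xd8"}))],
    },
]


def triage(messages):
    """Map message id -> list of reasons; an empty list means no match."""
    return {m["id"]: score_email(m) for m in messages}


if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_EMAILS).items():
        print(msg_id, reasons or "clean")
```

The rule is deliberately narrow: a reply-style subject alone is not a verdict, it is one signal combined with the ZIP-plus-script pattern. In production the same logic would run against the archive actually fetched from the link (after the server-side checks in takeaway 6, which this example does not attempt to reproduce), not just against attachments.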