Recent phishing campaigns have taken a page from the playbook of the defunct QakBot trojan, employing similar tactics in their approach. DarkGate and PikaBot, two malware families, are now being utilized in phishing campaigns, replicating methods that were previously characteristic of QakBot’s operations.
These strategies involve hijacking email threads for initial infections and utilizing URLs with unique patterns that restrict user access, closely mirroring QakBot’s delivery methods. Notably, the malware families involved in these campaigns closely resemble the types that were typically associated with QakBot-affiliated attacks, illustrating a resurgence of older attack methodologies in contemporary cybercrime.
The termination of QakBot, also known as QBot and Pinkslipbot, was a result of the coordinated law enforcement operation termed Operation Duck Hunt, conducted earlier in August. The reemergence of similar attack strategies using DarkGate and PikaBot doesn’t come as a surprise, given that both can serve as conduits to deliver additional payloads to compromised systems, making them an appealing choice for cybercriminals seeking to maximize the impact of their attacks.
Zscaler’s analysis of PikaBot in May 2023 had previously underscored its similarities to QakBot, emphasizing resemblances in distribution methods, campaigns, and malware behaviors.
These phishing campaigns, detailed in a Cofense report, exhibit a wide-reaching impact, targeting various sectors. The attack chains begin with booby-trapped URLs, concealed within hijacked email threads, that direct victims to ZIP archives containing JavaScript droppers. These JavaScript droppers subsequently access a second URL to download and execute either DarkGate or PikaBot malware.
Additionally, a variant of these attacks has been observed deploying Excel add-in (XLL) files instead of JavaScript droppers to deliver the final malicious payloads. Such infections could potentially lead to the deployment of advanced crypto mining tools, reconnaissance software, ransomware, or other malicious files, underscoring the severity and versatility of these phishing attacks leveraging DarkGate and PikaBot.
