
After Qakbot, DarkGate and Pikabot Emerge as the New Notorious Malware


The PikaBot malware has been added to the already complex phishing campaign that distributes DarkGate infections, making it the most sophisticated campaign seen since the Qakbot operation was taken down.

The phishing email campaign began in September 2023, right after the FBI took down the Qbot (Qakbot) infrastructure. 

In a report recently published by Cofense, researchers explain that the DarkGate and Pikabot operations employ strategies and methods that are reminiscent of earlier Qakbot attacks, suggesting that the threat actors behind Qbot have now shifted to more recent malware botnets.

"This campaign is undoubtedly a high-level threat due to the tactics, techniques, and procedures (TTPs) that enable the phishing emails to reach intended targets as well as the advanced capabilities of the malware being delivered," the report reads. 

This presents a serious risk to organizations, because DarkGate and Pikabot are modular malware loaders that share many features with Qbot, and Qbot was one of the most widely used malware botnets spread by malicious email.

Threat actors are likely to use the new loaders, as they used Qbot, to gain initial access to networks and then carry out ransomware, espionage, and data theft attacks.

The DarkGate and Pikabot Campaign

Earlier this year there was a dramatic surge in malicious emails distributing the DarkGate malware. Since October 2023, threat actors have begun using Pikabot as the main payload.

The phishing attack starts with an email, a reply to or forward of a stolen email thread, sent to the targeted victims, who are inclined to trust a message that continues a conversation they recognise.

After clicking the embedded URL, users are prompted to download a ZIP file containing a malware dropper that retrieves the final payload from a remote location. Checks along the way ensure that the visitor is a genuine target before the payload is served.

According to Cofense, the attackers tested a number of early malware droppers to see which one worked best, including:

  • JavaScript dropper for downloading and executing PEs or DLLs.
  • Excel-DNA loader based on an open-source project for developing XLL files, abused here to install and run malware.
  • VBS (Visual Basic Script) downloaders that execute malware via .vbs files embedded in Microsoft Office documents or invoke command-line executables.
  • LNK downloaders that abuse Microsoft shortcut files (.lnk) to download and execute malware.

As of September 2023, DarkGate served as the final payload of these attacks. In October 2023, PikaBot took its place.

DarkGate and PikaBot

DarkGate first came to light in 2017 but only became available to other threat actors last summer. Since then, its use in phishing attacks and malvertising has increased.

This sophisticated modular malware can perform a wide range of malicious actions, including keylogging, bitcoin mining, reverse shells, hVNC remote access, clipboard theft, and theft of information such as files and browser data.

PikaBot, on the other hand, was discovered much more recently, in 2023. It consists of a loader and a core module and incorporates extensive anti-debugging, anti-VM, and anti-emulation mechanisms.

The malware profiles targeted systems and transfers the data to its command and control (C2) infrastructure, awaiting additional instructions.

The C2 delivers the commands to the malware that order it to download and run modules in the form of DLL or PE files, shellcode, or command-line commands.

Cofense has further cautioned that the PikaBot and DarkGate campaigns are run by threat actors who know what they are doing and whose capabilities are top-of-the-line. Organizations should therefore familiarise themselves with the TTPs of this phishing campaign.

DarkGate Using its New Variant MSI to Harm Your System


In the last month, the Netskope Threat Labs team noticed a large increase in malware being distributed through SharePoint. This happened because some attackers used Microsoft Teams and SharePoint to trick people into downloading malware called DarkGate. DarkGate is a malware that was first found in 2018, and it has been used in many attacks recently.

People like using DarkGate because it can do a lot of harmful things like taking control of a computer, recording what you type, stealing information, and even downloading more bad software. DarkGate can also be used to start even bigger attacks, like locking up your files and asking for money to unlock them. 

Recently, Netskope found a new version of DarkGate being distributed as an MSI installer file, using a loading technique similar to one seen with Cobalt Strike Beacon.

Let's take a closer look at how the MSI infects a system.

The infection process begins with a deceptive email that pretends to be an invoice. The email carries a PDF document which, when opened, shows a template resembling a DocuSign document, designed to convince the user that they need to review a document. When the user clicks on the document, an MSI file is executed. This sets off a series of steps that load various components, all contained within a CAB (cabinet) archive stored inside the MSI.
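A defender triaging a suspicious installer wants to know whether it carries an embedded cabinet before running it. The following Python example, added here and not part of the Netskope write-up, carves Microsoft Cabinet headers (the documented CFHEADER layout) out of an arbitrary blob by scanning for the "MSCF" signature and rejecting inconsistent candidates; the sample bytes are constructed for the demonstration and are not taken from a real DarkGate MSI.

```python
import struct

# CFHEADER: the fixed 36-byte structure that opens every Microsoft Cabinet file.
# Fields: signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
#         versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
CAB_MAGIC = b"MSCF"


def parse_cab_header(blob, offset):
    """Parse a CFHEADER at `offset`; return a dict, or None if it is not plausible."""
    if len(blob) - offset < CFHEADER.size:
        return None
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, flags, set_id, i_cabinet) = CFHEADER.unpack_from(blob, offset)
    # Reject "MSCF" strings that are not followed by a self-consistent header.
    if sig != CAB_MAGIC or cb_cabinet < CFHEADER.size or coff_files >= cb_cabinet:
        return None
    return {
        "offset": offset,
        "size": cb_cabinet,
        "version": f"{ver_major}.{ver_minor}",
        "folders": c_folders,
        "files": c_files,
        "flags": flags,
        "set_id": set_id,
        "truncated": offset + cb_cabinet > len(blob),  # header claims more bytes than exist
    }


def carve_cabs(blob):
    """Return every plausible embedded cabinet found by signature scanning."""
    found = []
    pos = blob.find(CAB_MAGIC)
    while pos != -1:
        hdr = parse_cab_header(blob, pos)
        if hdr is not None:
            found.append(hdr)
        pos = blob.find(CAB_MAGIC, pos + 1)
    return found


# Constructed sample: a decoy "MSCF" string, then a hand-built CFHEADER claiming a
# 4096-byte cabinet with 1 folder and 2 files. No real cabinet body follows it.
SAMPLE_CAB = CFHEADER.pack(b"MSCF", 0, 0x1000, 0, 0x2C, 0, 3, 1, 1, 2, 0, 0x1234, 0)
SAMPLE_MSI_LIKE = b"\x00" * 64 + b"MSCF" + b"junk" + b"\x00" * 40 + SAMPLE_CAB + b"\xff" * 32

if __name__ == "__main__":
    for cab in carve_cabs(SAMPLE_MSI_LIKE):
        print(cab)
```

The "truncated" flag is set on the sample because the header advertises 4096 bytes that are not present; on a real MSI, pass the file contents to carve_cabs and inspect each returned offset and file count before handing the archive to an extractor.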

Additionally, Trend Micro has noted that the DarkGate operators have attempted to distribute their malware through Microsoft Teams in organizations that allow messages from external users. In the past, Truesec and MalwareBytes have identified phishing campaigns in Teams that utilize harmful VBScript to deploy the DarkGate malware. 

Despite its age, DarkGate remains a prominent threat, exhibiting heightened activity in recent times. The DarkGate malware loader has witnessed a substantial surge in cybercriminal interest, becoming a favoured tool for gaining initial access to corporate networks. This uptick in usage garnered attention, especially after the successful disruption of the Qakbot botnet in August, underscoring the impact of international collaborative efforts. 

In the lead-up to the dismantling of the Qakbot botnet, an individual claiming to be DarkGate's developer sought to peddle subscriptions on a hacking forum, floating the possibility of an annual fee as high as $100,000. 

Various campaigns have employed diverse delivery and loading techniques, accompanied by the introduction of new malware functionalities. This demands vigilant efforts from the security community. Netskope Threat Labs is committed to monitoring the evolution of DarkGate malware and its Tactics, Techniques, and Procedures (TTPs).