Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label QBot. Show all posts

After Qakbot, DarkGate and Pikabot Emerge as the New Notorious Malware


The PikaBot malware has been added to the already complicated phishing campaign that is transmitting the darkGate malware infections, making it the most sophisticated campaign since the Qakbot operation was taken down.

The phishing email campaign began in September 2023, right after the FBI took down the Qbot (Qakbot) infrastructure. 

In a report recently published by Cofense, researchers explain that the DarkGate and Pikabot operations employ strategies and methods that are reminiscent of earlier Qakbot attacks, suggesting that the threat actors behind Qbot have now shifted to more recent malware botnets.

"This campaign is undoubtedly a high-level threat due to the tactics, techniques, and procedures (TTPs) that enable the phishing emails to reach intended targets as well as the advanced capabilities of the malware being delivered," the report reads. 

This presents a serious risk to the organization because DarkGate and Pikabot are modular malware loaders that have many of the same features as Qbot, and Qbot was one of the most widely used malware botnets that were spread by malicious email.

Threat actors would likely utilize the new malware loaders, like Qbot, to get initial access to networks and carry out ransomware, espionage, and data theft assaults.

The DarkGate and Pikabot Campaign

Earlier this year, there had been a dramatic surge in malicious emails promoting the DarkGate ransomware. Starting in October 2023, threat actors have begun using Pikabot as the main payload.

This phishing attack takes place by sending an email – that is a reply or forward of a stolen discussion threat – to the targeted victims, who trust the fraudulent communications. 

After clicking on the embedded URL, users are prompted to download a ZIP file containing a malware dropper that retrieves the final payload from a remote location. These tests ensure that the users are legitimate targets.

According to Cofense, the attackers tested a number of early malware droppers to see which one worked best, including:

  • JavaScript dropper for downloading and executing PEs or DLLs. 
  • Excel-DNA loader based on an open-source project used in developing XLL files, exploited here for installing and running malware. 
  • VBS (Virtual Basic Script) downloaders that can execute malware via .vbs files in Microsoft Office documents or invoke command-line executables. 
  • LNK downloaders that exploit Microsoft shortcut files (.lnk) to download and execute malware.
  • As of September 2023, the DarkGate malware served as the ultimate payload for these attacks. In October 2023, PikaBot took its place.

DarkGate and PikaBot

DarkGate first came to light in 2017, however only became available to the threat actors past summer. As a result, its contribution to conducting phishing attacks and malvertising increases.

This sophisticated modular malware may perform a wide range of malicious actions, such as keylogging, bitcoin mining, reverse shelling, hVNC remote access, clipboard theft, and information (files, browser data) theft.

PikaBot, on the other hand, was discovered much recently in 2023. It consists of a loader and a core module, slotting in extensive anti-debugging, anti-VM, and anti-emulation mechanisms.

The malware profiles targeted systems and transfers the data to its command and control (C2) infrastructure, awaiting additional instructions.

The C2 delivers the commands to the malware that order it to download and run modules in the form of DLL or PE files, shellcode, or command-line commands.

Cofense has further cautioned that PikaBot and DarkGarw campaigns are being conducted by threat actors who are conversant with what they are doing and that their capabilities are top-of-the-line. Thus, organizations must be thoroughly introduced to the TTPs for this phishing campaign.  

Emotet Malware: Shut Down Last Year, Now Showing a Strong Resurgence

 

The notorious Emotet malware operation is exhibiting a strong resurgence more than a year after being effectively shut down. Check Point researchers put the Windows software nasty at the top of their list as the most commonly deployed malware in a March threat index, threatening or infecting as many as 10% of organisations around the world during the month – an almost unbelievable figure, and more than double that of February. 

Now, according to Kaspersky Labs, a swiftly accelerating and sophisticated spam email campaign is intriguing targets with fraudulent emails designed to swindle them into unpacking and installing Emotet or Qbot malware, which can steal data, collect information on a compromised corporate network, and move laterally through the network to install ransomware or other trojans on networked computers. 

Qbot, which is associated with Emotet's operators, is also capable of accessing and stealing emails. In a blog post this week, Kaspersky's email threats protection group manager, Andrey Kovtun, stated. In February, Kaspersky discovered 3,000 malicious Emotet-linked emails, followed by 30,000 a month later, in languages including English, French, Italian, Polish, Russian, and Spanish. 

Kovtun wrote, "Some letters that cybercriminals send to the recipients contain a malicious attachment. In other cases, it has a link which leads to a file placed in a legitimate popular cloud-hosting service. Often, malware is contained in an encrypted archive, with the password mentioned in the e-mail body." 

The spam email often claims to include essential information, such as a commercial offer, in order to persuade the recipient to open the attachment or download the harmful file via the link. "Our experts have concluded that these e-mails are being distributed as part of a coordinated campaign that aims to spread banking Trojans," he wrote further. 

Cryptolaemus, a group of security researchers and system administrators formed more than two years ago to combat Emotet, announced on Twitter this week that one of the botnet subgroups has switched from 32-bit to 64-bit for loaders and stealer modules, indicating the botnet's operators' continued development. Emotet immediately resurfaced in the malware world's upper echelons. Europol, along with police departments from the United States, Germany, the United Kingdom, and Ukraine, completed a multinational takedown of the primary botnet deploying Emotet in February 2021. Raids on the accused operators' houses in Ukraine were part of the operation. 

The raid, according to Europol, substantially impacted Emotet's operations, which were used to infiltrate thousands of firms and millions of computers around the world. However, in publishing its March threat index, Check Point Research stated that Emotet resurfaced in November 2021 and has gained traction after the Trickbot botnet infrastructure was shut down in February. It is once again the most common malware. 

The researchers wrote, "This was solidified even further [in March] as many aggressive email campaigns have been distributing the botnet, including various Easter-themed phishing scams exploiting the buzz of the festivities. These emails were sent to victims all over the world with one such example using the subject 'Buona Pasqua, happy easter,' yet attached to the email was a malicious XLS file to deliver Emotet." 

Qbot Malware: Steals Your Data In 30 Minutes

 

The large-scale spread of the Qbot malware (aka QuakBot or Qakbot) has taken up speed recently, as per the experts, it hardly takes around 30 minutes to steal Sensitive data after the early stage infiltration. The DFIR report suggests that Qbot was executing these fast data-stealing attacks in October 2021, and now it suggests that the hackers have resurfaced with similar strategies. Particularly, researchers believe that it takes around 30 minutes for the threat actors to steal browser info and emails from Outlook and around 50 minutes for the actors to switch to another workstation. 

The timeline suggests that Qbot travels fast to execute privilege escalation the moment an infection takes place, and a full-fledged monitoring scan can take up to ten minutes. Entry-level access to Qbot infections is generally obtained via phishing emails with harmful attacks, like Excel (XLS) documents that may use a macro to plant a DLL loader on the victim machine. Taking a look back, we have noticed that Qbot phishing campaigns use different infection file templates. If launched, the Qbot DLL payload is planted and deployed in genuine Windows applications to avoid detection, like Mobsync.exe or MSRA.exe. 

For instance, the DFIR report reveals that Qbot was planted into MSRA.exe and then creates a timelined task for privilege escalation. Besides this, Qbot DLL with the help of malware is added to Microsoft Defender's execution list, to avoid getting identified when planted into MSRA.exe. Qbot can steal mails in 30 minutes after the initial deployment, these mails are used in the future for phishing attacks. Experts observed that Qbot is also capable of stealing Windows credentials by dumping Local Security Authority Server Service (LSASS) process memory and stealing it from different browsers. 

The stolen credentials are later used for spreading the malware on other device networks laterally. The malware only took 50 minutes for dumping credentials after its execution. Bleeping Computer reports "Microsoft report from December 2021 captured the versatility of Qbot attacks, making it harder to evaluate the scope of its infections accurately. However, no matter how a Qbot infection unfolds precisely, it is essential to keep in mind that almost all begin with an email."

QBot Malware Replaces IcedID in Malspam Campaigns

 

QBot malware is making a comeback replacing IcedID in Malspam campaigns. Security researchers have noticed that malware distributors are once again rotating the payload, switching between Trojans which is an intermediary stage in a long transition chain. In one case, Tango appears to be with QBot and IcedID, two banking Trojans that are often seen delivering various ransomware strains as the final payload in an attack.

In February, IcedID was a new malware coming from URLs that served QBot. Brad Duncan of Palo Alto Networks spotted the changes and noted in his analysis at the time: “HTTPS URL ends with /ds/2202.gif, generated by Excel macro, which would normally distribute cacobet, but today it delivered IcedID”. 

James Quinn, a threat researcher at Binary Defense also makes the same observation in a blog post in March, as the company unearthed a new IcedID/BokBot variant while tracking a malicious spam campaign from a QakBot distributor.

IcedID was first discovered as a banking trojan in 2017 and soon adjusted its functionality for malware delivery. It has been seen in the past distributing Ransom eXX, Labyrinth, and Aggregor Ransomware. After a gap of about a month and a half, the malware distributor switched the payload back to QBot (aka QakBot), which has been seen in the past delivering ProLock, Egregor, and DoppelPaymer ransomware. 

Malware Researcher and Reverse Engineer reecDeep was the one that noticed the specific switch on Monday, concluding the fact that campaign update relies on XLM macros. Analysis from both binary defense and Brad Duncan on the switch of a malware distributor to deliver IcedID in February 2021 has seen the same trick.

Recently, security researchers at the threatening intelligence firm Intel 471 published details about Ettersilent creating a malicious document, which shows its continued development and ability to bypass multiple security mechanisms (Windows Defender, AMSI, email services). 

A feature of the tool is that it can design malicious documents that look like DocuSign or DigiCert-protected files that require user interaction for decryption. According to Intel 471, many cybercriminal groups have started using Ettersilent services including IcedID, QakBot, Ursnif, and Trickbot.