Successors to the Qakbot malware have emerged despite the disruption of Qakbot's infrastructure by an FBI-led international law enforcement operation in August 2023.
Cofense, a provider of phishing detection solutions, has observed new phishing campaigns that use the same infection tactics Qakbot employed. These recent campaigns, however, deliver two new malware families: DarkGate and Pikabot.
One phishing campaign began distributing DarkGate malware in September and has grown into one of the most advanced phishing campaigns active in the threat landscape, according to a Cofense report. The campaign has evolved to use evasive tactics and anti-analysis techniques in order to keep distributing DarkGate and, more recently, Pikabot.
Typical Qakbot tactics observed in the DarkGate and Pikabot campaigns included:
- Hijacked email threads as the initial infection vector
- URLs with unique patterns that limit user access
- An infection chain almost identical to Qakbot's delivery chain
Cofense researchers believe that some former Qakbot users have shifted to using DarkGate and/or Pikabot.
"Some of these campaigns are undoubtedly high-level threats because of the tactics, techniques and procedures (TTPs) through which the phishing emails achieve their intended goals, as well as the advanced capabilities of the malware being delivered," the report added.
Most of the campaigns seen since the Qakbot takedown use different infection chains.
"Almost as if the threat actors were testing different malware delivery options," said Cofense.
However, the most commonly used infection chain shows many similarities with some Qakbot campaigns carried out in May 2023.
"The campaign starts with a hijacked email thread to entice the user into accessing a URL that has added layers which limit access to the malicious payload to users who meet specific requirements set by the threat actors (location and web browser)," Cofense researchers explained.
"This URL downloads a ZIP archive containing a JS file that is a JS dropper, a JavaScript application used to reach another URL in order to download and execute malware. At this stage a user is successfully infected with the DarkGate or Pikabot malware."
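As an added example (not Cofense's or the article's own code), the following Python check models the defender's side of the chain just described: it parses a raw email, opens each ZIP attachment in memory and flags any JavaScript member, also noting whether the mail arrived as a reply into an existing thread. The sample mail and archive contents are constructed placeholders.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# The article describes a ZIP attachment carrying a JavaScript dropper, so .js is the
# member extension this check flags; extend the tuple to fit your own policy.
SCRIPT_EXTENSIONS = (".js",)


def find_archived_script_droppers(raw_message: bytes) -> list[dict]:
    """Return one finding per script file found inside a ZIP attachment of the mail.

    A finding also notes whether the mail looks like a reply, since a hijacked
    thread is delivered as a reply into an existing conversation.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    is_reply = subject.lower().startswith("re:") or msg.get("In-Reply-To") is not None
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        try:
            archive = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            continue  # not a ZIP archive (or a corrupt one); nothing to inspect
        with archive:
            for info in archive.infolist():
                if info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                    findings.append({"attachment": part.get_filename() or "",
                                     "member": info.filename,
                                     "in_reply_thread": is_reply})
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a reply-style mail carrying a ZIP that holds a .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("document.js", "// constructed placeholder, not dropper code\n")
    msg = EmailMessage()
    msg["Subject"] = "Re: document from last week"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["In-Reply-To"] = "<constructed-id@example.invalid>"
    msg.set_content("Please see the attached archive.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()
```

Run `find_archived_script_droppers(build_sample_message())` to see the single finding; a plain-text mail or a non-ZIP attachment yields an empty list.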
Some of these newly observed campaigns send large volumes of emails to a wide range of industries, which means targets run the risk of more advanced follow-on threats such as reconnaissance malware and ransomware.
Read more: FBI-led Operation Duck Hunt disrupts Qakbot malware
What are the DarkGate and Pikabot malware families?
DarkGate and Pikabot are both regarded as advanced malware featuring anti-analysis behavior.
DarkGate is a versatile malware toolset, usually distributed via spam email attachments or malicious links, that has been active since 2017. It is equipped with various capabilities, including data theft, cryptocurrency mining and remote control of infected systems.
Once installed, DarkGate can steal a variety of sensitive information, including passwords, credit card numbers and personal documents. It can also mine cryptocurrency, using the victim's computing resources to generate money for the attackers.
In addition, DarkGate can allow attackers to control the infected system remotely, which can be used to install other malware, steal data or launch attacks on other systems.
Pikabot is a new malware family first observed in 2023. It is classified as a loader because of its ability to deliver additional malware payloads. It contains various evasive techniques to avoid sandboxes, virtual machines and other detection mechanisms.
Pikabot is usually spread through phishing attacks or by exploiting software vulnerabilities. Once installed, Pikabot can be controlled remotely by attackers.
It has been observed that the malware avoids infecting machines located in the Commonwealth of Independent States (CIS), whose member states all belonged to the former Soviet Union.
How was Qakbot's infrastructure brought down?
In August, the FBI led Operation Duck Hunt, a multinational law enforcement operation that reportedly dismantled Qakbot.
To do so, the FBI gained access to Qakbot's administrator infrastructure, which helped law enforcement map the server infrastructure used to operate the botnet. It then seized 52 servers, which it said would permanently "dismantle" the botnet, and Qakbot traffic was redirected through Bureau-controlled infrastructure so that victims could download a removal tool.
In a separate announcement, the US Department of Justice (DOJ) said the FBI had identified more than 700,000 infected computers worldwide, including more than 200,000 in the US.
The DOJ also announced that it had seized more than $8.6 million in cryptocurrency from the Qakbot cybercriminal organization. This money is to be returned to the victims.
While the cybersecurity community has generally praised Operation Duck Hunt, some voices doubted the actual impact of the takedown.
The possibility that threat actors would move to other malware families to run the same kind of malicious campaigns was one of the criticisms of the effectiveness of such an operation.
Read more: FBI's Qakbot Takedown Raises Questions: "Dismantled" or Just a Temporary Setback?