The PikaBot malware has been added to the already complicated phishing campaign that is transmitting the darkGate malware infections, making it the most sophisticated campaign since the Qakbot operation was taken down.

The phishing email campaign began in September 2023, right after the FBI took down the Qbot (Qakbot) infrastructure. 

In a report recently published by Cofense, researchers explain that the DarkGate and Pikabot operations employ strategies and methods that are reminiscent of earlier Qakbot attacks, suggesting that the threat actors behind Qbot have now shifted to more recent malware botnets.

"This campaign is undoubtedly a high-level threat due to the tactics, techniques, and procedures (TTPs) that enable the phishing emails to reach intended targets as well as the advanced capabilities of the malware being delivered," the report reads. 

This presents a serious risk to the organization because DarkGate and Pikabot are modular malware loaders that have many of the same features as Qbot, and Qbot was one of the most widely used malware botnets that were spread by malicious email.

Threat actors would likely utilize the new malware loaders, like Qbot, to get initial access to networks and carry out ransomware, espionage, and data theft assaults.

The DarkGate and Pikabot Campaign

Earlier this year, there had been a dramatic surge in malicious emails promoting the DarkGate ransomware. Starting in October 2023, threat actors have begun using Pikabot as the main payload.

This phishing attack takes place by sending an email – that is a reply or forward of a stolen discussion threat – to the targeted victims, who trust the fraudulent communications. 

After clicking on the embedded URL, users are prompted to download a ZIP file containing a malware dropper that retrieves the final payload from a remote location. These tests ensure that the users are legitimate targets.

According to Cofense, the attackers tested a number of early malware droppers to see which one worked best, including:

• JavaScript dropper for downloading and executing PEs or DLLs. 
• Excel-DNA loader based on an open-source project used in developing XLL files, exploited here for installing and running malware. 
• VBS (Virtual Basic Script) downloaders that can execute malware via .vbs files in Microsoft Office documents or invoke command-line executables. 
• LNK downloaders that exploit Microsoft shortcut files (.lnk) to download and execute malware.
• As of September 2023, the DarkGate malware served as the ultimate payload for these attacks. In October 2023, PikaBot took its place.

DarkGate and PikaBot

DarkGate first came to light in 2017, however only became available to the threat actors past summer. As a result, its contribution to conducting phishing attacks and malvertising increases.

This sophisticated modular malware may perform a wide range of malicious actions, such as keylogging, bitcoin mining, reverse shelling, hVNC remote access, clipboard theft, and information (files, browser data) theft.

PikaBot, on the other hand, was discovered much recently in 2023. It consists of a loader and a core module, slotting in extensive anti-debugging, anti-VM, and anti-emulation mechanisms.

The malware profiles targeted systems and transfers the data to its command and control (C2) infrastructure, awaiting additional instructions.

The C2 delivers the commands to the malware that order it to download and run modules in the form of DLL or PE files, shellcode, or command-line commands.

Cofense has further cautioned that PikaBot and DarkGarw campaigns are being conducted by threat actors who are conversant with what they are doing and that their capabilities are top-of-the-line. Thus, organizations must be thoroughly introduced to the TTPs for this phishing campaign.