The operators behind a phishing campaign that is distributing the DarkGate and PikaBot malware is using many of the techniques attributed to the notorious QakBot operation that was taken down by law enforcement agencies in August.

While not ready to attribute the latest campaign to the threat actors behind QakBot, threat intelligence researchers at cybersecurity firm Cofense outlined a number of similarities between the DarkGate and more recent PikaBot tactics and those used by QakBot affiliates.

“These include hijacked email threads as the initial infection, URLs with unique patterns that limit user access, and an infection chain nearly identical to what we have seen with QakBot delivery,” Dylan Duncan, cyberthreat intelligence analyst with Cofense, wrote in a report. “The malware families used also follow suit to what we would expect QakBot affiliates to use. Along with many other capabilities, both malware families can act as loaders with the ability to add additional malicious payloads to unknown infected machines.”

In addition, the DarkGate campaign cranked up its activity a month after the raid on QakBot “and follows the same trends used by the infamous threat actors that deploy the QakBot malware and botnet. This campaign disseminates a high volume of emails to a wide range of industries, and due to the loader capabilities of the malware delivered, targets can be at risk of more sophisticated threats like reconnaissance malware and ransomware,” he wrote.

Law Enforcement Takedown

On August 29, the FBI and Justice Department said that a multinational operation that included law enforcement agencies in France, Germany, the Netherlands, Romania, Latvia, and the UK took down QakBot’s infrastructure, finding that more than 700,000 computers worldwide – including more than 200,000 in the United States – were infected by the botnet.

The agencies also deleted the Qakbot code from the infected systems and seized more than $8.6 million in cryptocurrency they said was collected through the group’s nefarious operations. In all, the QakBot group caused hundreds of millions of dollars in damage, the FBI said.

The Qakbot operators may not have completely disappeared. Cisco’s Talos threat intelligence group said in October that a campaign that kicked off in early August, before the law enforcement takedown, was using phishing attacks to distribute the Ransom Knight ransomware and Remcos remote access trojan (RAT) and that the campaign had continued after the raid on the infrastructure.

That said, Qakbot for the most part has gone quiet since late August. However, as Cofense’s Duncan noted, many of its tactics are now being used in new phishing campaigns. The cybersecurity vendor last reported on Qakbot toward the end of June and a month later, DarkGate began emerging.

Qakbot Falls, DarkGate Rises

There was a significant jump in DarkGate activity in September, and a month later the DarkGate operation switched to PikaBot, according to the report.

Duncan called the DarkGate and PikaBot campaign a “high-level threat” given the tactics used to get the phishing emails to reach its targets and the advanced capabilities of the malware that it delivers. There have been a number of different infection chains, indicating that the bad actors were testing various options for delivering malware.

Other threat intelligence teams also took note of DarkGate. MalwareBytes in September wrote that threat actors were using Microsoft Teams to deliver DarkGate malware. Researchers at Trend Micro in October noted a DarkGate campaign that was abusing collaboration platforms like Skype and Teams to deliver malicious code. Earlier this month, Netskope’s Threat Labs unit found a DarkGate variant being delivered through MSI that used a new loading tactic based on a default shellcode stub on Cobalt Strike Beacons.

A Favored Infection Chain

Duncan focused on an infection chain seemingly favored by the operators that is in line with what Qakbot was doing during campaigns in May. It started with a hijacked email threat to entice victims to click on a URL (which is similar to what was seen in Qakbot campaigns) that only gives access to the malicious payload to users that meet specific requirements in terms of location and browser.

Clicking on the URL leads to a ZIP archive a JavaScript-based JS Dropper that connects to another URL, which downloads and runs the malware. Both DarkGate (first seen in 2019) and PikaBot (new this year) can deliver other payloads once on a compromised system, including crypto-mining, ransomware, and reconnaissance tools.

DarkGate and PikaBot also use tactics designed to evade detection and to disrupt attempts to analyze them. In addition, while JS Droppers are the primary method for delivering the malware, the operators behind DarkGate and PikaBot also have been seen using other infection chains, including an Excel-DNA loader and VBS and LNK downloaders.

Organizations need to pay attention to the cybercriminals operating DarkGate and PikaBot, Duncan wrote.

“This campaign is advanced, well-crafted, and has already evolved since it was first seen in the wild,” he wrote. “The threat actors behind the campaign maintain skills beyond the average phisher, and employees should be aware that this type of threat exists.”