The DarkGate and PikaBot malware programs are distributed by cybercriminals using the same methods as the attacks using the QakBot Trojan, which was eliminated in August. This was announced by Cofense in its report.
The QakBot platform (QBot, Pinkslipbot), was eliminated during a joint law enforcement operation codenamed Duck Hunt in August of this year. Qakbot infected more than 700,000 victims computers, contributed to the spread of ransomware viruses, and caused hundreds of millions of dollars in damage to businesses, healthcare facilities, and government agencies around the world.
DarkGate and PikaBot are capable of delivering additional loads to infected hosts, which makes them attractive to attackers. The similarity between PikaBot and QakBot was noted by analysts based on the same distribution methods, campaign, and malware behavior.
The DarkGate malware supports a wide range of malicious actions, including installing an hVNC connection for remote access, cryptocurrency mining, Reverse Shell configuration, keylogging, clipboard hijacking, and stealing information (files, browser data).
The Cofense report notes that the connection is bidirectional, meaning attackers can send commands and receive responses in real-time, allowing them to navigate through the victim's system, siphon data, or perform other malicious actions.
Analysis of the Cofense phishing campaign showed that it is aimed at a wide range of sectors, and the attack chains include a malicious URL in phishing emails leading to a ZIP archive. The ZIP archive contains a JavaScript loader, which in turn accesses the second URL to download and run the DarkGate or PikaBot malware. It is noteworthy that in one case, the attack used Excel add-in files (XLL) instead of JavaScript loaders to deliver final loads.
Successful infection of DarkGate or PikaBot can lead to the delivery of software to steal cryptocurrency, install tracking tools, ransomware, or any other malicious file that attackers want to install on the victim's machine.
The DarkGate malware supports a wide range of malicious activities from remote access to data theft. In June, security researchers discovered a new MalSpam phishing campaign that infected victims devices with DarkGate.According to Telekom Security experts, the sudden surge in DarkGate activity may be due to the fact that the malware developer began renting it out to a limited circle of affiliates. Prices for a DarkGate subscription start at $1,000 per day and go up to $100,000 per year.
Earlier, Kaspersky Lab revealed a global campaign to distribute the PikaBot malware among corporate users. The attack began in mid-May and peaked between the 15th and 18th. During this period, about 5 thousand such emails were found. PikaBot is a new malware family that shares similarities with the well-known banking Trojan Qbot. PikaBot can install other malware on infected devices or execute remote commands.
• Source: https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/
The QakBot platform (QBot, Pinkslipbot), was eliminated during a joint law enforcement operation codenamed Duck Hunt in August of this year. Qakbot infected more than 700,000 victims computers, contributed to the spread of ransomware viruses, and caused hundreds of millions of dollars in damage to businesses, healthcare facilities, and government agencies around the world.
DarkGate and PikaBot are capable of delivering additional loads to infected hosts, which makes them attractive to attackers. The similarity between PikaBot and QakBot was noted by analysts based on the same distribution methods, campaign, and malware behavior.
The DarkGate malware supports a wide range of malicious actions, including installing an hVNC connection for remote access, cryptocurrency mining, Reverse Shell configuration, keylogging, clipboard hijacking, and stealing information (files, browser data).
The Cofense report notes that the connection is bidirectional, meaning attackers can send commands and receive responses in real-time, allowing them to navigate through the victim's system, siphon data, or perform other malicious actions.
Analysis of the Cofense phishing campaign showed that it is aimed at a wide range of sectors, and the attack chains include a malicious URL in phishing emails leading to a ZIP archive. The ZIP archive contains a JavaScript loader, which in turn accesses the second URL to download and run the DarkGate or PikaBot malware. It is noteworthy that in one case, the attack used Excel add-in files (XLL) instead of JavaScript loaders to deliver final loads.
Successful infection of DarkGate or PikaBot can lead to the delivery of software to steal cryptocurrency, install tracking tools, ransomware, or any other malicious file that attackers want to install on the victim's machine.
The DarkGate malware supports a wide range of malicious activities from remote access to data theft. In June, security researchers discovered a new MalSpam phishing campaign that infected victims devices with DarkGate.According to Telekom Security experts, the sudden surge in DarkGate activity may be due to the fact that the malware developer began renting it out to a limited circle of affiliates. Prices for a DarkGate subscription start at $1,000 per day and go up to $100,000 per year.
Earlier, Kaspersky Lab revealed a global campaign to distribute the PikaBot malware among corporate users. The attack began in mid-May and peaked between the 15th and 18th. During this period, about 5 thousand such emails were found. PikaBot is a new malware family that shares similarities with the well-known banking Trojan Qbot. PikaBot can install other malware on infected devices or execute remote commands.
• Source: https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/
