A malware phishing campaign has been running since September 2023 that is distributing DarkGate malware. Now, the threat actor behind the campaign has switched to PikaBot malware, and the campaign has several similarities to those conducted by the threat actor behind Qakbot.

DarkGate malware was first detected in 2017 but was only offered to other cybercrime groups this summer. Since then, distribution of the malware has increased significantly, with phishing emails and malvertising – malicious adverts – the most common methods of delivery. DarkGate malware is a multi-purpose Windows malware with a range of capabilities, including information stealing, malware loading, and remote access. In September, security researchers at Cofense identified a malware phishing campaign that was spreading DarkGate malware that has since evolved into one of the most advanced active phishing campaigns making it clear that it is being conducted by an experienced threat group. Then in October 2023, the threat actor behind the campaign switched to distributing Pikabot malware. Pikabot malware was first detected in early 2023 and functions as a downloader/installer, loader, and backdoor.

Security researchers have analyzed the malware phishing campaign and have identified several similarities to those used to distribute Qakbot (Qbot) malware including the behavior of the malware upon infection, the method of distribution, as well as internal campaign identifiers. Qakbot was one of the most active malware botnets; however, in August this year, an international law enforcement operation headed by the U.S. Department of Justice successfully took down the infrastructure of Qakbot.

The emergence of the phishing DarkGate/Pikabot campaign around a month after the Qakbot takedown, the use of a similar campaign that was used to distribute Qakbot, and no detected Qakbot activity since the takedown has led security researchers to believe the operators of Qakbot have switched to distributing DarkGate/Pikabot. Both of those malware families have similar capabilities to Qakbot and that could indicate the Qakbot operators have switched to newer malware botnets. As was the case with Qakbot, the new malware variants provide the threat actor with initial access to networks and it is probable that attacks will result in data theft and potentially the use of ransomware. Given the pervasive nature of Qakbot, if the same threat actors are behind the latest DarkGate/Pikabot campaign it poses a significant threat to businesses. The phishing campaign starts with an email that forwards or replies to a stolen message thread. Since the message threat contains genuine previous conversations there is a much higher probability of the recipient responding to the message. The emails contain an embedded URL that directs the user to a.ZIP archive that contains a malware dropper, which delivers the final DarkGate or Pikabot payload.

The phishing campaign continues to evolve and it is the work of a very experienced threat actor. One of the best defenses against these attacks is security awareness training. Employees should be warned of the tactics that are being used to distribute the malware and should be instructed to be vigilant, especially requests received via email that appear to be responses to previous communications that prompt them to visit a website and download a compressed file. They should be instructed to report any such email to their security teams for analysis.

With SafeTitan, TitanHQ’s security awareness training platform, it is easy to incorporate the latest threat intelligence into training content and push out short training sessions to employees to raise awareness of the latest malware phishing campaigns. SafeTitan also includes a phishing simulator that allows custom simulated phishing emails to be sent out to the workforce, including simulated phishing emails that include the tactics used in the DarkGate/Pikabot campaign. Security teams can use the simulator to determine how employees react and can then take proactive steps to address any knowledge gaps before a real DarkGate/Pikabot phishing email lands in an inbox.

Anti-Phishing Demo
Protect your MSP clients with the newest zero-day threat protection and intelligence against anti-phishing, business email compromise and zero-day attacks with PhishTitan.
Free Demo

An advanced spam filter should also be implemented that is capable of scanning and following links in emails along with a WebFilter for blocking access to malicious websites and restricting file downloads from the Internet, such as TitanHQ’s SpamTitan Plus and WebTitan DNS filter. For more information on the SafeTitan security awareness training and phishing simulation platform, advanced spam filtering with SpamTitan Plus, and web filtering with WebTitan, call TitanHQ today. All TitanHQ solutions are also available on a free trial.