DarkGate and Pikabot Copy the QakBot Malware

DarkGate and PikaBot May be the New QakBot
Recent behavior of DarkGate and PikaBot makes analysts think about them being a return of QakBot

According to researchers, the phishing campaign promoting the DarkGate and PikaBot malware is carried out by the authors or successors of the QBot Trojan (aka QakBot). Information security specialists believe that this is currently the most complex phishing campaign that has appeared since the liquidation of QBot.

Is Pikabot A New QakBot?

In its report, Cofense said that DarkGate and Pikabot’s tactics and methods are similar to previous QakBot (aka Qbot) campaigns. That is, it seems that Qbot operators simply switched to using new botnets and malware. Researchers write that QBot was one of the largest botnets. The spread of QBot was associated with email, and DarkGate and Pikabot are modular malware downloaders that have the same functions as QBot.

The similarity of the campaigns can be concluded based on the intercepted email flows as the initial infection. Also on URLs with unique patterns that limit user access, and the chain of infections is almost identical to the one we saw with the QakBot delivery. The malware families used also correspond to what can be called the QakBot legacy.Cofense experts explain.

Similarly to QBot, hackers use the new downloaders to gain initial access to victims’ networks. Then they carry out ransomware attacks, espionage and data theft. Interestingly, some cybersecurity experts predicted the possible return of malware.

Features of the phishing campaign of the QBot heirs

According to Cofense, this summer the number of malicious emails spreading DarkGate increased significantly. In October 2023, attackers switched to using Pikabot as their main payload. These phishing attacks begin with emails that appear to be a reply or forward related to a previously stolen discussion. This makes it more likely that recipients will view the message with more confidence.

Users who click on a URL from such an email go through a series of checks and are then prompted to download a ZIP archive. This archive contains a dropper that retrieves the final payload from a remote source.

Distribution of DarkGate and PikaBot
Example of a malicious email

The researchers note that the attackers experimented with several droppers to determine which one worked best, including:

  • JavaScript dropper for loading and executing PE or DLL;
  • Excel-DNA loader, based on an open-source project used to create XLL files. In this case it is used to download and run malware;
  • VBS loaders, which can execute malware via .vbs files in Microsoft Office documents or launch command line executables;
  • LNK downloaders, which use .lnk files to download and execute malware.

The final payload used in these attacks until September 2023 was DarkGate, which was replaced by PikaBot in October 2023.

How dangerous are DarkGate and PikaBot?

DarkGate is a modular malware that supports various types of malicious behavior. Its first appearance happened back in 2017, but it became available to masses only in the summer of 2023. This, eventually, ended up with a sharp increase in its distribution. Among key feautures, DarkGate boasts hVNC remote access, cryptocurrency mining and reverse shell creation. It allows for keylogging, stealing data from an infected machine.

In turn, PikaBot is a newer malware that first appeared in early 2023 and consists of a loader and a main module, with mechanisms to protect against debugging, VMs, and emulations. On the infected machine, it creates a system profile and sends the collected data to the control server, awaiting further instructions. In response, the server sends commands to load and execute modules in the form of DLL or PE files, shellcode or command line commands. All this makes PikaBot a universal tool.

What is QakBot notorious for?

QakBot, active since 2008, was originally a banking Trojan. But it has evolved over time into a powerful malware downloader capable of deploying additional payloads, stealing information, and enabling lateral movement. Qbot’s malicious campaigns are most likely linked to Russian hackers and they are constantly improving their malware distribution methods.

In 2020 the Qbot Trojan first entered the list of the most widespread malware in the world. And since then, the malware had continiously hit the newsletters for the next 3 years. Among its most noticeable attack vectors is the adoption of 0-day vulnerability in Windows MSDT called Follina.

However, the FBI, in collaboration with a number of international law enforcement organizations, conducted Operation Duck Hunt, which resulted in the destruction of the QBot (QakBot) infrastructure in August 2023.

The FBI managed to penetrate the lair of a cybercriminal group and take possession of the computer of one of its leaders. After this through the gaming platform of QBot FBI sent out a botnet destruction program to the affected devices. After which the malware was removed from more than 700 thousand infected devices around the world. But, as we see, the legacy of the botnet QBot lives on.

DarkGate and Pikabot Copy the QakBot Malware

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *