Following the takedown of the infamous Qakbot operation by the FBI, a new wave of sophisticated phishing campaigns has emerged, showcasing the DarkGate and Pikabot malware as successors to Qakbot’s legacy.
These campaigns, detailed in a recent report by Cofense, mirror Qakbot’s tactics, raising concerns that threat actors are shifting to newer, more advanced malware botnets. DarkGate and Pikabot, like Qakbot, pose significant threats to enterprises, giving threat actors a foothold for ransomware, espionage, and data theft.
The modus operandi is a convincing phishing lure built on stolen (hijacked) discussion threads: the message arrives as a reply to a genuine conversation and prompts recipients to click embedded URLs that lead to malware-laden ZIP archives. The attackers initially delivered DarkGate, then switched to Pikabot as their primary payload in October 2023.
DarkGate, which surfaced in 2017 but gained traction recently, boasts multifaceted malicious capabilities, including remote access, keylogging, and information theft. On the other hand, Pikabot, a newer entrant in 2023, exhibits sophisticated anti-detection measures and versatile command and control capabilities.
Cofense warns that these campaigns, orchestrated by adept threat actors, require organizations to understand the tactics, techniques, and procedures (TTPs) employed in order to safeguard against these evolving threats.
Protecting against DarkGate and Pikabot requires a multifaceted approach. Educating staff about phishing tactics and emphasizing cautious email behavior minimizes the risk of malware infiltration. Deploying robust email security solutions capable of detecting and quarantining suspicious attachments or links is crucial.
Implementing multi-layered endpoint protection that includes behavior-based detection, together with timely security patching, safeguards systems against these evolving malware threats. Regularly reviewing and updating security protocols based on the latest threat intelligence helps organizations stay ahead of emerging risks.
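The lure described above (a reply grafted onto a stolen thread whose body links to a ZIP archive) and the email-gateway detection recommended here can be paired in a simple triage rule. The following is an added example written for this page, not code from Cofense or from either malware family; the sample message, hostnames and paths are constructed placeholders, and the pairing of threading headers with an archive link is the only indicator it uses.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Indicators from the campaign described above: a reply grafted onto a stolen
# discussion thread whose body links to a ZIP archive.
ARCHIVE_SUFFIXES = (".zip",)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
REPLY_PREFIXES = ("re:", "fw:", "fwd:")


def triage_message(raw: str) -> dict:
    """Score one RFC 5322 message and return the indicators behind the verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    # Threading headers or a reply prefix mean the mail rides an existing
    # conversation; that alone is normal and only counts with an archive link.
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References")) or \
        subject.lower().startswith(REPLY_PREFIXES)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    archive_urls = [u for u in URL_RE.findall(text)
                    if urlparse(u).path.lower().endswith(ARCHIVE_SUFFIXES)]
    if is_reply and archive_urls:
        verdict = "quarantine"   # the pairing the campaign relies on
    elif archive_urls:
        verdict = "review"       # archive link without thread hijack: hold for a look
    else:
        verdict = "allow"
    return {"is_reply": is_reply, "archive_urls": archive_urls, "verdict": verdict}


# Constructed sample (not a real campaign message): a reply on a stolen thread
# pointing at a ZIP archive; hostnames and paths are placeholders.
HIJACKED_THREAD = """\
From: accounts@example.com
To: alice@example.org
Subject: RE: Invoice 4471 - updated figures
In-Reply-To: <orig-thread-id@example.org>
Content-Type: text/plain; charset=utf-8

Hi Alice, the corrected invoice is in the archive below.
https://files.example.net/docs/Invoice_4471.zip

> Can you resend the March figures?
"""

if __name__ == "__main__":
    print(triage_message(HIJACKED_THREAD))
```

In production the same rule would also fire on other archive types and on password-protected attachments, and the verdict would feed a quarantine action rather than a print.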