Despite the disruption to the QakBot malware infrastructure by an international law enforcement operation led by the FBI in August 2023, successors to the notorious malware have emerged. Cofense, a phishing detection solution provider, has identified new phishing campaigns that exhibit similar infection tactics to QakBot but deliver two new malware families: DarkGate and PikaBot.
One particularly advanced phishing campaign that started spreading DarkGate malware in September has become one of the most sophisticated active threats in the cybersecurity landscape, according to a report by Cofense. This campaign has evolved to employ evasive tactics and anti-analysis techniques to distribute DarkGate and, more recently, PikaBot.
The DarkGate and PikaBot campaigns have adopted typical QakBot tactics: hijacked email threads as the initial infection vector, URLs with unique patterns that restrict who can access them, and an infection chain closely resembling QakBot’s delivery method. Cofense researchers suspect that some former QakBot users have transitioned to DarkGate and/or PikaBot.
These post-QakBot-takedown campaigns are considered high-level threats for two reasons: the sophisticated tactics, techniques, and procedures (TTPs) that get the phishing emails to their intended targets, and the advanced capabilities of the malware being distributed. While most of the campaigns use different infection chains, some show similarities to QakBot campaigns from earlier in 2023.
Some of the newly observed campaigns have targeted a wide range of industries with a high volume of emails, posing a significant risk of more advanced threats like reconnaissance malware and ransomware to their targets.
DarkGate and PikaBot are both classified as advanced malware with loader capabilities and anti-analysis features. DarkGate, which has been active since 2017, is a versatile toolset distributed through spam email attachments or malicious links. It can steal sensitive information, mine cryptocurrency using infected machines, and enable remote control of compromised systems.
PikaBot, a newer malware family first detected in 2023, is also a loader that delivers additional malware payloads. It employs various evasion techniques to avoid detection in sandboxes, virtual machines, and other debugging environments. PikaBot is typically spread through phishing attacks or by exploiting software vulnerabilities, and it gives attackers remote control over infected systems.
The takedown of QakBot’s infrastructure in the FBI-led Operation Duck Hunt involved seizing 52 servers to dismantle the botnet and redirecting QakBot’s traffic to servers controlled by the Bureau. The operation also identified over 700,000 infected computers worldwide, more than 200,000 of them in the US, and seized over $8.6 million in cryptocurrency from the cybercriminal organization behind QakBot.
While Operation Duck Hunt was generally praised by the cybersecurity community, concerns were raised about the potential for threat actors to pivot to other malware families like DarkGate and PikaBot to continue their malicious campaigns. The long-term impact of the takedown remains a topic of debate within the cybersecurity community.