Skip to main content
INTELLIGENCE DIGEST

The Return of the Notorious Qakbot Threat Campaign

Previous tactics from the dismantled QakBot Trojan now fuel wide-ranging phishing campaigns

December 13, 2023

By Rodman Ramezanian - Global Cloud Threat Lead

Remember the QakBot cyberthreat (otherwise known as Qbot or Pinkslipbot)? This threat was shut down as part of a coordinated law enforcement effort in August 2023—and it’s making a comeback!

Bad actors are using its old tricks in a new phishing campaign targeting a variety of industries. They’re sending deceptive emails that look like ongoing conversations and contain dangerous links. Clicking on these links leads to a file that can install malware like DarkGate or PikaBot on your system. (Figure 1)

Once infected, these malicious programs can do serious harm. They often hold your data for ransom or leverage sneaky cryptomining malware that uses a device’s computing resources to mine cryptocurrencies. Attackers gain control over your systems with the intent to steal information or perform other harmful actions. The connections established by the threat actors are bidirectional: attackers can send commands and receive response in real time, enabling them to explore the victim’s system(s), steal data, and carry out other harmful actions.

PikaBot, a sophisticated new malware variant based on QakBot, is particularly tricky to analyze and gives attackers more control.

DarkGate, first discovered back in 2017, has also resurfaced. It became available more widely in hacker communities in 2023, leading to a sharp increase in its use and distribution. This malware strain takes advantage of Microsoft Teams messages to spread harmful attachments that install the DarkGate malware. Researchers have noticed phishing messages within Microsoft Teams, stemming from two compromised external Microsoft 365 accounts. These accounts were utilized to mislead Microsoft Teams users in different organizations, prompting them to download a ZIP file named “Changes to the vacation schedule.” Clicking on this attachment triggered the download process from a SharePoint URL, concealing an LNK file as a PDF document.

Why do these incidents occur?

DarkGate and PikaBot are versatile malware strains that don’t specifically target one industry, so they pose a threat across various sectors. DarkGate and PikaBot aim to infiltrate systems indiscriminately, seeking vulnerabilities to exploit. Their modular nature enables attackers to perform activities like data theft, remote access, cryptocurrency mining, and other malicious actions across a broad spectrum of industries. Their adaptability allows hackers to use them in diverse cyberattacks, potentially affecting industries such as finance, healthcare, education, government, manufacturing, and others. Therefore, all sectors need robust cybersecurity measures to protect against these evolving threats.

Phishing is a highly successful initial access broker for DarkGate and PikaBot malware operators. When the victim succumbs to clicking on the phishing link in an email, this acts as the pivotal gateway for threat actors to gain access. These techniques continue to be effective for attackers for several reasons:

  1. Deceptive techniques: These malware strains often employ sophisticated phishing tactics, such as sending emails that appear legitimate or even mimic ongoing conversations, tricking users into trusting the content.
  2. Exploiting human vulnerabilities: Phishing relies on human emotions, like curiosity or urgency, to prompt action. The emails lure recipients into clicking on links or downloading attachments by posing as urgent or important messages.
  3. Social engineering: This technique manipulates users’ trust in familiar platforms or individuals, making it harder to recognize malicious intent.
    Diverse attack vectors: These malware strains utilize various entry points, such as email attachments or links, exploiting vulnerabilities in systems or software. This multipronged approach increases the chances of success.
  4. Adaptability: QakBot, DarkGate, and PikaBot constantly evolve, adapting their phishing strategies to bypass security measures, which makes them harder to detect and mitigate.
  5. Automated Distribution: These threats can spread rapidly, leveraging automated systems to send out phishing emails on a large scale, increasing the probability of someone falling victim to their tactics.

What can be done?

User awareness and education can be extremely effective in thwarting phishing attacks like these, since threat actors are largely relying on that first click to open the doors for them.

The reality is, however, that human vulnerabilities coupled with deceptive tactics on the part of threat actors tend to lead to that URL link being clicked on. Phishing tactics are continuously evolving and becoming more sophisticated. Attackers employ various tactics like social engineering to create convincing replicas of legitimate emails, making it harder for traditional security measures to differentiate.

For this reason, remote browser isolation (RBI) is effective against phishing attacks that involve clicking on URLs because it executes browsing sessions away from the local device, isolating potential threats within a controlled environment. Here’s why it is effective:

  1. Isolates execution: When a user clicks on a URL, the browsing session takes place in a remote environment. This prevents any potential malware or threats from reaching the user’s device directly, as the browsing activity is separated from the local system.
  2. Limits exposure: By isolating the browsing session—even if the URL leads to a malicious site—any malware or harmful content encountered remains isolated within the remote environment. It doesn’t have direct access to the user’s device or network.
  3. Prevents device infection: Since the browsing occurs in an isolated environment, any malware encountered during the browsing session doesn’t have an opportunity to infect the user’s device or compromise sensitive data.
  4. Reduces the attack surface: Remote browser isolation minimizes the attack surface by ensuring that potentially dangerous web content is never loaded onto the user’s device, mitigating the risks associated with phishing URLs.
  5. Enhances security posture: It adds an extra layer of security by separating the user’s interaction with potentially risky web content from the local device and network, reducing the chances of successful phishing attacks.

The Skyhigh Security Service Edge (SSE) portfolio includes Risky Web RBI by default. It protects users from risky websites by redirecting browsing requests to the RBI service. RBI technology integrates with the Skyhigh Security platform, providing robust protection against ransomware and phishing threats while simplifying the adoption of a zero trust architecture.

Additionally, the full RBI function, available separately, can direct specific traffic into RBI sessions, ensuring even stronger security measures. Skyhigh Security’s approach to RBI involves channeling web traffic through cloud proxies to isolate potentially risky browsing. This ensures comprehensive protection through data loss prevention (DLP) and anti-malware policies. When a user clicks on a phishing URL, it typically redirects the victim to a page where payloads are hosted to download the attacker’s files. This is why sufficient threat analysis is required to prevent initial device infection.

Skyhigh Security’s gateway anti-malware (GAM) engine employs proactive intent analysis to filter out real-time malicious web content without relying on signatures. It detects both executable and non-executable malicious content by simulating behavior, understanding behavior, and predicting code intent, effectively combating zero-day and targeted attacks. The engine also monitors client web access behaviors, identifying potentially unwanted programs (PUPs) and quarantining compromised workstations.

GAM is adept at code behavior detection across various formats, such as Microsoft Windows executables, JavaScript, Flash ActionScript, Java, ActiveX controls, and more. For instance, it can identify malicious intent in an obfuscated Visual Basic Script within a Word document and prevent the document from being downloaded.

While traditional signature-based and heuristic anti-malware engines are included, the core detection capabilities for unknown malware relies on GAM, which leverages machine learning and real-time emulation. It encompasses three heuristic capabilities:

  1. Static behavior heuristics to block suspicious behavior in new code samples.
  2. Structural heuristics that link modified malware variants to known malware families.
  3. Network behavior heuristics, which identify potentially infected client systems displaying suspicious internet access patterns.

Use Skyhigh Security?

Rodman Ramezanian

About the Author

Rodman Ramezanian

Global Cloud Threat Lead

With over 11 years’ worth of extensive cybersecurity industry experience, Rodman Ramezanian is an Enterprise Cloud Security Advisor, responsible for Technical Advisory, Enablement, Solution Design and Architecture at Skyhigh Security. In this role, Rodman primarily focuses on Australian Federal Government, Defense, and Enterprise organizations.

Rodman specializes in the areas of Adversarial Threat Intelligence, Cyber Crime, Data Protection, and Cloud Security. He is an Australian Signals Directorate (ASD)-endorsed IRAP Assessor – currently holding CISSP, CCSP, CISA, CDPSE, Microsoft Azure, and MITRE ATT&CK CTI certifications.

Candidly, Rodman has a strong passion for articulating complex matters in simple terms, helping the average person and new security professionals understand the what, why, and how of cybersecurity.

Attack Highlights

  • Threat actors kick off the attack by sending out phishing emails using compromised email conversations that appear to be a response or by forwarding of a stolen conversation, making recipients more likely to trust it and then luring them into clicking a malicious URL.
  • These stolen email messages are likely acquired through Microsoft ProxyLogon attacks (CVE-2021-26855). This vulnerability in the Microsoft Exchange Server enable attackers to dodge authentication and pretend to be administrators of the underlying account.
  • This URL has multiple layers, ensuring that only specific users meeting set criteria (like location and browser) can access the harmful software to verify they are valid targets.
  • Clicking the URL leads to downloading a ZIP file housing a JavaScript file known as a JavaScript Dropper. This is later used for downloading and executing infected portable executable (PE) files as well as malicious DLL files.
  • The JavaScript Dropper program connects to another URL to fetch and activate malware with the aid of Visual Basic Script (VBS) downloaders capable of running malware through .vbs files typically found in Microsoft Office documents or by initiating command-line programs, LNK downloaders that misuse Microsoft shortcut files (.lnk), and Excel DNA loaders used for creating XLL files for further exploitation tasks. An XLL file, typically used as a Microsoft Excel add-on for legitimate work purposes, is manipulated by threat actors. They’ve adjusted these add-ons to access specific locations and download harmful payloads.
  • At this point, the victim is successfully infected with either the DarkGate or PikaBot malware strains, enabling further harmful actions such as delivery and installation of advanced cryptomining software, reconnaissance tools, ransomware payloads, and more.