The Return of the Notorious Qakbot Threat Campaign

Previous tactics from the dismantled QakBot Trojan now fuel wide-ranging phishing campaigns

Originally published by Skyhigh Security.

Written by Rodman Ramezanian, Global Cloud Threat Lead, Skyhigh Security.

Remember the QakBot cyberthreat (otherwise known as Qbot or Pinkslipbot)? This threat was shut down as part of a coordinated law enforcement effort in August 2023—and it’s making a comeback!

Bad actors are using its old tricks in a new phishing campaign targeting a variety of industries. They’re sending deceptive emails that look like ongoing conversations and contain dangerous links. Clicking on these links leads to a file that can install malware like DarkGate or PikaBot on your system. (Figure 1)

Once infected, these malicious programs can do serious harm. They often hold your data for ransom or leverage sneaky cryptomining malware that uses a device’s computing resources to mine cryptocurrencies. Attackers gain control over your systems with the intent to steal information or perform other harmful actions. The connections established by the threat actors are bidirectional: attackers can send commands and receive response in real time, enabling them to explore the victim’s system(s), steal data, and carry out other harmful actions.

PikaBot, a sophisticated new malware variant based on QakBot, is particularly tricky to analyze and gives attackers more control.

DarkGate, first discovered back in 2017, has also resurfaced. It became available more widely in hacker communities in 2023, leading to a sharp increase in its use and distribution. This malware strain takes advantage of Microsoft Teams messages to spread harmful attachments that install the DarkGate malware. Researchers have noticed phishing messages within Microsoft Teams, stemming from two compromised external Microsoft 365 accounts. These accounts were utilized to mislead Microsoft Teams users in different organizations, prompting them to download a ZIP file named “Changes to the vacation schedule.” Clicking on this attachment triggered the download process from a SharePoint URL, concealing an LNK file as a PDF document.

Why do these incidents occur?

DarkGate and PikaBot are versatile malware strains that don’t specifically target one industry, so they pose a threat across various sectors. DarkGate and PikaBot aim to infiltrate systems indiscriminately, seeking vulnerabilities to exploit. Their modular nature enables attackers to perform activities like data theft, remote access, cryptocurrency mining, and other malicious actions across a broad spectrum of industries. Their adaptability allows hackers to use them in diverse cyberattacks, potentially affecting industries such as finance, healthcare, education, government, manufacturing, and others. Therefore, all sectors need robust cybersecurity measures to protect against these evolving threats.

Phishing is a highly successful initial access broker for DarkGate and PikaBot malware operators. When the victim succumbs to clicking on the phishing link in an email, this acts as the pivotal gateway for threat actors to gain access. These techniques continue to be effective for attackers for several reasons:

1. Deceptive techniques: These malware strains often employ sophisticated phishing tactics, such as sending emails that appear legitimate or even mimic ongoing conversations, tricking users into trusting the content.
2. Exploiting human vulnerabilities: Phishing relies on human emotions, like curiosity or urgency, to prompt action. The emails lure recipients into clicking on links or downloading attachments by posing as urgent or important messages.
3. Social engineering: This technique manipulates users’ trust in familiar platforms or individuals, making it harder to recognize malicious intent.
   Diverse attack vectors: These malware strains utilize various entry points, such as email attachments or links, exploiting vulnerabilities in systems or software. This multipronged approach increases the chances of success.
4. Adaptability: QakBot, DarkGate, and PikaBot constantly evolve, adapting their phishing strategies to bypass security measures, which makes them harder to detect and mitigate.
5. Automated Distribution: These threats can spread rapidly, leveraging automated systems to send out phishing emails on a large scale, increasing the probability of someone falling victim to their tactics.

What can be done?

User awareness and education can be extremely effective in thwarting phishing attacks like these, since threat actors are largely relying on that first click to open the doors for them.

The reality is, however, that human vulnerabilities coupled with deceptive tactics on the part of threat actors tend to lead to that URL link being clicked on. Phishing tactics are continuously evolving and becoming more sophisticated. Attackers employ various tactics like social engineering to create convincing replicas of legitimate emails, making it harder for traditional security measures to differentiate.

For this reason, remote browser isolation (RBI) is effective against phishing attacks that involve clicking on URLs because it executes browsing sessions away from the local device, isolating potential threats within a controlled environment. Here’s why it is effective:

1. Isolates execution: When a user clicks on a URL, the browsing session takes place in a remote environment. This prevents any potential malware or threats from reaching the user’s device directly, as the browsing activity is separated from the local system.
2. Limits exposure: By isolating the browsing session—even if the URL leads to a malicious site—any malware or harmful content encountered remains isolated within the remote environment. It doesn’t have direct access to the user’s device or network.
3. Prevents device infection: Since the browsing occurs in an isolated environment, any malware encountered during the browsing session doesn’t have an opportunity to infect the user’s device or compromise sensitive data.
4. Reduces the attack surface: Remote browser isolation minimizes the attack surface by ensuring that potentially dangerous web content is never loaded onto the user’s device, mitigating the risks associated with phishing URLs.
5. Enhances security posture: It adds an extra layer of security by separating the user’s interaction with potentially risky web content from the local device and network, reducing the chances of successful phishing attacks.