Phishing campaigns delivering malware families such as DarkGate and PikaBot are following the same tactics previously used in attacks leveraging the now-defunct QakBot trojan.
"These include hijacked email threads as the initial infection, URLs with unique patterns that limit user access, and an infection chain nearly identical to what we have seen with QakBot delivery," Cofense said in a report shared with The Hacker News.
"The malware families used also follow suit to what we would expect QakBot affiliates to use."
QakBot, also called QBot and Pinkslipbot, was shut down in August 2023 as part of a coordinated law enforcement effort codenamed Operation Duck Hunt.
The use of DarkGate and PikaBot in these campaigns is not surprising: both are loaders that can deliver additional payloads to compromised hosts, which makes them an attractive option for cybercriminals looking to replace QakBot's initial-access role.
PikaBot's parallels to QakBot were previously highlighted by Zscaler in its analysis of the malware in May 2023, noting similarities in the "distribution methods, campaigns, and malware behaviors."
DarkGate, for its part, incorporates advanced techniques to evade detection by antivirus systems, alongside capabilities to log keystrokes, execute PowerShell, and implement a reverse shell that allows its operators to commandeer an infected host remotely.
"The connection is bidirectional, meaning the attackers can send commands and receive responses in real-time, enabling them to navigate the victim's system, exfiltrate data, or perform other malicious actions," Sekoia said in a new technical report of the malware.
Cofense's analysis of the high-volume phishing campaign shows that it targets a wide range of sectors. The attack chain starts with a booby-trapped URL, inserted into a hijacked email thread, that points to a ZIP archive.
The ZIP archive contains a JavaScript dropper that, in turn, contacts a second URL to download and run either the DarkGate or PikaBot malware.
A noteworthy variant of the attacks has been observed taking advantage of Excel add-in (XLL) files in lieu of JavaScript droppers to deliver the final payloads.
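The chain described above (ZIP archive, then a JavaScript dropper or an XLL add-in, then a second-stage download) can be caught at the mail gateway before anything executes. As an added example that is not part of Cofense's report or the original article, the Python below inspects a ZIP attachment entirely in memory and flags script droppers, XLL add-ins, decoy double extensions such as `Invoice.pdf.js`, and nested archives. The extension lists and the sample archives it builds are constructed for the illustration and are not indicators published by Cofense.

```python
import io
import zipfile

# Extensions that Windows hands to WScript/CScript or mshta (script droppers)
# and Excel add-ins. These sets are an assumption made for this example, not
# a list taken from the report.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}
ADDIN_EXTS = {".xll"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".png"}


def _extensions(member_name):
    """Return the lower-cased extensions of a member, innermost first.

    'Invoice_2023.pdf.js' -> ['.js', '.pdf']
    """
    base = member_name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in reversed(parts[1:])]


def inspect_zip(zip_bytes, max_nesting=2):
    """Walk a ZIP attachment and return a list of (member, reason) findings.

    Nothing is extracted to disk or executed; only member names and the
    first bytes of XLL members are read.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid ZIP")]

    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        exts = _extensions(name)
        last = exts[0] if exts else ""

        if last in SCRIPT_EXTS:
            findings.append((name, f"script dropper ({last})"))
        elif last in ADDIN_EXTS:
            findings.append((name, "Excel add-in (XLL)"))
            # XLL add-ins are PE DLLs, so a genuine one begins with 'MZ'.
            with zf.open(info) as fh:
                if fh.read(2) != b"MZ":
                    findings.append((name, "XLL without PE header (malformed)"))
        elif last == ".zip" and max_nesting > 0:
            # ZIP-in-ZIP: recurse so a nested archive cannot hide the dropper.
            with zf.open(info) as fh:
                for inner, reason in inspect_zip(fh.read(), max_nesting - 1):
                    findings.append((f"{name}/{inner}", reason))

        # 'Invoice.pdf.js' style names show a decoy document extension to the
        # user while Windows executes the real (last) extension.
        if len(exts) >= 2 and exts[1] in DECOY_EXTS and last not in DECOY_EXTS:
            findings.append((name, f"decoy double extension ({exts[1]}{last})"))

    return findings


def build_sample_zip():
    """Constructed lure resembling the chain above (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2023.pdf.js", "var s = new ActiveXObject('WScript.Shell');")
        zf.writestr("readme.txt", "please review the attached invoice")
    return buf.getvalue()


def build_sample_xll_zip():
    """Constructed XLL variant: a stub PE header, no real add-in code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Quote_Q4.xll", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def build_nested_sample_zip():
    """Constructed ZIP that wraps the JavaScript lure in a second archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoices.zip", build_sample_zip())
    return buf.getvalue()


if __name__ == "__main__":
    for sample in (build_sample_zip(), build_sample_xll_zip(), build_nested_sample_zip()):
        for member, reason in inspect_zip(sample):
            print(f"{member}: {reason}")
```

In a gateway or sandbox pipeline the findings list would feed a verdict (quarantine on any script dropper or XLL, detonate on decoy names); the point of reading only headers and names is that the check never gives the dropper a chance to reach its second-stage URL.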
"A successful DarkGate or PikaBot infection could lead to the delivery of advanced crypto mining software, reconnaissance tools, ransomware, or any other malicious file the threat actors wish to install on a victim's machine," Cofense said.