ORC Webhosting GmbH Landquart/Switzerland

Dynamite phishing - After Emotet and Qakbot now follows DarkGate

Alerts and information from the National Cyber Security Center NCSC.

The National Cyber Security Centre (NCSC) is again warning of an increase in dangerous emails after a brief lull over the past two weeks. These emails reuse text from earlier email correspondence to make recipients believe they have already been in contact with the sender. Because both the sender and the earlier exchange are familiar to the victim, the victim is more likely to click a link in the email, which leads to the installation of malware. In this case the malware is "DarkGate", which has advanced features and can open the door to ransomware.

The deception tactic: old email communication as a weapon

Using old communication histories as a lure is not a new method. As early as 2019, the "Emotet" malware used this technique, known as "dynamite phishing", to trick victims into opening a document. On infected devices, the malware harvested emails from the victims' Outlook mailboxes and used them to send the malware to further potential victims. Because the recipient recognizes the earlier exchange, the likelihood that the malicious attachment is opened increases.

The legacy of "Emotet" malware and the continuation with "Qakbot"

After the "Emotet" network was temporarily taken down in early 2021, the "Qakbot" malware took over the method of abusing old correspondence. Although "Qakbot" had already been in use for more than ten years, it was for a time distributed through the "Emotet" network as an additional malicious module. Notably, in summer 2020 the "Qakbot" authors added a so-called "email collection module", which used stolen credentials to extract emails from victims' Microsoft Outlook clients for use in further attacks.

In August 2023, "Qakbot" met a fate similar to "Emotet": law enforcement agencies in the US and Europe took control of the botnet's command-and-control infrastructure, so the attackers lost control of the infected PCs. However, the people behind it were not arrested, and the spam infrastructure was only partially dismantled.

Rise of "DarkGate": A new threat with advanced features

In recent weeks, "DarkGate" has come into focus because this malware also relies on old correspondence. In this case, the spam message carries a PDF attachment containing a link to the malware.

"DarkGate" has been active since 2017, but it was only this summer that the malware gained wider notoriety, when its alleged developer announced new features. These go beyond those of a traditional downloader and include hidden remote access, a reverse proxy, a Discord token stealer and the ability to steal browser history. It is believed that criminal groups that previously used "Qakbot" have now switched to "DarkGate".

Old communication, new abuse

Notably, some of the correspondence used in the latest variants of the malware is very old; in this case it dates back to 2017. It can therefore be assumed that the malware is not currently intercepting live email traffic but relies on databases that were stolen years ago by other actors.

Email with a malicious PDF file referring to an old communication from 2017.
When opening the PDF file, the reader is prompted to press the "Open" button. After that, they are directed to download the malware.
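Two signals from the description above can be checked mechanically at the mail gateway: a reply whose quoted thread is years older than its own Date header, and a PDF attachment whose only purpose is to carry a link. The following Python triage heuristic is an added example and is not code from the NCSC, ORC Webhosting or the DarkGate report; the sample message, addresses, URL, quoted-header patterns and the two-year staleness threshold are constructed assumptions, and the PDF scan is a regex over literal-string /URI actions rather than a full PDF parser.

```python
"""Triage heuristic for 'dynamite phishing' replies (added example, not NCSC/ORC code)."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

# Quoted-reply header lines as Outlook/Gmail render them, English and German.
# Assumption: mail clients in the environment use one of these conventions.
QUOTED_DATE_LINE = re.compile(
    r"^[>\s]*(?:Sent|Date|Gesendet|Datum):\s*(.+)$"
    r"|^[>\s]*(?:On|Am)\s+(.+?)\s+(?:wrote|schrieb)\b",
    re.I | re.M,
)
YEAR = re.compile(r"\b(20\d\d)\b")
# PDF link annotations carry their target in a /URI action. Only the literal-string
# form is matched here; hex-string targets would need a real PDF parser.
PDF_URI = re.compile(rb"/URI\s*\(([^)]*)\)")
PDF_ACTIVE = (b"/JavaScript", b"/Launch", b"/OpenAction")
STALE_YEARS = 2  # threshold is an assumption for this example


def quoted_years(body: str) -> list[int]:
    """Years mentioned in quoted-reply header lines of the message body."""
    years = []
    for m in QUOTED_DATE_LINE.finditer(body):
        text = m.group(1) or m.group(2) or ""
        years.extend(int(y) for y in YEAR.findall(text))
    return years


def pdf_findings(data: bytes) -> dict:
    """Link targets and active-content markers found in raw PDF bytes."""
    return {
        "uris": [u.decode("latin-1") for u in PDF_URI.findall(data)],
        "active_content": [k.decode() for k in PDF_ACTIVE if k in data],
    }


def triage(raw: bytes) -> dict:
    """Flag a message that resumes a stale thread and carries a link-bearing PDF."""
    msg = message_from_bytes(raw, policy=policy.default)
    sent = parsedate_to_datetime(str(msg["Date"]))
    body = msg.get_body(preferencelist=("plain",))
    years = quoted_years(body.get_content() if body else "")
    gap = sent.year - min(years) if years else 0
    pdfs = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "application/pdf" or name.lower().endswith(".pdf"):
            pdfs[name] = pdf_findings(part.get_payload(decode=True))
    stale = gap >= STALE_YEARS
    return {
        "stale_thread": stale,
        "years_since_quoted": gap,
        "pdf_attachments": pdfs,
        "suspicious": stale and any(p["uris"] or p["active_content"] for p in pdfs.values()),
    }


def build_sample_message() -> bytes:
    """Constructed sample modelled on the NCSC description: a 2023 reply to a 2017
    thread with a PDF whose only content is a link button. All names are invented."""
    pdf = (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 190 90]\n"
        b"   /A << /S /URI /URI (https://files.example.invalid/Open) >> >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )
    msg = EmailMessage()
    msg["From"] = "Anna Muster <anna.muster@example.invalid>"
    msg["To"] = "buchhaltung@example.invalid"
    msg["Subject"] = "AW: Rechnung Maerz"
    msg["Date"] = "Mon, 16 Oct 2023 09:12:00 +0200"
    msg.set_content(
        "Guten Tag\n\nAnbei das besprochene Dokument.\n\n"
        "-----Ursprüngliche Nachricht-----\n"
        "Von: buchhaltung@example.invalid\n"
        "Gesendet: Dienstag, 14. März 2017 10:15\n"
        "Betreff: Rechnung Maerz\n\n> Vielen Dank für die Zusendung.\n"
    )
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="Rechnung.pdf")
    return bytes(msg)


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

On the constructed sample the result reports a six-year gap between the quoted "Gesendet" line and the Date header, one PDF with a single external link and no scripting markers, and therefore `suspicious: True`. In production the year heuristic should give way to full date parsing of the quoted headers, and the PDF step to a proper parser, but the combination of the two signals is what distinguishes this lure from an ordinary late reply.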

According to a report by the security vendor Trend Micro, "DarkGate" also uses other communication channels and spreads, for example, via compromised Skype and Microsoft Teams accounts. As with the email tactic, the compromised Skype account has had previous contact with the victim and appears to send a PDF file. In reality, however, it is a malicious VBScript (Visual Basic Script) file, which then attempts to download and install the malware.

The NCSC offers the following advice to protect against malware infections:

  1. Be aware that malicious emails can also come from senders that look familiar to you.
  2. Be alert if a previously interrupted communication is unexpectedly resumed.
  3. Open email attachments with caution, even if they come from supposedly trusted sources.


This information is courtesy of the National Cyber Security Centre (NCSC). Visit the NCSC's official website for more in-depth cybersecurity information and resources: www.ncsc.admin.ch.

Silvio Mazenauer
