The National Cyber Security Centre (NCSC) is again warning of an increase in dangerous emails over the past two weeks, following a brief lull. These emails reuse text passages from earlier email correspondence to make recipients believe that contact has already been established. Because both the sender and the earlier exchange look familiar to the victim, the likelihood increases that the victim will click on a link contained in the email, which leads to the installation of malware. In this case the malware is "DarkGate," which has advanced features and a mechanism that can pave the way for ransomware.
The deception tactic: old email communication as a weapon
The method of using old communication histories for deception is not new. As early as 2019, the "Emotet" malware used this technique, known as "dynamite phishing", to trick victims into opening a document. The malware searched the Outlook files on infected devices for emails and used them to send the malware on to further potential victims. Because the old communication was known to the recipient, the likelihood that the malicious attachment would be opened increased.
The legacy of "Emotet" malware and the continuation with "Qakbot"
After the temporary deactivation of the "Emotet" network in early 2021, the "Qakbot" malware took over this method by using the old communication. Although "Qakbot" had already been in use for over ten years, it was temporarily spread via the "Emotet" network as an additional malicious module. Interestingly, in the summer of 2020, the "Qakbot" authors implemented a so-called "email collection module," which used stolen credentials to extract emails from victims' Microsoft Outlook clients and use them for further attacks.
In August 2023, "Qakbot" met a similar fate to "Emotet." Law enforcement agencies in the US and Europe took control of the botnet's command and control infrastructure. As a result, the attackers lost control of the infected PCs. However, those behind it were not caught, and the spam infrastructure was only partially dismantled.
Rise of "DarkGate": A new threat with advanced features
In recent weeks, "DarkGate" has come into focus because this malware reuses old communication in the same way. In this case, a PDF document containing a link to the malware is attached to the spam message.
"DarkGate" has been active since 2017, but it was only this summer that the malware gained wider notoriety when the alleged developer announced new features. These features go beyond those of a traditional downloader and include hidden remote access, a reverse proxy and a Discord token stealer, as well as the ability to steal browsing history. It is believed that criminal groups that previously used "Qakbot" have now switched to "DarkGate".
Old communication, new abuse
It is worth noting that in the latest variants of the malware, some of the reused communications are very old. In this case they date back to 2017, so it can be assumed that the malware is not intercepting current email communications but is relying on databases that were stolen years ago by other actors.
According to a report by security service provider Trend Micro, "DarkGate" additionally uses other communication channels and spreads, for example, via hacked Skype and Microsoft Teams accounts. As with the email tactic, the compromised Skype account has had previous contact with the victim and apparently sends a PDF file. In reality, however, it is a malicious VBS (Visual Basic Script) file. This script then attempts to download and install the malware.
The NCSC offers the following advice to protect against malware infections:
- Be aware that malicious emails can also come from senders that look familiar to you.
- Be alert if a previously interrupted communication is unexpectedly resumed.
- Open email attachments with caution, even if they come from supposedly trusted sources.
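The second piece of advice (an old thread that is unexpectedly resumed) and the observation that the quoted correspondence dates back to 2017 can be turned into a simple mail-gateway check. The following is an added example, not code from the NCSC or from the cited reports; the quoted-reply format, the 365-day threshold and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Lead-in that mail clients place above quoted text, carrying an RFC 2822 date.
# Assumption: this single English format is enough for the illustration.
QUOTE_HEADER = re.compile(
    r"^On (\w{3}, \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}), .* wrote:\s*$",
    re.MULTILINE,
)
STALE_DAYS = 365  # assumed threshold; tune to your own mail environment


def thread_resumption_indicators(raw_message: bytes) -> dict:
    """Return the signals that mark a reply to an old thread as suspicious."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sent = parsedate_to_datetime(msg["Date"])
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    gap_days = None
    m = QUOTE_HEADER.search(text)
    if m:  # age of the quoted message relative to the new one
        gap_days = (sent - parsedate_to_datetime(m.group(1))).days
    return {
        "quoted_gap_days": gap_days,
        # a genuine reply normally references the thread it continues
        "has_thread_headers": bool(msg["In-Reply-To"] or msg["References"]),
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
        "stale_thread": gap_days is not None and gap_days > STALE_DAYS,
    }


# Constructed sample: a "reply" quoting a 2017 exchange, with a PDF attached.
SAMPLE = b"""From: partner@example.com
Subject: RE: invoice figures
Date: Tue, 10 Oct 2023 09:00:00 +0000
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi, please see the attached document.

On Mon, 06 Mar 2017 09:00:00 +0000, victim@example.org wrote:
> Thanks, I'll send the figures next week.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="document.pdf"

%PDF-1.4 (constructed placeholder, not a real file)
--b1--
"""
```

A message that quotes a years-old thread, carries no threading headers and arrives with a PDF attachment is worth routing to manual review rather than blocking outright, since legitimate reactivated contacts will also trip the first signal.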
This information is courtesy of the National Cyber Security Centre (NCSC). Visit the NCSC's official website for more in-depth cybersecurity information and resources: www.ncsc.admin.ch.