The malware loader known as PikaBot is distributed as part of a malvertising campaign targeting users searching for legitimate software such as AnyDesk.
“PikaBot was previously only distributed through malicious spam campaigns similar to QakBot and became one of the payloads of choice for TA577 threat actors,” said Jérôme Segura of Malwarebytes.
The malware family first appeared in early 2023 and consists of a loader and a core module that enable it to operate as a distributor of backdoors and other payloads.
This allows threat actors to gain unauthorized remote access to infected systems and transmit commands from command and control (C2) servers, ranging from arbitrary shellcode, DLL or executable files to other malicious tools such as Cobalt Strike).
From user to administrator: Learn how hackers gain total control
Learn the secret tactics hackers use to become administrators and how to detect and stop it before it’s too late. Register now for our webinar.
Join now
One of the threat actors leveraging PikaBot for attacks is TA577, a prolific cybercriminal threat actor who has implemented QakBot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in the past.
Last month, it was revealed that PikaBot and DarkGate were being spread through malicious spam campaigns similar to QakBot. “Pikabot infection causes Cobalt Strike on 207.246.99[.]159:443 using masterunis[.]net as its domain” Palo Alto Networks Unit 42 disclosed recent.
The latest initial infection vector is AnyDesk’s malicious Google ads. When victims click on the ads from the search results page, the ads redirect to a fake website called anadesky.ovmv.[.]net points to a malicious MSI installer hosted on Dropbox.
It’s worth pointing out that redirection to the fake website only occurs after the request is fingerprinted, and only if the request does not originate from a virtual machine.
“Threat actors used tracking URLs through legitimate marketing platforms to bypass Google’s security checks and redirect to custom domains behind Cloudflare,” Segura explained. “At this point, only clean IP addresses will be forwarded to the next step.”
Interestingly, when the victim clicks on the download button on the website, a second round of fingerprinting occurs, possibly to ensure that it cannot be accessed in a virtualized environment.
Malwarebytes said the attacks are reminiscent of previously discovered malvertising chains used to spread another loader malware called FakeBat, also known as EugenLoader.
“This is particularly interesting because it points to a common process used by different threat actors,” Segura said. “Perhaps, this is similar to ‘malvertising as a service,’ where Google ads and bait pages are served to malware distributors.”
該資訊披露之際,這家網路安全公司表示,透過谷歌搜尋Zoom、Advanced IP Scanner 和WinSCP 等流行軟體,發現惡意廣告激增,這些軟體提供了一種名為HiroshimaNukes 和FakeBat 的前所未見的加載program.
“[HiroshimaNukes] Multiple techniques are used to bypass detection ranging from DLL sideloading to very large payloads,” Segura said. “The goal is to remove other malware, usually stealers, and then perform data exfiltration.”
The rise in malvertising demonstrates how browser-based attacks serve as conduits to penetrate target networks. Also included is a new Google Chrome extension framework codenamed ParaSiteSnatcher, which allows threat actors to “monitor, manipulate and steal highly sensitive information from multiple sources.”
This malicious extension is specifically designed to harm users in Latin America. It is worth noting that it uses Chrome browser APIs to intercept and exfiltrate all POST requests containing sensitive account and financial information. It is downloaded via VBScript downloaders hosted on Dropbox and Google Cloud and installed on infected systems.
Trend Micro said last month: “Once installed, the extension will appear with the help of broad permissions enabled through Chrome Extensions, allowing it to manipulate network sessions, network requests, and track using the Chrome Tab API User interaction between multiple tabs.”
“The malware includes various components that facilitate its operations, content scripts capable of injecting malicious code into web pages, monitoring Chrome tabs, and intercepting user input and web browser communications.”