New malvertising campaign distributing PikaBot disguised as popular software

Malvertising Campaign

The malware loader known as PikaBot is distributed as part of a malvertising campaign that targets users searching for legitimate software such as AnyDesk.

“PikaBot was previously only distributed through malspam campaigns, similar to QakBot, and emerged as one of the favored payloads for a threat actor known as TA577,” said Jérôme Segura of Malwarebytes.

The malware family, which first appeared in early 2023, consists of a loader and a core module that allow it to function both as a backdoor and as a distributor for other payloads.

This allows the threat actors to gain unauthorized remote access to compromised systems and send commands from a command-and-control (C2) server, ranging from arbitrary shellcode, DLLs, or executables to other malicious tools such as Cobalt Strike.

One of the threat actors that uses PikaBot in its attacks is TA577, a prolific cybercrime player that has delivered QakBot, IcedID, SystemBC, SmokeLoader, Ursnif and Cobalt Strike in the past.

Last month, it emerged that PikaBot, along with DarkGate, is being distributed through malspam campaigns similar to QakBot’s. “Pikabot infection led to Cobalt Strike on 207.246.99[.]159:443 with master unis[.]just like his domain”, Palo Alto Networks Unit 42 revealed recently.

The latest initial infection vector is a malicious Google ad for AnyDesk that, when clicked by a victim from the search results page, redirects to a fake website called anadesky.ovmv[.]net that points to a malicious MSI installer hosted on Dropbox.

It is worth pointing out that the redirection to the fake website only occurs after fingerprinting the request, and only if it does not come from a virtual machine.

“The threat actors bypass Google’s security controls with a tracking URL through a legitimate marketing platform to redirect to their custom domain behind Cloudflare,” Segura explains. “At this time, only clean IP addresses are forwarded to the next step.”

Interestingly, a second round of fingerprinting takes place when the victim clicks the download button on the website, likely in an additional effort to ensure that it cannot be accessed in a virtualized environment.
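The chain described above (search ad, lookalike landing domain, MSI pulled from a file-sharing host) can be looked for in web-proxy logs. The script below is an added example, not code from the article or from Malwarebytes; it assumes a simplified log layout of client, referrer, URL and content type, with the tracking-platform and Cloudflare hops collapsed, and a hand-maintained list of brands and their legitimate domains.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Assumed lists: brand -> legitimate download domains; extend for your estate.
BRANDS = {"anydesk": {"anydesk.com"}}
SEARCH_ENGINES = {"www.google.com", "www.bing.com"}
FILE_HOSTS = {"www.dropbox.com", "dl.dropboxusercontent.com"}

# Constructed sample log: client  referrer  url  content-type
SAMPLE_LOG = """\
10.0.0.5 https://www.google.com/search?q=anydesk https://anadesky.ovmv.net/ text/html
10.0.0.5 https://anadesky.ovmv.net/ https://www.dropbox.com/s/abc/AnyDesk.msi application/x-msi
10.0.0.7 https://www.google.com/search?q=anydesk https://anydesk.com/en/downloads text/html
10.0.0.7 https://anydesk.com/en/downloads https://download.anydesk.com/AnyDesk.exe application/octet-stream
"""

def levenshtein(a, b):
    """Edit distance, used to catch typo-squatted labels such as 'anadesky'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host(url):
    return (urlparse(url).hostname or "").lower()

def lookalike_brand(h):
    """Return the brand a host imitates, or None if it is a legitimate domain."""
    for brand, legit in BRANDS.items():
        if any(h == d or h.endswith("." + d) for d in legit):
            return None
        if any(levenshtein(label, brand) <= 2 for label in h.split(".")):
            return brand
    return None

def find_chains(log_text):
    """Return (client, lookalike host, installer URL) for every matching chain."""
    hits, by_client = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            client, ref, url, ctype = line.split()
            by_client[client].append((ref, url, ctype))
    for client, hops in by_client.items():
        # Landing pages reached from a search engine whose host imitates a brand.
        landings = {host(url) for ref, url, _ in hops
                    if host(ref) in SEARCH_ENGINES and lookalike_brand(host(url))}
        for ref, url, ctype in hops:
            if host(ref) in landings and host(url) in FILE_HOSTS and (
                    url.lower().endswith(".msi") or ctype == "application/x-msi"):
                hits.append((client, host(ref), url))
    return hits
```

Real referrer chains will contain the intermediate tracking redirects, so in production the landing-page match should look at the first non-search, non-marketing-platform host in the session rather than the immediate referrer.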

Malwarebytes said the attacks are reminiscent of previously identified malvertising chains used to distribute another loader malware known as FakeBat (also known as EugenLoader).

Malvertising campaign

“This is especially interesting because it points to a common process used by different threat actors,” Segura said. “Maybe this is something like ‘malvertising-as-a-service’, where Google ads and lure pages are served to malware distributors.”

This revelation comes as the cybersecurity firm said it had detected a spike in malicious ads via Google searches for popular software such as Zoom, Advanced IP Scanner and WinSCP to deliver a never-before-seen loader called HiroshimaNukes and FakeBat.

“It uses several techniques to evade detection, from DLL side-loading to very large payloads,” Segura said. “The goal is to drop additional malware, usually a stealer followed by data exfiltration.”

The rise in malvertising is indicative of how browser-based attacks act as channels for infiltrating target networks. This also includes a new Google Chrome extension framework codenamed ParaSiteSnatcher, which allows threat actors to “monitor, manipulate and exfiltrate highly sensitive information from multiple sources.”

The rogue extension is specifically designed to compromise users in Latin America and is notable for using the Chrome Browser API to intercept and exfiltrate all POST requests containing sensitive account and financial information. It is downloaded via a VBScript downloader hosted on Dropbox and Google Cloud and installed on an infected system.

“Once installed, the extension manifests itself using extended permissions enabled through the Chrome extension, allowing it to manipulate web sessions and web requests and track user interactions across multiple tabs using the Chrome Tabs API,” Trend Micro said last month.

“The malware includes several components that facilitate its operation, including content scripts that inject malicious code into web pages, monitor Chrome tabs, and intercept user input and web browser communications.”
