PikaBot Malware Strikes: Malvertising Campaign Targets AnyDesk Users

Dec 19, 2023 | News


A new malware loader known as PikaBot has been identified as part of a malvertising campaign that specifically targets users searching for legitimate software such as AnyDesk. According to Jérôme Segura of Malwarebytes, PikaBot, previously distributed via malspam campaigns, has now emerged as a preferred payload for the threat actor TA577.

This malware family, which made its first appearance in early 2023, consists of a loader and a core module that enables it to function as a backdoor and distribute other payloads. This allows threat actors to gain unauthorized remote access to compromised systems and execute commands from a command-and-control (C2) server, including the transmission of malicious tools such as Cobalt Strike.
 
TA577, a prolific cybercrime threat actor, has been identified as one of the threat actors leveraging PikaBot in its attacks. In the past, TA577 has delivered various malware, including QakBot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.


Recent reports have revealed that PikaBot, along with DarkGate, is being propagated via malspam campaigns similar to those previously associated with QakBot. Palo Alto Networks Unit 42 has also disclosed PikaBot infections that led to Cobalt Strike being deployed, with the operators using dedicated domains for that follow-on activity.
 
The latest initial infection vector involves a malicious Google ad for AnyDesk, which, when clicked, redirects victims to a fake website hosting a malicious MSI installer on Dropbox. Notably, the redirection to the bogus website occurs after fingerprinting the request, and only if it’s not originating from a virtual machine.
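The VM check in that chain means a sandbox that follows the ad may never reach the decoy site or the installer, so the most reliable place to catch the pattern is proxy or DNS telemetry from real users. The following is an added example, not code from Malwarebytes or The Hacker News: a small detector that scans proxy log lines for the sequence described above (a search-ad click, a landing page that is not the vendor's own domain, then an installer fetched from a file-sharing host). The log format, the `OFFICIAL_DOMAINS` allow-list, the `.example` landing domain and every URL in the sample are constructed for the example and are not indicators from the campaign.

```python
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample proxy log (NOT real IOCs). Fields: client timestamp method url referer
SAMPLE_LOG = """\
10.0.0.5 2023-12-19T10:01:02Z GET https://www.google.com/search?q=anydesk+download -
10.0.0.5 2023-12-19T10:01:05Z GET https://www.googleadservices.com/pagead/aclk?sa=L&ai=EXAMPLE https://www.google.com/
10.0.0.5 2023-12-19T10:01:06Z GET https://anydesk-download.example/ https://www.googleadservices.com/
10.0.0.5 2023-12-19T10:01:09Z GET https://www.dropbox.com/scl/fi/EXAMPLE/AnyDesk.msi?dl=1 https://anydesk-download.example/
10.0.0.9 2023-12-19T10:05:00Z GET https://anydesk.com/en/downloads -
10.0.0.9 2023-12-19T10:05:03Z GET https://download.anydesk.com/AnyDesk.exe https://anydesk.com/en/downloads
"""

# Assumed allow-list of vendor domains whose own downloads are expected (example only).
OFFICIAL_DOMAINS = {"anydesk.com"}
# File-sharing hosts that legitimate vendors do not normally use to ship installers.
FILE_SHARE_HOSTS = {"dropbox.com", "dropboxusercontent.com"}
INSTALLER_EXT = (".msi", ".exe")


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _in_domains(host, domains):
    """True if host equals or is a subdomain of any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def is_ad_click(url):
    """Google search-ad click redirect: googleadservices.com, or google.com/aclk."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if _in_domains(host, {"googleadservices.com"}):
        return True
    return _in_domains(host, {"google.com"}) and parsed.path.startswith("/aclk")


def is_installer_download(url):
    return urlparse(url).path.lower().endswith(INSTALLER_EXT)


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, ts, method, url, referer = line.split()
        events.append({
            "client": client,
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "method": method,
            "url": url,
            "referer": "" if referer == "-" else referer,
        })
    return events


def find_malvertising_chains(log_text, window_seconds=300):
    """Flag installer downloads that (a) are not served from the vendor's own domain
    and (b) follow a search-ad click by the same client within window_seconds."""
    by_client = {}
    for e in parse_log(log_text):
        by_client.setdefault(e["client"], []).append(e)

    alerts = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, e in enumerate(events):
            if not is_installer_download(e["url"]):
                continue
            host = _host(e["url"])
            if _in_domains(host, OFFICIAL_DOMAINS):
                continue  # vendor's own download, expected
            recent = [p for p in events[:i]
                      if (e["ts"] - p["ts"]).total_seconds() <= window_seconds]
            if not any(is_ad_click(p["url"]) for p in recent):
                continue
            alerts.append({
                "client": client,
                "installer_url": e["url"],
                "landing_host": _host(e["referer"]),
                "from_file_share": _in_domains(host, FILE_SHARE_HOSTS),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_malvertising_chains(SAMPLE_LOG):
        print(alert)
```

The second client in the sample goes straight to the vendor site and is not flagged; the first matches all three conditions. In production the allow-list would cover every vendor your users legitimately download, and the ad-click test would be extended to the click-tracking hosts of other ad networks.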
 

Malwarebytes has highlighted that these attacks bear resemblance to previously identified malvertising chains used to disseminate another loader malware known as FakeBat (aka EugenLoader). This suggests a common process used by different threat actors, possibly indicating a form of ‘malvertising-as-a-service’ where Google ads and decoy pages are provided to malware distributors.

[Figure: Malvertising Campaign]
The rise in malvertising activities has been accompanied by the detection of a spike in malicious ads through Google searches for popular software, leading to the delivery of a previously unseen loader called HiroshimaNukes as well as FakeBat. These attacks utilize various techniques to bypass detection and aim to drop additional malware, typically a stealer followed by data exfiltration.



Furthermore, the emergence of a new Google Chrome extension framework codenamed ParaSiteSnatcher has raised concerns, as it allows threat actors to monitor, manipulate, and exfiltrate highly sensitive information from multiple sources, particularly targeting users in Latin America.
 
Trend Micro has reported that this rogue extension is delivered by a VBScript downloader hosted on Dropbox and Google Cloud and installed with extensive permissions that let it manipulate web sessions, intercept user input, and track user interactions across multiple tabs through the Chrome tabs API.


Source: thehackernews.com