New Malvertising Campaign Distributing PikaBot Disguised as Popular Software

December 19, 2023 at 06:33AM

The PikaBot malware loader, previously distributed through malspam campaigns, has now been linked to malvertising targeting users seeking software like AnyDesk. It operates as a backdoor, enabling unauthorized remote access and delivery of other malicious tools. PikaBot is employed by threat actors, including TA577, using sophisticated techniques to evade detection and compromise systems.

Key takeaways:

1. PikaBot, a malware loader, is being distributed through malvertising campaigns targeting users searching for legitimate software like AnyDesk.
2. PikaBot was previously distributed via malspam campaigns and has emerged as a preferred payload for a threat actor known as TA577.
3. The malware family consists of a loader and a core module, enabling threat actors to gain unauthorized remote access to compromised systems and transmit commands from a command-and-control (C2) server.
4. TA577 is one of the threat actors leveraging PikaBot in its attacks, and they have previously delivered other malware like QakBot, IcedID, and Cobalt Strike.
5. Alongside the ongoing malspam campaigns, the latest initial infection vector is a malicious Google ad for AnyDesk that redirects victims to a fake website hosting a malicious MSI installer.
6. Fingerprinting mechanisms control which visitors are redirected to the malicious website and block the download in virtualized environments, which hinders sandbox analysis of the installer.
7. The rise in malvertising includes the dissemination of other loader malware like HiroshimaNukes and FakeBat via malicious ads through Google searches for popular software.
8. Browser-based attacks, including a new Google Chrome extension framework called ParaSiteSnatcher, are being used to infiltrate target networks, particularly in Latin America.
