A concerning malvertising campaign has surfaced that disguises PikaBot as sought-after software such as AnyDesk, marking a significant shift in its distribution tactics. PikaBot, previously associated with malspam campaigns akin to QakBot's, has now become a preferred payload for the infamous threat actor TA577.
PikaBot, an evolving malware family introduced in early 2023, consists of a loader and a core module, which lets it function both as a backdoor and as a distributor for other malicious payloads. This gives threat actors unauthorized remote access to compromised systems and the ability to execute arbitrary commands issued by a command-and-control (C2) server. These commands range from running arbitrary shellcode to loading DLLs and executables, including advanced tools such as Cobalt Strike.
Among the entities harnessing PikaBot’s capabilities in their attacks, TA577 stands prominent. Renowned for delivering a roster of notorious malware such as QakBot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike, TA577 leverages PikaBot as a potent weapon in their cybercrime endeavors.
Recent research detailed the propagation channels for PikaBot, describing its connection with DarkGate and the distribution of both via malspam campaigns that mirror the tactics of QakBot. In those campaigns, PikaBot went on to launch Cobalt Strike via specific domains and IPs.
The latest method of initial infection involves a deceptive redirection tactic. A Google ad posing as AnyDesk leads victims to a counterfeit website (anadesky.ovmv[.]net) that redirects to a malicious MSI installer hosted on Dropbox. Notably, this redirection only happens after the request has been inspected and found to originate from a non-virtual machine, which helps the campaign evade analysis sandboxes.
As further evidence of the layered evasion, a second round of fingerprinting occurs when the victim clicks the download button, again filtering out virtualized environments.
Researchers highlighted these attacks' similarity to previously identified malvertising chains distributing another loader, FakeBat (aka EugenLoader). This observation suggests a standardized process adopted by diverse threat actors, hinting at a potential 'malvertising-as-a-service' model that supplies malicious actors with Google ads and decoy pages.
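The ad -> lookalike decoy -> file-sharing-hosted MSI chain described above is something a defender can hunt for in web-proxy logs. The script below is an added example, not code from the original report: it flags a client that visits a domain whose label is a close typosquat of a lured brand and then downloads an installer from a file-sharing host. The log format, the vendor domains, the Dropbox hostnames and the log lines themselves are constructed assumptions for the demonstration.

```python
from urllib.parse import urlparse

# Constructed sample web-proxy log lines (not taken from the report):
# timestamp client_ip referrer_host requested_url
SAMPLE_LOG = """\
2023-12-15T10:01:02 10.0.0.5 www.google.com https://anadesky.ovmv.net/
2023-12-15T10:01:09 10.0.0.5 anadesky.ovmv.net https://www.dropbox.com/s/abc123/AnyDesk-setup.msi?dl=1
2023-12-15T10:05:00 10.0.0.7 www.google.com https://anydesk.com/en/downloads
2023-12-15T10:05:30 10.0.0.7 anydesk.com https://download.anydesk.com/AnyDesk.exe
"""

BRANDS = ["anydesk", "winscp", "zoom"]                      # lures named in the report
LEGIT_SUFFIXES = ("anydesk.com", "winscp.net", "zoom.us")   # assumed vendor domains
FILE_SHARE_HOSTS = {"www.dropbox.com", "dl.dropboxusercontent.com"}  # assumed hosts
INSTALLER_EXT = (".msi", ".exe")


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquatted brand labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host):
    """True when a non-TLD label is within a small edit distance of a lured brand
    and the host is not under the vendor's own domain (short brands get a tighter bound)."""
    host = host.lower()
    if any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES):
        return False
    return any(edit_distance(label, brand) <= (2 if len(brand) >= 6 else 1)
               for label in host.split(".")[:-1] for brand in BRANDS)


def find_chains(log_text):
    """Flag clients that reached a lookalike decoy and then fetched an installer
    from a file-sharing host (the ad -> decoy -> Dropbox MSI pattern)."""
    decoy_seen = {}      # client_ip -> first lookalike host that client visited
    hits = []
    for line in log_text.splitlines():
        ts, client, referrer, url = line.split()
        parsed = urlparse(url)
        host, path = (parsed.hostname or "").lower(), parsed.path.lower()
        if is_lookalike(host):
            decoy_seen.setdefault(client, host)
        via_decoy = client in decoy_seen or is_lookalike(referrer)
        if via_decoy and host in FILE_SHARE_HOSTS and path.endswith(INSTALLER_EXT):
            hits.append({"time": ts, "client": client,
                         "decoy": decoy_seen.get(client, referrer), "payload": url})
    return hits


if __name__ == "__main__":
    for h in find_chains(SAMPLE_LOG):
        print(f"{h['time']} {h['client']} decoy={h['decoy']} payload={h['payload']}")
```

Only the first client is flagged; the second client's traffic goes straight to the vendor's own domain and is ignored.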
Simultaneously, a concerning uptick in malicious ads surfaced in Google searches for popular software such as Zoom, Advanced IP Scanner, and WinSCP. These ads delivered a previously unseen loader dubbed HiroshimaNukes, which employs several techniques to bypass detection and drops additional malware, usually stealers, followed by data exfiltration.
The escalating prevalence of malvertising underscores the expanding avenue of browser-based attacks as a gateway to infiltrate networks. Adding to these concerns, a new Google Chrome extension framework, ParaSiteSnatcher, specifically targeting Latin American users, poses severe threats by intercepting sensitive information and manipulating web sessions using Chrome’s APIs.
Trend Micro’s recent discovery highlighted ParaSiteSnatcher’s capabilities, allowing malicious actors to intercept, manipulate, and exfiltrate highly sensitive information, emphasizing the critical importance of robust cybersecurity measures and constant vigilance against such multifaceted threats.
Mitigate the risk of falling victim to malvertising by using ad blockers or script blockers in web browsers to reduce exposure to malicious ads. Exercise caution when clicking on ads or download links, especially from unfamiliar or suspicious sources, and prefer the vendor's official site over a sponsored search result. Regularly update antivirus and antimalware software to detect and remove potential threats. Implement a robust cybersecurity strategy, including educating users about the dangers of clicking on unknown links or downloading software from unverified sources, to fortify against evolving malware distribution techniques.