According to Malwarebytes, PikaBot is a malware family that first appeared in early 2023 and is now being distributed via malvertising. The campaign targets Google searches for the remote access application AnyDesk: users who click the malicious ad are tricked into downloading a zip archive that contains a malicious JavaScript file. PikaBot's core module is then injected into the legitimate SearchProtocolHost.exe process, which makes the malware hard to spot on the host. PikaBot is used by the threat actor tracked as TA577, which has been associated with ransomware distribution and has previously delivered payloads such as QakBot, IcedID, SystemBC, and Cobalt Strike.

The distribution of PikaBot through malvertising is part of a broader increase in the use of malicious ads to drop malware aimed at businesses. Criminals have found search ads an effective way to acquire new victims, and specialized services now help malware distributors and affiliates bypass Google's security measures and set up decoy infrastructure.
IoC
SHA256
- 0e81a36141d196401c46f6ce293a370e8f21c5e074db5442ff2ba6f223c435f5
- 69281eea10f5bfcfd8bc0481f0da9e648d1bd4d519fe57da82f2a9a452d60320
- da81259f341b83842bf52325a22db28af0bc752e703a93f1027fa8d38d3495ff
IPv4
- 139.99.222.29
- 172.232.162.198
- 172.232.164.77
- 172.232.186.251
- 54.37.79.82
- 57.128.108.132
- 57.128.109.221
- 57.128.164.11
- 57.128.83.129
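The indicators above can be turned into a simple matcher for host and network telemetry. The Python script below is an added example, not code from Malwarebytes or from this post: it loads the SHA256 hashes and IPv4 addresses listed above and runs them over a few constructed key=value log lines (the log format, hostnames, paths and ports are invented for the example and are not real telemetry). It also flags the injection behaviour described in the summary with an assumed heuristic: SearchProtocolHost.exe, the Windows Search indexer host that PikaBot injects into, opening an outbound connection to a non-private address.

```python
"""Match constructed sample telemetry against the PikaBot IoCs listed above.

Added example, not code from the Malwarebytes report or from this blog.
The hashes and IPs are the ones listed on this page; every log line below
is constructed for the example. The rule that SearchProtocolHost.exe should
not open outbound connections to public addresses is an assumption derived
from the injection behaviour described in the summary.
"""
import ipaddress
import re

PIKABOT_SHA256 = {
    "0e81a36141d196401c46f6ce293a370e8f21c5e074db5442ff2ba6f223c435f5",
    "69281eea10f5bfcfd8bc0481f0da9e648d1bd4d519fe57da82f2a9a452d60320",
    "da81259f341b83842bf52325a22db28af0bc752e703a93f1027fa8d38d3495ff",
}

PIKABOT_IPV4 = {
    "139.99.222.29", "172.232.162.198", "172.232.164.77", "172.232.186.251",
    "54.37.79.82", "57.128.108.132", "57.128.109.221", "57.128.164.11",
    "57.128.83.129",
}

# Process PikaBot injects into. It is the Windows Search indexer host and has
# no reason to talk to public addresses (assumed heuristic, tune locally).
INJECTION_TARGET = "searchprotocolhost.exe"

# Constructed sample telemetry in an assumed key=value format (not a vendor
# schema). Paths with spaces are quoted.
SAMPLE_LOGS = [
    r'event=file_create host=WS01 image="C:\Users\jdoe\Downloads\AnyDesk.zip" sha256=0e81a36141d196401c46f6ce293a370e8f21c5e074db5442ff2ba6f223c435f5',
    r'event=net_connect host=WS01 image="C:\Windows\System32\SearchProtocolHost.exe" dst_ip=57.128.83.129 dst_port=443',
    r'event=net_connect host=WS01 image="C:\Program Files\Mozilla Firefox\firefox.exe" dst_ip=142.250.74.78 dst_port=443',
    r'event=net_connect host=WS02 image="C:\Windows\System32\SearchProtocolHost.exe" dst_ip=10.0.0.5 dst_port=445',
    r'event=file_create host=WS02 image="C:\Users\asmith\Downloads\setup.msi" sha256=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse key=value pairs into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_private(ip):
    """True for RFC 1918 / loopback / link-local addresses, False otherwise."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def match_event(ev):
    """Return a list of (rule, detail) hits for one parsed event."""
    hits = []
    sha = ev.get("sha256", "").lower()
    if sha in PIKABOT_SHA256:
        hits.append(("pikabot_hash", sha))
    dst = ev.get("dst_ip")
    if dst in PIKABOT_IPV4:
        hits.append(("pikabot_c2_ip", dst))
    # Behavioural rule: the injection target opening an outbound connection
    # to a public address, regardless of whether the IP is on the IoC list.
    proc = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    if (ev.get("event") == "net_connect" and proc == INJECTION_TARGET
            and dst and not is_private(dst)):
        hits.append(("searchprotocolhost_outbound",
                     f"{proc} -> {dst}:{ev.get('dst_port')}"))
    return hits


def scan(lines):
    """Scan log lines; return a list of (line_index, rule, detail) tuples."""
    findings = []
    for i, line in enumerate(lines):
        for rule, detail in match_event(parse_line(line)):
            findings.append((i, rule, detail))
    return findings


if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_LOGS):
        print(f"line {idx}: {rule}: {detail}")
```

Against the constructed lines this reports the AnyDesk.zip hash on the first line and, on the second, both the listed C2 address and the behavioural rule; the Firefox connection and the indexer talking to an internal share trigger nothing. Hash and IP indicators go stale quickly as the actor rotates infrastructure, so the behavioural rule is the part worth keeping once the atomic IoCs expire; the private-range exclusion is a tuning choice, not a guarantee.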
REFERENCES
- https://www.bankinfosecurity.com/pikabot-targets-enterprises-via-malicious-search-ads-a-23921
- https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads
- https://otx.alienvault.com/pulse/65819f633436715278bf719e
TAGS
PikaBot, Search Ads