Introduction:
The threat landscape is ever-changing, and organizations’ cybersecurity posture becomes more vulnerable with the arrival of PikaBot malware. The report gives a glimpse of PikaBot including its distribution techniques, threat actors involved, and its most recent attack vector.
Malware overview:
PikaBot is a highly sophisticated loader that emerged in early 2023. As a backdoor and distributor of other payloads, it works both as a loader and as a core module. It is used by well-known cyber actor TA577 who typically deploys various malwares like QakBot, IcedID, Cobalt Strike etc., which pose great danger to companies due to allowing unlawful remote access to compromised hosts.
Upgrade and new threat vector:
The most recent threat vector pertains to malvertising campaign aimed at users looking for genuine software like AnyDesk. Instead of the typical malspam, this malware now disappears from malicious Google ads landing on fake webpages with an explicit MSI installer being hosted on Dropbox. The above approach shows that firms must change their security systems to recognize and deal with malvertising-related threats.
Indicators of Compromise (IOCs):
| Type | Value | Count |
| File hashes | SHA1: | db9007656a5bedd0f734f4a797eaebdcff726874 |
| SHA256 (1): | 5a5154c5843a18d3912063b827ef541a709aec4132b847d75d7e634683acff8d | |
| SHA256 (2): | b6269018ac32484bdc093a6bec324fc9aa7990104a297f55600d31bff95ed6fd | |
| IP addresses | 102.129.139.65 | |
| 144.64.204.81 | ||
| 167.86.96.3 | ||
| 38.242.240.28 | ||
| 45.131.108.250 | ||
| 79.141.175.96 | ||
| URLs | https://102.129.139.65 | |
| https://144.64.204.81 | ||
| https://167.86.96.3 | ||
| https://38.242.240.28 | ||
| https://45.131.108.250 | ||
| https://79.141.175.96 | ||
| https://aipccoaching.com/nide/ | ||
| Domains | 2fgithub.com (Count: 152) | 152 |
| aipccoaching.com (Count: 2) | 2 |
Preventive measures:
- User education: The users have to be informed how risky is to click suspicious ads and download software from suspicious sites.
- Network security: Apply strong network security mechanisms like the intrusion detection system (IDS) and prevention system (IPS) that can detect and check against cyber-attacks.
- Endpoint protection: Update endpoint protection solutions to recognize and block PikaBot as well as similar threats.
- Regular updates: Patch all software programs, including security systems in order to close existing loopholes which can be utilized by attackers.
- Threat intelligence integration: Create a threat intelligence feed that will allow the company to keep up with emerging threats thus modifying their strategies correspondingly.
Conclusion:
They employ different strategies; thus, organizations need to be aware of newer methods in cyber security that are coming up. By refining SIEM rules, educating users and taking preventive measures, there is a chance to decrease the risks associated with advanced threats like PikaBot. Continuous monitoring and responding to new risks will help maintain a strong cybersecurity posture.
Reference:
https://otx.alienvault.com/pulse/651db0893476731ba8cbf8ce
https://thehackernews.com/2023/12/new-malvertising-campaign-distributing.html
