Two sentences: PikaBot is being spread through a malvertising campaign in which a malicious Google ad for legitimate software (AnyDesk) sends users to a look-alike site that points to a malicious MSI installer hosted on Dropbox. TA577 is a key actor distributing PikaBot, which acts as a loader and backdoor for follow-on payloads such as Cobalt Strike, and the delivery chain fingerprints each visitor so that only requests not coming from a virtual machine are redirected to the payload. Hashtags: #PikaBot #TA577 #AnyDesk #CobaltStrike #DarkGate #HiroshimaNukes
Keypoints
- PikaBot is distributed via malvertising campaigns that abuse sponsored search results for legitimate software such as AnyDesk.
- TA577 is a prolific threat actor linked to delivering multiple payloads and tools, including QakBot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.
- The infection chain uses a malicious Google ad leading to a fake site and a malicious MSI installer hosted on Dropbox.
- The redirect endpoint fingerprints each request and forwards the visitor to the payload only if the request does not appear to originate from a virtual machine; analysis sandboxes are served nothing.
- PikaBot functions as both a loader and a backdoor, executing commands received from a C2 server (for example to deliver arbitrary shellcode, DLLs, executables, or tools such as Cobalt Strike).
- The report also describes a Chrome extension framework called ParaSiteSnatcher, which is used to monitor, manipulate, and exfiltrate sensitive information from multiple sources; this is browser-side tooling distinct from the PikaBot delivery chain.
MITRE Techniques
- [T1189] Drive-by Compromise – Malvertising redirects victims from a search results page to a fake site that points to a malicious MSI installer. The chain still depends on the victim running the downloaded MSI, so the execution step also maps to [T1204.002] User Execution: Malicious File. “The latest initial infection vector is a malicious Google ad for AnyDesk that, when clicked by a victim from the search results page, redirects to a fake website named anadesky.ovmv[.]net that points to a malicious MSI installer hosted on Dropbox.”
- [T1497] Virtualization/Sandbox Evasion – The campaign fingerprints the environment and proceeds only if not originating from a virtual machine. “fingerprinting the request, and only if it’s not originating from a virtual machine.”
- [T1105] Ingress Tool Transfer – The initial payload (the malicious MSI installer) is staged on Dropbox, a legitimate file-sharing service, and PikaBot later retrieves additional tooling such as Cobalt Strike from its C2. “malicious MSI installer hosted on Dropbox.”
- [T1056] Input Capture – The ParaSiteSnatcher Chrome extension (not PikaBot itself) monitors browser tabs and intercepts user input and web browser communication. “monitor Chrome tabs, and intercept user input and web browser communication.”
- [T1567] Exfiltration to Web Services – The ParaSiteSnatcher extension is designed to exfiltrate highly sensitive information gathered from browser activity. The quoted text does not name the exfiltration destination, so this mapping is tentative; [T1041] Exfiltration Over C2 Channel may fit equally well. “monitor, manipulate, and exfiltrate highly sensitive information from multiple sources.”
- [T1071.001] Web Protocols – PikaBot C2 communications, observed to a C2 address on TCP/443, are used to issue commands and deliver payloads (e.g., Cobalt Strike) from a remote server. “transmit commands from a command-and-control (C2) server, ranging from arbitrary shellcode, DLLs, or executable files, to other malicious tools such as Cobalt Strike.”
Indicators of Compromise
- [IP] 207.246.99[.]159 – C2 destination, observed on TCP/443, associated with the PikaBot/Cobalt Strike activity
- [Domain] masterunis[.]net – C2 domain linked to the PikaBot campaign
- [Domain] anadesky.ovmv[.]net – Look-alike AnyDesk site in the malvertising chain that points to the MSI installer hosted on Dropbox
- [Domain] dropbox.com – Legitimate file-sharing service abused to host the malicious MSI installer; listed for context only, it is not a blockable indicator and should be used to hunt for installer downloads rather than blocked outright
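The following is an added example (not code from the article, Malwarebytes, or any vendor) showing how the indicators above might be operationalized: it refangs the defanged IOCs, splits them into IP and domain sets, and runs them over constructed proxy-style log lines. The log format, IP addresses other than the published C2, and share paths are all assumptions made for the example. Note that dropbox.com is treated as a low-confidence hunting lead for MSI downloads, never as a block.

```python
"""Match constructed proxy log lines against the PikaBot indicators above.
Added example, not from the original article; the log format and all
sample lines are constructed for illustration."""
import ipaddress
import re

# Indicators as published (defanged). dropbox.com is deliberately left out:
# it is legitimate hosting abused by the campaign, not an indicator.
DEFANGED_BLOCKLIST = [
    "207.246.99[.]159",
    "masterunis[.]net",
    "anadesky.ovmv[.]net",
]
C2_PORT = 443  # port observed on the published C2 address


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable value.
    Handles [.] / (.) / {.} dots and hxxp(s):// scheme mangling."""
    s = indicator.strip().lower()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s


# Split refanged indicators into IPs and domains so each is matched correctly.
IOC_IPS: set[str] = set()
IOC_DOMAINS: set[str] = set()
for _ioc in (refang(i) for i in DEFANGED_BLOCKLIST):
    try:
        IOC_IPS.add(str(ipaddress.ip_address(_ioc)))
    except ValueError:
        IOC_DOMAINS.add(_ioc)

# Constructed sample log (assumed format):
# "<ts> <src_ip> <dst_ip> <dst_port> <host> <url_path>"
SAMPLE_LOG = """\
2023-12-15T10:01:02Z 10.0.0.5 142.250.72.14 443 www.google.com /search?q=anydesk
2023-12-15T10:01:09Z 10.0.0.5 45.33.10.9 443 anadesky.ovmv.net /download
2023-12-15T10:01:11Z 10.0.0.5 162.125.65.18 443 dropbox.com /s/abc123/AnyDesk.msi
2023-12-15T10:02:30Z 10.0.0.5 207.246.99.159 443 - /
2023-12-15T10:03:00Z 10.0.0.7 93.184.216.34 443 example.com /index.html
2023-12-15T10:04:00Z 10.0.0.7 162.125.65.18 443 dropbox.com /s/def456/report.pdf
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<host>\S+) (?P<path>\S*)$"
)


def domain_matches(host: str, indicator: str) -> bool:
    """Exact match or a subdomain of the indicator (e.g. cdn.masterunis.net)."""
    return host == indicator or host.endswith("." + indicator)


def classify(line: str):
    """Return (severity, reason) for one log line, or None if nothing matched."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, dst, port, path = m["host"].lower(), m["dst"], int(m["port"]), m["path"].lower()
    if dst in IOC_IPS:
        # Any contact with the C2 address is bad; the published port adds confidence.
        sev = "high" if port == C2_PORT else "medium"
        return (sev, f"connection to known C2 address {dst}:{port}")
    for d in IOC_DOMAINS:
        if domain_matches(host, d):
            return ("high", f"request to malicious domain {host}")
    # Low-fidelity hunt: the campaign staged its MSI on Dropbox, but the
    # service is legitimate, so an installer download is a lead, not a block.
    if domain_matches(host, "dropbox.com") and path.endswith(".msi"):
        return ("low", f"MSI download from Dropbox share {path}")
    return None


def scan(log_text: str):
    """Return [(ts, src_ip, severity, reason), ...] for every matching line."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            fields = line.split()
            hits.append((fields[0], fields[1], *result))
    return hits


if __name__ == "__main__":
    for ts, src, sev, reason in scan(SAMPLE_LOG):
        print(f"{ts} {src} [{sev}] {reason}")
```

Run as-is it flags three of the six constructed lines: the look-alike AnyDesk domain, the MSI pulled from a Dropbox share, and the TCP/443 connection to the published C2 address; the PDF from Dropbox and the Google search are left alone. Feed `scan()` real proxy or DNS logs converted to the same six-field shape to reuse the logic.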
Read more: https://thehackernews.com/2023/12/new-malvertising-campaign-distributing.html