New Malvertising Campaign for the Holidays

The malware loader PikaBot is being distributed as part of a malvertising campaign targeting users searching for legitimate software such as AnyDesk.  PikaBot was previously distributed only via malspam campaigns, much like QakBot, and emerged as one of the preferred payloads of a threat actor known as TA577.  The malware family, which first appeared in early 2023, consists of a loader and a core module that allow it to operate as a backdoor and as a distributor for other payloads.

See:  https://redskyalliance.org/xindustry/qaknote

This enables the threat actors to gain unauthorized remote access to compromised systems and transmit commands from a command-and-control (C2) server, ranging from arbitrary shellcode, DLLs, or executable files to other malicious tools such as Cobalt Strike.  One of the threat actors leveraging PikaBot in its attacks is TA577, a prolific cybercrime threat actor that has, in the past, delivered QakBot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.[1]

During November 2023, it emerged that PikaBot and DarkGate were being propagated via malspam campaigns mirroring those of QakBot.  According to researchers, a PikaBot infection led to Cobalt Strike on 207.246.99[.]159:443 using masterunis[.]net as its domain.  The latest initial infection vector is a malicious Google ad for AnyDesk that, when clicked by a victim from the search results page, redirects to a fake website named anadesky.ovmv[.]net, which in turn points to a malicious MSI installer hosted on Dropbox.

The redirection to the bogus website only occurs after the request has been fingerprinted, and only if it does not originate from a virtual machine.  The threat actors bypass Google's security checks by using a tracking URL on a legitimate marketing platform to redirect to their custom domain behind Cloudflare.  At this point, only clean IP addresses are forwarded to the next step.  A second round of fingerprinting takes place when the victim clicks the download button on the website, likely to ensure that the payload is not served to a virtualized environment.  The attacks are reminiscent of previously identified malvertising chains used to disseminate another loader, FakeBat (aka EugenLoader).

This is particularly interesting because it points towards a common process shared by different threat actors.  It could be something akin to Malvertising-as-a-Service, in which Google ads and decoy pages are provided to malware distributors.  This disclosure comes as investigators reported a spike in malicious ads in Google searches for popular software like Zoom, Advanced IP Scanner, and WinSCP, used to deliver FakeBat and a previously unseen loader called HiroshimaNukes.  The latter uses several techniques to bypass detection, from DLL side-loading to very large payloads.  The goal is to drop additional malware, typically a stealer, followed by data exfiltration.

The rise in malvertising indicates how browser-based attacks act as channels for infiltrating target networks. This also includes a new Google Chrome extension framework codenamed ParaSiteSnatcher, which allows threat actors to "monitor, manipulate, and exfiltrate highly sensitive information from multiple sources."

Specifically designed to compromise users in Latin America, the rogue extension is noteworthy for its use of the Chrome browser API to intercept and exfiltrate all POST requests containing sensitive account and financial information.  It is downloaded through a VBScript downloader hosted on Dropbox and Google Cloud and installed onto the infected system.  Once installed, the extension relies on the extensive permissions declared in its manifest to manipulate web sessions and web requests and to track user interactions across multiple tabs using the Chrome tabs API.  The malware includes several components that facilitate its operation: content scripts that inject malicious code into web pages, monitor Chrome tabs, and intercept user input and browser communication.
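As an added example (not code from the article, and not derived from the extension it describes), the following Python check audits an extension's manifest.json for the permission profile described above: request interception combined with all-host access, tab tracking, and content scripts injected into every page. The manifest keys are the standard Chrome ones; the sample manifest is constructed for illustration.

```python
import json

# Permissions that, combined, give an extension the reach described above:
# request interception, tab tracking, cookie access, and script injection.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "tabs", "scripting", "cookies"}
# Host patterns that cover every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest_text: str) -> list[str]:
    """Return findings for a Chrome extension manifest.json (Manifest V2 or V3)."""
    m = json.loads(manifest_text)
    findings = []
    perms = set(m.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = set(m.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append("sensitive API permissions: " + ", ".join(risky))
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        findings.append("broad host access: " + ", ".join(broad))
    if "webRequest" in perms and broad:
        # webRequest plus all-host access lets the extension observe request
        # bodies (POST data) on every site, the pattern used for exfiltration.
        findings.append("can intercept requests, including POST bodies, on every site")
    for cs in m.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append("content script injected into all pages: " + ", ".join(cs.get("js", [])))
    return findings


# Constructed sample manifest (not taken from any real extension) showing the
# permission profile that should be flagged.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Helper",
    "version": "1.0",
    "permissions": ["webRequest", "tabs", "cookies", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("FLAG:", finding)
```

Run it against each extension directory under the browser profile's Extensions folder to surface installs that match this profile for closer review.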


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com   

Reporting: https://www.redskyalliance.org/

Website: https://www.redskyalliance.com/

LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632


[1] https://thehackernews.com/2023/12/new-malvertising-campaign-distributing.html
