Disguised as AnyDesk: Scammers use Google Ads to distribute the PikaBot downloader

Brother

A newly discovered malvertising campaign exploits victims' inattention to break into their systems.

According to a new report from Malwarebytes, the PikaBot malware downloader is being distributed through a malicious Google Ads campaign that targets users searching the web for the AnyDesk remote-access tool. Until now, PikaBot had been spread through email phishing.

PikaBot, first observed in early 2023, consists of a loader and a core module, which together let it act as a backdoor and stage other malware. Its operators gain unauthorized remote access to compromised systems and can push a range of payloads from the C2 server: arbitrary shellcode, DLLs, executables, and further malicious tooling, including Cobalt Strike.

In the new attack chain, the attackers run a fraudulent Google ad for AnyDesk that redirects victims to the lookalike site anadesky.ovmv[.]net. This site serves a malicious MSI installer hosted on Dropbox. Notably, the redirect only happens after the request has been fingerprinted, and only if it does not appear to originate from a virtual machine.

(Figure: campaign site redirects)

Malwarebytes notes that the attackers evade Google's ad checks by routing clicks through tracking URLs on legitimate marketing platforms before redirecting to their own domains, which sit behind Cloudflare. Only requests arriving from IP addresses the attackers consider "clean" are passed on to the next stage.

A second fingerprinting check runs when the visitor clicks the download button on the fake site, apparently to make sure the payload is never served to a virtualized (sandbox) environment. The chain resembles previously identified malvertising chains used to distribute the FakeBat (EugenLoader) downloader.
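As an added example (not code from the Malwarebytes report or from this post), the following Python detector applies the chain described above to web-proxy logs: it flags a client that lands on a lookalike of a brand domain (here, a hostname label within edit distance 2 of "anydesk" on a registrable domain that is not anydesk.com) and, within a few minutes, fetches an MSI or EXE from a file-hosting domain, and it reconstructs the ad-to-tracker-to-landing-page hops from Referer values. The log format, the sample lines, the tracker domain track.example-marketing.net and the client IPs are constructed for illustration; the lookalike domain is the one named in the report, and the two-label "registrable domain" shortcut is an assumption a real deployment would replace with the Public Suffix List.

```python
"""Hunt for a search-ad -> tracker -> lookalike site -> file-host installer chain in
web-proxy logs. Added example with constructed data; not from the Malwarebytes report."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Brand token -> the brand's legitimate registrable domain (assumption: one brand, for brevity).
BRANDS = {"anydesk": "anydesk.com"}
# File-hosting domains seen serving the installer in this campaign (Dropbox, per the report).
FILE_HOSTS = {"dropbox.com", "dropboxusercontent.com"}
INSTALLER_RE = re.compile(r"\.(msi|exe)$", re.IGNORECASE)
# Constructed log format: <ISO timestamp> <client IP> <method> <URL> <referer or '-'>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Constructed sample lines: one victim session (10.0.0.5) and one benign session (10.0.0.9).
SAMPLE_LOGS = """\
2024-01-10T10:00:01Z 10.0.0.5 GET https://www.google.com/search?q=anydesk -
2024-01-10T10:00:04Z 10.0.0.5 GET https://www.googleadservices.com/pagead/aclk?sa=L -
2024-01-10T10:00:05Z 10.0.0.5 GET https://track.example-marketing.net/c/xyz https://www.google.com/
2024-01-10T10:00:06Z 10.0.0.5 GET https://anadesky.ovmv.net/ https://track.example-marketing.net/c/xyz
2024-01-10T10:00:20Z 10.0.0.5 GET https://www.dropbox.com/scl/fi/abc/AnyDesk.msi?dl=1 https://anadesky.ovmv.net/
2024-01-10T11:00:01Z 10.0.0.9 GET https://www.google.com/search?q=anydesk -
2024-01-10T11:00:03Z 10.0.0.9 GET https://anydesk.com/en/downloads https://www.google.com/
2024-01-10T11:00:10Z 10.0.0.9 GET https://download.anydesk.com/AnyDesk.exe https://anydesk.com/en/downloads
"""


def levenshtein(a, b):
    """Classic edit distance; small inputs, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    # Simplification (assumption): last two labels. Use the Public Suffix List in production.
    return ".".join(host.lower().split(".")[-2:])


def brand_lookalike(host):
    """Return the impersonated brand if some hostname label is within edit distance 2 of a
    brand token while the registrable domain is not the brand's own; else None."""
    reg = registrable_domain(host)
    for label in host.lower().split("."):
        for brand, legit in BRANDS.items():
            if reg != legit and levenshtein(label, brand) <= 2:
                return brand
    return None


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, referer = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "url": url, "host": urlparse(url).hostname or "",
            "referer": None if referer == "-" else referer}


def referer_chain(events, hit, max_hops=5):
    """Walk Referer values backwards from the lookalike landing to recover the hop chain
    (search/ad page -> tracking platform -> lookalike site)."""
    by_url = {e["url"]: e for e in events}
    chain, cur = [hit["host"]], hit
    for _ in range(max_hops):
        ref = cur["referer"]
        if not ref:
            break
        chain.insert(0, urlparse(ref).hostname or ref)
        cur = by_url.get(ref)
        if cur is None:          # referring page was not itself logged; stop here
            break
    return chain


def find_malvertising_chains(log_text, window=timedelta(minutes=10)):
    """Alert when a client lands on a brand lookalike and pulls an installer from a
    file-hosting domain within `window`. Returns a list of alert dicts."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            per_client[ev["client"]].append(ev)
    alerts = []
    for client, events in per_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            brand = brand_lookalike(ev["host"])
            if not brand:
                continue
            for later in events[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break
                if (registrable_domain(later["host"]) in FILE_HOSTS
                        and INSTALLER_RE.search(urlparse(later["url"]).path)):
                    alerts.append({
                        "client": client,
                        "brand": brand,
                        "lookalike_host": ev["host"],
                        "chain": referer_chain(events, ev),
                        "installer_url": later["url"],
                        "seconds_to_download": int((later["ts"] - ev["ts"]).total_seconds()),
                    })
                    break
    return alerts


if __name__ == "__main__":
    for a in find_malvertising_chains(SAMPLE_LOGS):
        print(f"{a['client']}: {' -> '.join(a['chain'])} -> {a['installer_url']} "
              f"({a['seconds_to_download']}s after landing, impersonating {a['brand']})")
```

On the constructed sample the benign session (anydesk.com and download.anydesk.com) produces no alert, while the victim session is reported as www.google.com -> track.example-marketing.net -> anadesky.ovmv.net followed by the Dropbox MSI 14 seconds later. The edit-distance threshold is the knob to tune: 2 catches "anadesky" but will also match short labels of unrelated words, so in practice pair it with a minimum label length or an allowlist of known vendor domains.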

The campaign is notable because it points to a shared process reused by different threat actors, possibly a "malvertising-as-a-service" offering in which Google ads and fake landing pages are supplied to malware distributors.

The exposure of this PikaBot distribution scheme, alongside other malware pushed through malicious Google ads, underscores the need for vigilance. Because attackers use such techniques to bypass ad-platform checks and hide their infrastructure, users should be careful when searching for and downloading software: treat sponsored results and unfamiliar websites with suspicion, check the domain before downloading, and obtain applications only from the vendor's official site.