
Cyber Warfare Chronicles: PikaBot’s Malvertising Surge Meets Muddy Waters Stealth Tactics 


PikaBot malware has emerged as a formidable player, stealthily making its presence felt through a malvertising campaign. 

This insidious loader, initially associated with malspam campaigns resembling QakBot, has now taken center stage in a malvertising endeavor targeting unsuspecting users seeking legitimate software like AnyDesk.

Loader and Core Module

This malware, first observed in early 2023, follows a two-pronged attack strategy. Comprising a loader and a core module, PikaBot operates not only as a backdoor but also as a distributor for other malicious payloads.

This dual functionality enables threat actors to infiltrate systems, gaining unauthorized remote access while serving as a conduit for various malicious tools, including the notorious Cobalt Strike.

TA577: Prolific Threat Actor Embraces PikaBot

TA577, a cybercrime threat actor with a prolific track record, is at the heart of these operations. Known for delivering a sinister array of threats, including QakBot, IcedID, and Cobalt Strike, TA577 has now added PikaBot to its arsenal. 

This threat actor’s utilization of PikaBot in recent attacks signifies a dangerous escalation in the sophistication of malvertising tactics.

Infiltration Tactics

The latest infection vector is a malicious Google ad masquerading as AnyDesk. Upon clicking it, the unsuspecting user is redirected to a deceptive website, anadesky.ovmv[.]net, which in turn points to a malicious MSI installer hosted on Dropbox.

Malvertising-as-a-Service: A Disturbing Trend

The modus operandi behind these attacks raises eyebrows, hinting at a potentially disturbing trend in the cyber underworld. 

Could this be a ‘malvertising-as-a-service,’ where threat actors leverage Google ads and decoy pages to facilitate malware distribution seamlessly?

MuddyWater Stealth Tactics

MuddyWater has once again arrived with the deployment of a newly uncovered command-and-control (C2) framework named MuddyC2Go. 

This sophisticated tool has been wielded in targeted attacks on the telecommunications sector, with Egypt, Sudan, and Tanzania falling victim to its insidious reach.

MuddyWater Cyber Espionage

Also tracked as Seedworm, this cyber-espionage group has been a persistent player in the field since at least 2017. Known by various other monikers such as Boggy Serpens, Cobalt Ulster, and ITG17, Seedworm’s affiliation with Iran’s Ministry of Intelligence and Security (MOIS) is a cause for concern.

The recent revelation by the Symantec Threat Hunter Team sheds light on MuddyC2Go as the latest addition to Seedworm’s formidable toolkit.

The modus operandi involves a Golang-based executable that carries an embedded PowerShell script, which connects automatically to Seedworm’s C2 server. This grants the threat actors remote access to the victim system without any need for manual execution on the host.

Symantec’s Insight

Symantec’s documentation of these intrusions sheds light on the targeted assault on a telecommunications organization. 

The deployment of the MuddyC2Go launcher facilitated contact with an actor-controlled server, complemented by the use of legitimate remote access tools like AnyDesk and SimpleHelp. 

A prior compromise in 2023 revealed the adversary’s adept use of SimpleHelp to launch PowerShell, deliver proxy software, and install the JumpCloud remote access tool.

Living Off the Land!

In its pursuit of strategic objectives, Seedworm employs bespoke tools, living-off-the-land techniques, and publicly available resources. This eclectic toolbox is carefully curated to evade detection, emphasizing the group’s commitment to remaining under the radar. 

The task, then, is to detect and prevent these intrusions. Once again, staying secure is our own responsibility, for our well-being and for society as a whole.

author

Marrium Akhtar

date

December 20, 2023


Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
