Distributing – INDIA NEWS (http://www.indiavpn.org)

Water Curupira Hackers Actively Distributing PikaBot Loader Malware
http://www.indiavpn.org/2024/01/09/water-curupira-hackers-actively-distributing-pikabot-loader-malware/
Tue, 09 Jan 2024 16:36:12 +0000

Jan 09, 2024 | Newsroom | Malware / Cyber Threat

A threat actor called Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023.

“PikaBot’s operators ran phishing campaigns, targeting victims via its two components — a loader and a core module — which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C&C) server,” Trend Micro said in a report published today.

The activity began in the first quarter of 2023 and lasted until the end of June, before ramping up again in September. It also overlaps with prior campaigns that used similar tactics to deliver QakBot, specifically those orchestrated by the cybercrime groups tracked as TA571 and TA577.

It’s believed that the increase in the number of phishing campaigns related to PikaBot is the result of QakBot’s takedown in August, with DarkGate emerging as another replacement.

PikaBot is primarily a loader, which means it’s designed to launch another payload, including Cobalt Strike, a legitimate post-exploitation toolkit that typically acts as a precursor for ransomware deployment.

The attack chains leverage a technique called email thread hijacking, employing existing email threads to trick recipients into opening malicious links or attachments, effectively activating the malware execution sequence.

The ZIP archive attachments, which either contain JavaScript or IMG files, are used as a launchpad for PikaBot. The malware, for its part, checks the system’s language and halts execution should it be either Russian or Ukrainian.

In the next step, it collects details about the victim’s system and forwards them to a C&C server in JSON format. Water Curupira’s campaigns are aimed at dropping Cobalt Strike, which subsequently leads to the deployment of Black Basta ransomware.

“The threat actor also conducted several DarkGate spam campaigns and a small number of IcedID campaigns during the early weeks of the third quarter of 2023, but has since pivoted exclusively to PikaBot,” Trend Micro said.

Syrian Hackers Distributing Stealthy C#-Based Silver RAT to Cybercriminals
http://www.indiavpn.org/2024/01/08/syrian-hackers-distributing-stealthy-c-based-silver-rat-to-cybercriminals/
Mon, 08 Jan 2024 14:32:58 +0000

Jan 08, 2024 | Newsroom | Malware / Cybercrime

Threat actors operating under the name Anonymous Arabic have released a remote access trojan (RAT) called Silver RAT that’s equipped to bypass security software and stealthily launch hidden applications.

“The developers operate on multiple hacker forums and social media platforms, showcasing an active and sophisticated presence,” cybersecurity firm Cyfirma said in a report published last week.

The actors, assessed to be of Syrian origin and linked to the development of another RAT known as S500 RAT, also run a Telegram channel offering various services such as the distribution of cracked RATs, leaked databases, carding activities, and the sale of Facebook and X (formerly Twitter) bots.

The social media bots are then used by other cybercriminals to promote various illicit services by automatically engaging with and commenting on user content.

In-the-wild detections of Silver RAT v1.0 were first observed in November 2023, although the threat actor’s plans to release the trojan were first made official a year before. It was cracked and leaked on Telegram around October 2023.

The C#-based malware boasts a wide range of features: connecting to a command-and-control (C2) server, logging keystrokes, destroying system restore points, and even encrypting data as ransomware. There are also indications that an Android version is in the works.

“While generating a payload using Silver RAT’s builder, threat actors can select various options with a payload size up to a maximum of 50kb,” the company noted. “Once connected, the victim appears on the attacker-controlled Silver RAT panel, which displays the logs from the victim based on the functionalities chosen.”

An interesting evasion feature built into Silver RAT is its ability to delay the execution of the payload by a specific time as well as covertly launch apps and take control of the compromised host.

Further analysis of the malware author’s online footprint shows that one of the members of the group is likely in their mid-20s and based in Damascus.

“The developer […] appears supportive of Palestine based on their Telegram posts, and members associated with this group are active across various arenas, including social media, development platforms, underground forums, and Clearnet websites, suggesting their involvement in distributing various malware,” Cyfirma said.

CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK
http://www.indiavpn.org/2023/12/29/cert-ua-uncovers-new-malware-wave-distributing-oceanmap-masepie-steelhook/
Fri, 29 Dec 2023 12:25:00 +0000

Dec 29, 2023 | Newsroom | Email Security / Malware

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information.

The activity, which was detected by the agency between December 15 and 25, 2023, targets government entities with email messages urging recipients to click on a link to view a document.

Instead, the links redirect to malicious web resources that abuse JavaScript and the “search-ms:” URI protocol handler to drop a Windows shortcut file (LNK) that launches PowerShell commands, activating the infection chain for a new malware known as MASEPIE.

MASEPIE is a Python-based tool to download/upload files and execute commands, with communications with the command-and-control (C2) server taking place over an encrypted channel using the TCP protocol.

The attacks further pave the way for the deployment of additional malware, including a PowerShell script called STEELHOOK that’s capable of harvesting web browser data and exporting it to an actor-controlled server in Base64-encoded format.

Also delivered is a C#-based backdoor dubbed OCEANMAP that’s designed to execute commands using cmd.exe.

“The IMAP protocol is used as a control channel,” CERT-UA said, adding persistence is achieved by creating a URL file named “VMSearch.url” in the Windows Startup folder.

“Commands, in Base64-encoded form, are contained in the ‘Drafts’ of the corresponding email directories; each of the drafts contains the name of the computer, the name of the user and the version of the OS. The results of the commands are stored in the inbox directory.”

The agency further pointed out that reconnaissance and lateral movement activities are carried out within an hour of the initial compromise by taking advantage of tools like Impacket and SMBExec.

The disclosure comes weeks after IBM X-Force revealed APT28’s use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace.

In recent weeks, the prolific Kremlin-backed hacking group has also been attributed with the exploitation of a now-patched critical security flaw in Microsoft’s Outlook email service (CVE-2023-23397, CVSS score: 9.8) to gain unauthorized access to victims’ accounts on Exchange servers.

New Malvertising Campaign Distributing PikaBot Disguised as Popular Software
http://www.indiavpn.org/2023/12/24/new-malvertising-campaign-distributing-pikabot-disguised-as-popular-software/
Sun, 24 Dec 2023 22:28:42 +0000

Dec 19, 2023 | Newsroom | Malvertising / Browser Security

The malware loader known as PikaBot is being distributed as part of a malvertising campaign targeting users searching for legitimate software like AnyDesk.

“PikaBot was previously only distributed via malspam campaigns similarly to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577,” Malwarebytes’ Jérôme Segura said.

The malware family, which first appeared in early 2023, consists of a loader and a core module that allows it to operate as a backdoor as well as a distributor for other payloads.

This enables the threat actors to gain unauthorized remote access to compromised systems and transmit commands from a command-and-control (C2) server, ranging from arbitrary shellcode, DLLs, or executable files, to other malicious tools such as Cobalt Strike.

One of the threat actors leveraging PikaBot in its attacks is TA577, a prolific cybercrime threat actor that has, in the past, delivered QakBot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.

Last month, it emerged that PikaBot, along with DarkGate, is being propagated via malspam campaigns that mirror those of QakBot. “Pikabot infection led to Cobalt Strike on 207.246.99[.]159:443 using masterunis[.]net as its domain,” Palo Alto Networks Unit 42 disclosed recently.

The latest initial infection vector is a malicious Google ad for AnyDesk that, when clicked by a victim from the search results page, redirects to a fake website named anadesky.ovmv[.]net that points to a malicious MSI installer hosted on Dropbox.

It’s worth pointing out that the redirection to the bogus website only occurs after fingerprinting the request, and only if it’s not originating from a virtual machine.

“The threat actors are bypassing Google’s security checks with a tracking URL via a legitimate marketing platform to redirect to their custom domain behind Cloudflare,” Segura explained. “At this point, only clean IP addresses are forwarded to the next step.”

Interestingly, a second round of fingerprinting takes place when the victim clicks on the download button on the website, likely in an added attempt to ensure that it’s not accessible in a virtualized environment.

Malwarebytes said the attacks are reminiscent of previously identified malvertising chains employed to disseminate another loader malware known as FakeBat (aka EugenLoader).

“This is particularly interesting because it points towards a common process used by different threat actors,” Segura said. “Perhaps, this is something akin to ‘malvertising-as-a-service’ where Google ads and decoy pages are provided to malware distributors.”

The disclosure comes as the cybersecurity company said it detected a spike in malicious ads in Google searches for popular software like Zoom, Advanced IP Scanner, and WinSCP, used to deliver a previously unseen loader called HiroshimaNukes as well as FakeBat.

“[HiroshimaNukes] uses several techniques to bypass detection from DLL side-loading to very large payloads,” Segura said. “Its goal is to drop additional malware, typically a stealer followed by data exfiltration.”

The rise in malvertising is indicative of how browser-based attacks act as channels for infiltrating target networks. This also includes a new Google Chrome extension framework codenamed ParaSiteSnatcher, which allows threat actors to “monitor, manipulate, and exfiltrate highly sensitive information from multiple sources.”

Specifically designed to compromise users in Latin America, the rogue extension is noteworthy for its use of the Chrome Browser API to intercept and exfiltrate all POST requests containing sensitive account and financial information. It’s downloaded through a VBScript downloader hosted on Dropbox and Google Cloud and installed onto an infected system.

“Once installed, the extension manifests with the help of extensive permissions enabled through the Chrome extension, allowing it to manipulate web sessions, web requests, and track user interactions across multiple tabs using the Chrome tabs API,” Trend Micro said last month.

“The malware includes various components that facilitate its operation, content scripts that enable malicious code injection into web pages, monitor Chrome tabs, and intercept user input and web browser communication.”
