Pikabot Malware Resurgence in February 2024

Overview

Pikabot, a sophisticated loader malware, has resurfaced with significant activity detected in February 2024. It first gained attention in early 2023 and has shown a pattern of evolution and adaptation, leveraging various distribution methods to infiltrate systems. Pikabot's capabilities include unauthorized remote access and execution of arbitrary commands via its command-and-control (C&C) server.

Indicators of Compromise (IoCs)

The ThreatFox database has documented 1,054 IoCs associated with Pikabot up to February 14, 2024. These IoCs provide crucial insights into the malware's distribution and infection mechanisms​​. https://threatfox.abuse.ch/browse/malware/win.pikabot/

The most active IoCs in 2024 are:

Domains:

• brookselectrics[.]com
• gardenplaid[.]com
• gibbselectrics[.]com
• gloverstech[.]com
• investechnical[.]com
• keywordslive[.]com

IP Addresses:

• 103[.]82[.]243[.]5
• 104[.]129[.]55[.]103
• 104[.]129[.]55[.]104
• 104[.]129[.]55[.]105
• 104[.]129[.]55[.]106
• 104[.]156[.]233[.]235
• 108[.]61[.]78[.]17
• 109[.]123[.]227[.]104
• 131[.]153[.]231[.]178
• 139[.]84[.]237[.]229
• 154[.]201[.]81[.]8
• 155[.]138[.]147[.]62
• 158[.]220[.]80[.]157
• 158[.]220[.]80[.]167
• 172[.]232[.]162[.]97
• 172[.]232[.]189[.]10
• 172[.]232[.]189[.]219
• 178[.]18[.]246[.]136
• 192[.]248[.]174[.]52
• 198[.]44[.]187[.]12
• 23[.]226[.]138[.]143
• 23[.]226[.]138[.]161
• 37[.]60[.]242[.]85
• 37[.]60[.]242[.]86
• 43[.]229[.]78[.]74
• 45[.]32[.]21[.]184
• 45[.]32[.]248[.]100
• 45[.]76[.]251[.]190
• 65[.]20[.]66[.]218
• 78[.]47[.]233[.]121
• 85[.]239[.]243[.]155
• 86[.]38[.]225[.]105
• 86[.]38[.]225[.]106
• 86[.]38[.]225[.]108
• 86[.]38[.]225[.]109
• 95[.]179[.]135[.]3
• 95[.]179[.]191[.]137

URLs:

• hxxps://allstocksinc[.]com/YDr/1337[.]dat
• hxxps://berringtonnews[.]com/0bvKZ/0[.]16410464051883017[.]dat
• hxxps://finderunion[.]com/CVv/0[.]7619553765651503[.]dat
• hxxps://gloverstech[.]com/tJWz9/
• hxxps://muellerinfo[.]com/vnO/1337[.]dat
• hxxps://musicclubcompany[.]com/zmd/0[.]015044926305028627[.]dat
• hxxps://professionalficars[.]com/t6F5Gi/1337[.]dat
• hxxps://toptrinityblog[.]com/VUIhcGp/1337[.]dat
• hxxps://wealthygradi[.]com/tS5/1337[.]dat

Distribution Methods and Infection Vectors:

• Malicious Search Ads and Malspam: Pikabot has been distributed via malicious search ads targeting software like AnyDesk and through malspam campaigns. These campaigns utilize email thread hijacking, where malicious actors insert themselves into existing email threads to distribute Pikabot via attachments or links​​.
• PDF Lures and Windows Installer Files: Pikabot infections have been initiated through PDF documents that trick users into downloading malicious files, as well as through Windows installer files (.msi) that execute the malware payload​​.
• Phishing Emails and .HTA Files: The malware also employs phishing emails with HTML smuggling and .HTA files, delivering the payload in various deceptive formats​​.

Malicious Domains and Payloads:

• Specific IoCs identified include malicious domains such as anadesky[.]ovmv[.]net and cxtensones[.]top, along with Dropbox URLs hosting installer payloads. These domains and URLs play a critical role in the malware's distribution and execution​​.

Mitigation and Protection Strategies

To defend against Pikabot and similar threats, it is recommended to:

• Block known malicious domains and IP addresses associated with Pikabot at the network perimeter.
• Implement strict email filtering rules to detect and quarantine phishing attempts and suspicious attachments.
• Educate users on the risks of opening attachments or clicking on links from unknown or untrusted sources, especially in unsolicited emails.
• Keep all systems and software updated to protect against known vulnerabilities that could be exploited by malware.

Conclusion

Pikabot's resurgence underscores the importance of continuous vigilance and adaptive security measures. By understanding its distribution methods and IoCs, organizations can better protect themselves from this evolving threat. Regularly updating IoC databases and implementing comprehensive security protocols are vital steps in mitigating the impact of such sophisticated malware campaigns.

References

The Hacker News: https://thehackernews.com/2024/02/pikabot-resurfaces-with-streamlined.html

Malwarebytes: https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads

Zscaler: https://www.zscaler.com/blogs/security-research/d-evolution-pikabot