March 11, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Advisory – Multiple Fortinet FortiManager and FortiAnalyzer Vulnerabilities
November 1, 2023Rewterz Threat Update – Hive Ransomware Possibly Rebranded as the New Hunters International Ransomware
November 2, 2023Rewterz Threat Advisory – Multiple Fortinet FortiManager and FortiAnalyzer Vulnerabilities
November 1, 2023Rewterz Threat Update – Hive Ransomware Possibly Rebranded as the New Hunters International Ransomware
November 2, 2023
Severity
Medium
Analysis Summary
PikaBot is a sophisticated and highly evasive malware that targets Windows operating systems. This malware exhibits a range of malicious behaviors, including data exfiltration, remote command execution, and system persistence. It poses a significant threat to both individual users and organizations. PikaBot is classified as a Trojan malware, specifically a Remote Access Trojan (RAT). It enables unauthorized remote access to infected systems, allowing threat actors to gain control over the compromised machine. PikaBot is primarily distributed through phishing emails, malicious attachments, or compromised websites. Once executed, it employs various techniques, such as exploiting software vulnerabilities and social engineering, to infect target systems.
This malware ensures its persistence on infected machines through multiple means. It modifies registry entries, creates autorun entries, and establishes hidden services or scheduled tasks. These techniques enable the malware to maintain its presence across system reboots.
PikaBot establishes communication with its command and control server using various methods, including HTTP, DNS, or even legitimate service protocols. It utilizes encryption and obfuscation techniques to evade detection and hide its malicious activities. It is designed to steal sensitive information from infected systems. It can capture keystrokes, take screenshots, record audio, and collect stored credentials. The stolen data is typically transmitted to the attacker-controlled servers for further exploitation or monetization.
Impact
- Unauthorized Access
- Financial Theft
- Information Theft
Indicators of Compromise
IP
- 15.235.47.80
- 51.195.232.97
MD5
- a69497f59574c97e4d5a6f621ab32d98
- 17ffeb3b190b89aeb084d01e2f4e0695
- b2a7a96f201d5e53f0f2644360da5489
- 8e2e739c4d82679045abc9913b67d306
- ab24d779475992266e657c048294944f
SHA-256
- ed8841b63c1aadb5387eef2b4b22f9386e838324094da66d5141838757cd532d
- 4a5f4738220a209e57735b23b1e7212346710a5301ae7da88cd58417e2bcab0b
- 93907bf6f7e6eb636875cdc82225b3ca0c6abc09ece7d28009c59455c67a4208
- 6a5c52a0506c17e85b2e86dcaecb33f9d4464fb8ff3ea27b4e1801bd7d6eb12b
- a9c49ae83be5c3148dc8532b72cbabe232ff1efe3514f5b674510de2a0537282
SHA-1
- bc2b624b7060d35d7f4602b86073bf9e64f5b544
- 6dc8a2ddeef704f10e0a65daa05fe475047aebee
- bee6e6312a653502f44d1c24f0ef02b7bc7d1117
- 5902e8d5e9c5a31e5198fec86a1070cb413add2b
- 42816a86c1876cf438d41ec0c028c0706edc581b
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
- Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.