PikaBot has reared its ugly head

Feb 14 2024

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that can’t wait until cybercrime is sooooo last season #NewYorkFashionWeek ????????????????????

Today’s hottest cybersecurity news stories:

  • ???? PikaBot has reared its ugly head again with new code, tactics ♟️

  • ???? Glupteba botnet uses mysterious UEFI bootkit to hide in plaintext ????

  • ???? Bumblebee malware is once again a buzzing hive of cyber activity ????

Phew, the coast is clear… PikaBOT!!! ????????????




???? PikaBot Malware: Devolution Detected ????

The PikaBot malware, first spotted in May 2023, has undergone significant changes, described as a “devolution” by Zscaler ThreatLabz researcher Nikolaos Pantazopoulos. ????️

In a recent analysis, researchers found that PikaBot’s latest version (1.18.32) has simplified its code and network communications. This includes dropping advanced obfuscation techniques and opting for simpler encryption algorithms. ????️‍♂️

Notably, PikaBot now stores its entire bot configuration in plaintext, a departure from previous encryption methods. Additionally, modifications to its command-and-control (C2) server communications were observed. ????

Despite recent inactivity, PikaBot remains a potent cyber threat, evolving constantly. However, developers seem to be favouring a less complex approach, removing advanced obfuscation features. ????

This development coincides with warnings about an ongoing cloud account takeover (ATO) campaign targeting Microsoft Azure environments, compromising hundreds of user accounts. ????

As cyber threats evolve, vigilance and proactive security measures are crucial to safeguarding against emerging risks. Stay updated and stay safe! ????️????


Signup for Free


Learn AI in 5 minutes a day. We’ll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.

UEFI Bootkit: These aren’t the bots you’re looking for ????‍????????

???? Glupteba Botnet: Adding UEFI Bootkit for Stealth ????

Recent analysis by Palo Alto Networks Unit 42 researchers uncovered a new twist in the Glupteba botnet saga: the integration of an undocumented Unified Extensible Firmware Interface (UEFI) bootkit feature. ????️

This bootkit grants Glupteba the ability to control the operating system boot process, making detection and removal incredibly challenging. It enhances the malware’s persistence and stealth capabilities, further complicating defence efforts. ????️‍♂️

Glupteba is already a formidable threat, functioning as an information stealer, backdoor, and cryptocurrency miner. ⛏️ It leverages the Bitcoin blockchain for resilient command-and-control (C2) operations, making it difficult to dismantle. ????????

Notably, Glupteba’s distribution involves complex infection chains, often starting with PrivateLoader or SmokeLoader infections that pave the way for subsequent malware families, ultimately leading to Glupteba. ????

This sophisticated malware ecosystem has evolved over the years, with Glupteba now incorporating a UEFI bootkit to disable security features like PatchGuard and Driver Signature Enforcement (DSE) during boot-up. ????

The researchers emphasised the malware’s adaptability and innovation, highlighting its role in mass infections and collaboration within the cybercriminal ecosystem. Glupteba continues to pose a significant threat, showcasing the evolving landscape of modern cybercrime. ????????

???? Catch of the Day!! ????????????

???? The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can’t get fooled again.” Good ol’ George Dubya ???? Let us tell who’s not fooling around though; that’s the Crüe ???? at Motley Fool. You’d be a fool (alright, enough already! ????) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! ???? Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets ???? (LINK)

???? Wander: Find your happy place. Cue Happy Gilmore flashback ????️⛳????????️ Mmmm Happy Place… ???? So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway ????️???? (LINK)

???? Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts ???????? (Great movie, to be fair ????). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty ????). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho ???? And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! ???? (LINK)

Hackers be like float like a butterfly, sting like a Bumblebee ????

???? Bumblebee Malware Buzzes Back with Fresh Tactics ????

After a four-month hiatus, Bumblebee malware has reappeared on the cyber threat landscape, sporting a revamped attack chain, according to recent findings. ????

The latest campaign, observed in February 2024, showcases a “significantly different” modus operandi compared to previous infiltrations, coinciding with the return of notorious threat actors following a winter lull. ❄️

Bumblebee, a sophisticated downloader, serves as an initial access broker, facilitating the download and execution of payloads like Cobalt Strike, shellcode, Sliver, and Meterpreter. ????

Throughout March 2022 to October 2023, a whopping 230 Bumblebee campaigns were documented, with threat actors leveraging creative distribution methods, including trojanizing popular software tools like Zoom and Cisco AnyConnect. ????

In this latest iteration, social engineering tactics take centre stage, with attackers enticing victims to download Bumblebee via emails spoofed from consumer electronics firm Humane. ????

The bait? A voicemail-themed lure embedded with OneDrive URLs leading to Word documents containing VBA macro-enabled scripts. ????

Once executed, the script triggers a PowerShell command fetching the next stage of the attack from a remote server, ultimately leading to the deployment of the Bumblebee DLL. ????

What’s noteworthy is the resurgence of VBA macro-enabled documents in the attack chain, a deviation from recent trends observed. ????

While the campaign remains unattributed, similarities in techniques suggest a possible connection to the TA579 group. Other tracked threat actors, like TA577, have also resumed activities, signalling a return to high operational tempo in 2024.

As cybercriminals ramp up their efforts, we anticipate a continuation of these trends, urging heightened vigilance and proactive defence measures in the face of evolving threats. ????️????

Stay safe out there, folks!

????️ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.

  • Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran ‘Wealthy Primate’ might be able to help you climb that tree ???????? with his stick and banana approach ????????

  • Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)

Let us know what you think!

So long and thanks for reading all the phish!

Recent articles