A Peek at the PikaBot Infrastructure

It is not uncommon these days for threat actors to use malicious search ads to distribute malware. To do that, though, they would need to know how to bypass Google’s security measures by setting up decoy infrastructures.

PikaBot is one such malware that started gaining renown in early 2023. Malwarebytes Labs researchers conducted an in-depth analysis of the threat and published 11 indicators of compromise (IoCs)—two domains and nine IP addresses—in the process.

In a bid to make the Internet safer and more transparent, the WhoisXML API research team expanded the list of IoCs and found hundreds of potentially connected artifacts, namely:

  • 112 email-connected domains
  • Three additional IP addresses to which some domain IoCs resolved, two of which turned out to be malicious
  • 210 IP-connected domains, three of which have been tagged as malicious
  • 14 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Quick Look at the PikaBot IoCs

As a first step, we looked at the two domains identified as IoCs via WHOIS lookups, which revealed that:

  • They were administered by different registrars—cxtensones[.]top by NiceNIC International Group Co. Ltd. and ovmv[.]net by Hosting Concepts B.V.
  • Both domains were created in December 2023, making them newly registered when they were used for attacks.
  • The IoC cxtensones[.]top indicated the U.S. as its registrant country while ovmv[.]net was supposedly registered in the Netherlands.

A bulk IP geolocation lookup, meanwhile, for the nine IP addresses tagged as IoCs showed that:

  • Three IP addresses each appeared to be geolocated in France and the U.S. One IoC each pointed to Australia, Germany, and the U.K. as their origins.
  • They were split between two Internet service providers (ISPs)—six for OVH and three for Akamai Technologies, Inc.

Threat Intelligence API searches for the IoCs also revealed interesting tidbits as detailed in the table below.

| IoC | Number of associated threats | Associated threat type | Date first seen |
|---|---|---|---|
| 139[.]99[.]222[.]29 | 1 | Malware | 15 December 2023 |
| 172[.]232[.]162[.]198 | 4 | Attack, Botnet, C2, Malware | 14 December 2023 |
| 172[.]232[.]164[.]77 | 4 | Attack, Botnet, C2, Malware | 13 December 2023 |
| 172[.]232[.]186[.]251 | 4 | Attack, Botnet, C2, Malware | 14 December 2023 |
| 54[.]37[.]79[.]82 | 4 | Attack, Botnet, C2, Malware | 15 December 2023 |
| 57[.]128[.]108[.]132 | 4 | Attack, Botnet, C2, Malware | 14 December 2023 |
| 57[.]128[.]109[.]221 | 4 | Attack, Botnet, C2, Malware | 15 December 2023 |
| 57[.]128[.]164[.]11 | 4 | Attack, Botnet, C2, Malware | 14 December 2023 |
| 57[.]128[.]83[.]129 | 4 | Attack, Botnet, C2, Malware | 14 December 2023 |

On the Flip Side of the PikaBot Campaign

To uncover other possibly related PikaBot artifacts, we began by subjecting the two domains identified as IoCs to WHOIS history lookups, which revealed that one of them—ovmv[.]net—had four email addresses in its historical WHOIS records. Three of them were public email addresses.

Reverse WHOIS API queries using two of the three public email addresses as search terms led to the discovery of 112 domains after duplicates and the IoCs were removed, almost all of which were either Chinese-sounding or composed of random number combinations. Examples include:

  • 1869666[.]net
  • 240690[.]com
  • 242302[.]com
  • 354374[.]com
  • 375324[.]com
  • dalianchu[.]com
  • didichihuo[.]com
  • duolianchu[.]com
  • fulianchu[.]com
  • hangtianyun[.]com

Next, we performed DNS lookups on the two domains identified as IoCs and found three IP addresses that are not part of the original IoC list.

IP geolocation lookups for the three additional IP addresses revealed that:

  • Each one was geolocated in a different country—Brazil, Switzerland, and the U.S.
  • Two—104[.]21[.]72[.]66 and 172[.]67[.]176[.]15—were associated with various threats based on the built-in Threat Intelligence API engine. In addition, both IP addresses were flagged for phishing and generic threats from 23 May 2023 to the current date.

We now had 12 IP addresses in total to work with—nine identified as IoCs and the three additional resolutions. Reverse IP lookups showed that three of them could be dedicated hosts. The potentially dedicated IP addresses hosted 210 other domains that were neither part of the original IoC list nor email-connected.

Threat Intelligence API revealed that three of them—fakty-info[.]com, twinsources[.]shop, and txid-coinbase[.]net—were associated with various threats. Take a look at the details in the table below.

| IP-connected domain | Number of associated threats | Associated threat type |
|---|---|---|
| fakty-info[.]com | 2 | Phishing, Generic |
| twinsources[.]shop | 1 | Malware |
| txid-coinbase[.]net | 1 | Phishing |

To fill in possible gaps, we then sought to uncover other potentially connected domains via text string usage. We used Domains & Subdomains Discovery to find domains containing the string ovmv. using the Starts with parameter. We discovered 14 string-connected domains, all of which looked exactly like the IoC ovmv[.]net, albeit with different top-level domain (TLD) extensions.

WHOIS comparisons with the domain ovmv[.]net, however, showed that none of them seemingly bore similarities with the IoC.
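
The connection types above carry different weight when matched against DNS telemetry. The following is an added example, not code from WhoisXML API or the original article: it classifies resolver log lines against the indicators named on this page. Because the WHOIS comparison found no similarities, `ovmv.` string matches go in the lowest tier. The log format, the tier names and the function names are assumptions, and the sample log is constructed.

```python
import ipaddress

def refang(s):
    """Normalize an indicator: undo [.] defanging, lowercase, drop root dot."""
    return s.replace("[.]", ".").strip().lower().rstrip(".")

# Indicators as published on this page (kept defanged in the source).
IOC_DOMAINS = {refang(d) for d in ("cxtensones[.]top", "ovmv[.]net")}
IOC_IPS = {ipaddress.ip_address(refang(i)) for i in (
    "139[.]99[.]222[.]29", "172[.]232[.]162[.]198", "172[.]232[.]164[.]77",
    "172[.]232[.]186[.]251", "54[.]37[.]79[.]82", "57[.]128[.]108[.]132",
    "57[.]128[.]109[.]221", "57[.]128[.]164[.]11", "57[.]128[.]83[.]129")}
FLAGGED_CONNECTED = {refang(d) for d in (
    "fakty-info[.]com", "twinsources[.]shop", "txid-coinbase[.]net")}

def under(qname, zones):
    """True if qname equals, or is a subdomain of, any zone in zones."""
    return any(qname == z or qname.endswith("." + z) for z in zones)

def classify(qname, answer):
    """Return (tier, reason) for one DNS record, or None if nothing matches."""
    qname, answer = refang(qname), refang(answer)
    if under(qname, IOC_DOMAINS):
        return ("high", "ioc-domain")
    try:
        if ipaddress.ip_address(answer) in IOC_IPS:
            return ("high", "ioc-ip")
    except ValueError:
        pass  # answer is a CNAME target or empty, not an address
    if under(qname, FLAGGED_CONNECTED):
        return ("medium", "flagged-ip-connected")
    if qname.startswith("ovmv."):  # same "Starts with" match as the article
        return ("low", "string-connected")
    return None

# Constructed sample log, one "<client> <qname> <answer>" per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.org 192.0.2.10
10.0.0.7 cdn.ovmv[.]net 198.51.100.4
10.0.0.9 updates.example.net 57[.]128[.]83[.]129
10.0.0.9 txid-coinbase[.]net 198.51.100.9
10.0.0.3 ovmv[.]org 203.0.113.8
10.0.0.3 novmv[.]net -
"""

def scan(log_text):
    """Return (client, qname, tier, reason) for each matching log line."""
    rows = (line.split() for line in log_text.splitlines())
    return [(c, q) + v for c, q, a in rows if (v := classify(q, a))]
```

Calling `scan(SAMPLE_LOG)` returns four hits; the `novmv[.]net` line is not one of them because matching is done on label boundaries rather than on substrings.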


Our DNS deep dive into the PikaBot infrastructure allowed us to identify 339 possibly connected artifacts comprising 112 email-connected domains, three additional IP addresses, 210 IP-connected domains, and 14 string-connected domains. Additionally, our analysis enabled us to uncover five malicious web properties—two IP addresses (104[.]21[.]72[.]66 and 172[.]67[.]176[.]15) and three domains (fakty-info[.]com, twinsources[.]shop, and txid-coinbase[.]net).

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
