Pushdo is a type of malware that has been associated with various cyber attacks and malicious activities. First recognized in 2013, Pushdo was identified as the most widespread "bad bot," infecting over 4.2 million IPs including those of private companies, government agencies, and military networks. Its primary function was to distribute spam and spread malicious Trojans, similar to early 2000s bots. It is also known for its connection with the Cutwail botnet, a network of infected computers used to send out spam emails or engage in other forms of cybercrime.
Over the years, Pushdo has been used alongside various malware families and tools frequently linked to ITG23-related attacks. Notably, in the past year it has been used with Forest, a crypter associated with several malware variants such as Bumblebee, IcedID, CobaltStrike, Qakbot, and Pikabot, which suggests a close relationship between the actors behind these tools. Pushdo has also been deployed with Gozi loaders distributed by the Cutwail botnet, further solidifying its connection to that network.
In 2023, Pushdo was observed in conjunction with the Dave and Forest crypters. A crypter is a software tool that encrypts, obfuscates, and otherwise manipulates malware to make it harder to detect or reverse engineer. In addition, a custom crypter was found in use with both TrickLoader and Vawtrak, as well as with Pushdo and Cutwail. This highlights the evolving sophistication of these tools and their ability to integrate with one another to increase effectiveness and evade detection.
Description last updated: 2024-01-06T09:36:51.566Z