Pushdo

Malware Profile Updated 3 months ago
Pushdo is a type of malware that has been associated with various cyber attacks and malicious activities. First recognized in 2013, Pushdo was identified as the most widespread "bad bot," infecting over 4.2 million IPs, including those of private companies, government agencies, and military networks. Its primary function was to distribute spam and spread malicious Trojans, much like the bots of the early 2000s. It is also known for its connection with the Cutwail botnet, a network of infected computers used to send spam emails or engage in other forms of cybercrime.

Throughout the years, Pushdo has been used alongside different types of malware and tools frequently linked with ITG23-related attacks. Notably, in the past year it has been used with Forest, a tool associated with several malware families such as Bumblebee, IcedID, CobaltStrike, Qakbot, and Pikabot, which suggests a close relationship between the actors behind them. In addition, Pushdo has been deployed with Gozi loaders distributed by the Cutwail botnet, further solidifying its connection to that network.

In 2023, Pushdo was observed being used in conjunction with the Dave and Forest crypters. A crypter is a software tool that encrypts, obfuscates, and otherwise manipulates malware to make it harder to detect or reverse engineer. Furthermore, a custom crypter was discovered being used with both TrickLoader and Vawtrak, along with Pushdo and Cutwail. This highlights the evolving sophistication of these tools and their ability to adapt and integrate with each other to increase their effectiveness and evade detection.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Cutwail | 2 | Cutwail is a notorious malware that has been associated with various botnets, including Necurs, Andromeda, and Dridex, at different stages of their lifecycle. It has been implicated in the distribution of malicious payloads such as IcedID, Gozi, and Pushdo, often using crypters like Hexa, Forest, Sn
Forest | 1 | Forest is a potent malware that leverages the Golden Ticket, an authentication ticket (TGT), to gain domain-wide access. It exploits the TGT to acquire service tickets (TGS) used for accessing resources across the entire domain and the Active Directory (AD) forest by leveraging SID History. The malw
Blackbasta | 1 | BlackBasta is a malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho
Trickloader | 1 | TrickLoader is a malicious software (malware) that exploits and damages computer systems, often infiltrating through suspicious downloads, emails, or websites. It is designed to steal personal information, disrupt operations, or hold data hostage for ransom. Upon initial inspection of TrickLoader, i
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Botnet
Malware
Domains
Ransomware
Crypter
Spam
Bot
Associated Malware
ID | Type | Votes | Profile Description
Bumblebee | Unspecified | 1 | Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for its use of crypters such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam
Gozi | Unspecified | 1 | Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
Cobaltstrike | Unspecified | 1 | CobaltStrike is a notorious form of malware that has been used in conjunction with other malicious software including IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. This malware is typically delivered through suspicious downloads, emails, or websites, ofte
Pikabot | Unspecified | 1 | PikaBot is a harmful malware that emerged in 2023, designed to exploit and damage computer systems. It infiltrates systems through dubious downloads, emails, or websites, often undetected by the user. Once inside a system, PikaBot can pilfer personal information, disrupt operations, or even ransom d
QakBot | Unspecified | 1 | Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
IcedID | Unspecified | 1 | IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Pushdo malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | a year ago | Bad bots are growing in volume and sophistication – here's what to do about it
MITRE | a year ago | TrickBot: We Missed you, Dyre
SecurityIntelligence.com | a year ago | The Trickbot/Conti Crypters: Where Are They Now?