1. Home
  2. Software
  3. Pikabot

Pikabot

Pikabot is a backdoor used for initial access and follow-on tool deployment active since early 2023. Pikabot is notable for extensive use of multiple encoding, encryption, and defense evasion mechanisms to evade defenses and avoid analysis. Pikabot has some overlaps with QakBot, but insufficient evidence exists to definitively link these two malware families. Pikabot is frequently used to deploy follow on tools such as Cobalt Strike or ransomware variants.[1][2][3]

ID: S1145
Type: MALWARE
Platforms: Windows
Contributors: Inna Danilevich, U.S. Bank
Version: 1.0
Created: 12 July 2024
Last Modified: 28 October 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1573 .001 加密通道: Symmetric Cryptography

Earlier Pikabot variants use a custom encryption procedure leveraging multiple mechanisms including AES with multiple rounds of Base64 encoding for its command and control communication.[1] Later Pikabot variants eliminate the use of AES and instead use RC4 encryption for transmitted information.[2]
Enterprise T1620 反射性代码加载

Pikabot reflectively loads stored, previously encrypted components of the PE file into memory of the currently executing process to avoid writing content to disk on the executing machine.[2]
Enterprise T1140 反混淆/解码文件或信息

Pikabot decrypts command and control URIs using ADVobfuscator, and decrypts IP addresses and port numbers with a custom algorithm.[1] Other versions of Pikabot decode chunks of stored stage 2 payload content in the initial payload .text section before consolidating them for further execution.[2] Overall LunarMail is associated with multiple encoding and encryption mechanisms to obfuscate the malware's presence and avoid analysis or detection.[3]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

Pikabot maintains persistence following system checks through the Run key in the registry.[1]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

Pikabot can execute Windows shell commands via cmd.exe.[1]
Enterprise T1482 域信任发现

Pikabot will gather information concerning the Windows Domain the victim machine is a member of during execution.[2]
Enterprise T1480 .001 执行保护: Environmental Keying

Pikabot stops execution if the infected system language matches one of several languages, with various versions referencing: Georgian, Kazakh, Uzbek, Tajik, Russian, Ukrainian, Belarussian, and Slovenian.[1][2]
Enterprise T1132 .001 数据编码: Standard Encoding

Pikabot uses base64 encoding in conjunction with symmetric encryption mechanisms to obfuscate command and control communications.[1][2]
Enterprise T1106 本机API

Pikabot uses native Windows APIs to determine if the process is being debugged and analyzed, such as CheckRemoteDebuggerPresent, NtQueryInformationProcess, ProcessDebugPort, and ProcessDebugFlags.[1] Other Pikabot variants populate a global list of Windows API addresses from the NTDLL and KERNEL32 libraries, and references these items instead of calling the API items to obfuscate execution.[2]
Enterprise T1027 .003 混淆文件或信息: Steganography

Pikabot loads a set of PNG images stored in the malware's resources section (RCDATA), each with an encrypted section containing portions of the core Pikabot core module. These sections are loaded and decrypted using a bitwise XOR operation with a hardcoded 32 bit key.[1]
.009 混淆文件或信息: Embedded Payloads

Pikabot further decrypts information embedded via steganography using AES-CBC with the same 32 bit key as initial XOR operations combined with the first 16 bytes of the encrypted data as an initialization vector.[1] Other Pikabot variants include encrypted, chunked sections of the stage 2 payload in the initial loader .text section before decrypting and assembling these during execution.[2]
.011 混淆文件或信息: Fileless Storage

Some versions of Pikabot build the final PE payload in memory to avoid writing contents to disk on the executing machine.[2]
Enterprise T1082 系统信息发现

Pikabot performs a variety of system checks and gathers system information, including commands such as whoami.[1][2]
Enterprise T1016 系统网络配置发现

Pikabot gathers victim network information through commands such as ipconfig and ipconfig /all.[1]
Enterprise T1497 .001 虚拟化/沙盒规避: System Checks

Pikabot performs a variety of system checks to determine if it is running in an analysis environment or sandbox, such as checking the number of processors (must be greater than two), and the amount of RAM (must be greater than 2GB).[2]
Enterprise T1622 调试器规避

Pikabot features several methods to evade debugging by analysts, including checks for active debuggers, the use of breakpoints during execution, and checking various system information items such as system memory and the number of processors.[1][2][3]
Enterprise T1087 .001 账号发现: Local Account

Pikabot will retrieve the name of the user associated with the thread under which the malware is executing.[2]
Enterprise T1055 .002 进程注入: Portable Executable Injection

Pikabot, following payload decryption, creates a process hard-coded into the dropped (e.g., WerFault.exe) and injects the decrypted core modules into it.[1]
.003 进程注入: Thread Execution Hijacking

Pikabot can create a suspended instance of a legitimate process (e.g., ctfmon.exe), allocate memory within the suspended process corresponding to Pikabot's core module, then redirect execution flow via SetContextThread API so that when the thread resumes the Pikabot core module is executed.[2]
Enterprise T1041 通过C2信道渗出

During the initial Pikabot command and control check-in, Pikabot will transmit collected system information encrypted using RC4.[2]
Enterprise T1571 非标准端口

Pikabot uses non-standard ports, such as 2967, 2223, and others, for HTTPS command and control communication.[2]

Groups That Use This Software

ID Name References
G1037 TA577

[4]

Campaigns

ID Name Description
C0036 Pikabot Distribution February 2024

Pikabot Distribution February 2024 distributed Pikabot for initial access purposes in February 2024.[2][5]
C0037 Water Curupira Pikabot Distribution

Water Curupira Pikabot Distribution distributed Pikabot as an initial access mechanism.[6]

References

  1. Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
  2. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
  3. Swachchhanda Shrawan Poudel. (2024, February). Pikabot: 
 A Sophisticated and Modular Backdoor Trojan with Advanced Evasion Techniques. Retrieved July 12, 2024.
  1. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
  2. Nikolaos Pantazopoulos. (2024, February 12). The (D)Evolution of Pikabot. Retrieved July 17, 2024.
  3. Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024.