Pikabot is a new malware trojan that emerged in early 2023. It consists of two components: a loader and a core module. The core module implements the malicious functionality, which includes the ability to execute arbitrary commands and to inject payloads provided by a command-and-control server. Pikabot uses a code injector to decrypt and inject the core module.
The injector runs a series of anti-analysis tests and only then decrypts and injects the core module payload. If any of these tests fail, Pikabot terminates execution. Both components use the public tool ADVobfuscator for string obfuscation. Similar to the injector, the Pikabot core module performs additional anti-analysis checks of its own.
Pikabot stops execution if the system's language is any of the following: Georgian (Georgia), Kazakh (Kazakhstan), Uzbek (Cyrillic), Tajik (Tajikistan), Russian (Russia), Ukrainian (Ukraine), Belarusian (Belarus), Slovenian (Slovenia).
Pikabot shares similarities with the Qakbot trojan including the distribution methods, campaigns, and malware behaviors.
Pikabot is distributed via phishing campaigns that use email thread hijacking. Attackers intercept legitimate email conversations and add malicious attachments or links, making the user more likely to engage. These emails carry ZIP attachments with embedded JavaScript files that, when executed, download and install Pikabot.
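An added detection helper for the delivery chain described above (this is example code, not part of the original article or of any Pikabot-related tooling): it scans an inbound ZIP attachment, including nested ZIPs, for script files such as the embedded JavaScript Pikabot's lures use. The sample archive is constructed inline, and the extension list beyond .js and the nesting limit are assumptions.

```python
import io
import zipfile

# Pikabot lures carry JavaScript inside a ZIP (per the article). The other
# script extensions are an assumption, added so the same check covers
# similar lure variants.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs"}
MAX_NESTING = 3  # assumption: stop descending into nested archives at this depth


def _script_like(name: str) -> bool:
    """True if the member's final extension is a directly executable script type.

    Double extensions such as Invoice.pdf.js still end in .js, so they are caught.
    """
    lowered = name.lower().rstrip("/")
    return any(lowered.endswith(ext) for ext in SCRIPT_EXTENSIONS)


def find_script_members(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return the paths of script files inside a ZIP, descending into nested ZIPs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if _script_like(info.filename):
                findings.append(path)
            elif info.filename.lower().endswith(".zip") and depth < MAX_NESTING:
                # Nested archive: recurse and record the path with a "!" separator.
                findings.extend(find_script_members(archive.read(info), depth + 1, path + "!"))
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample: a ZIP with a double-extension .js file and a nested ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Document_2023.js", "// placeholder text, not a real dropper\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice.pdf.js", "// placeholder text, not a real dropper\n")
        z.writestr("readme.txt", "benign text\n")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_script_members(build_sample_lure()):
        print("script attachment:", hit)
```

A mail gateway would run find_script_members over each attachment and quarantine the message on any hit; the archive is inspected purely from bytes, so nothing is ever extracted to disk.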
Anti-Analysis Techniques
Pikabot has various anti-analysis measures to avoid detection. It checks for debuggers and breakpoints and inspects system information such as memory size and processor count. It uses ADVobfuscator for string obfuscation and employs methods to detect sandbox environments. If any of these checks fail, Pikabot terminates its execution, making it hard for security researchers to analyze.
Similarities to Qakbot
Pikabot has similarities with the dismantled Qakbot trojan. Both use email thread hijacking for distribution, share the same URL patterns, and have almost the same infection chain and loader capabilities. This is probably because Pikabot is filling the gap left by the Qakbot takedown and is using the same tactics to compromise systems.
Implement robust email filtering to detect and block phishing attempts.
Educate employees about the dangers of opening unsolicited attachments or clicking unknown links.
Utilize advanced endpoint protection solutions to detect and prevent malware execution.
Regularly update and patch software to address known vulnerabilities.