Pikabot

Pikabot is a new malware trojan that emerged in early 2023 that consists of two components: a loader and a core module. The core module implements the malicious functionality that includes the ability to execute arbitrary commands and inject payloads that are provided by a command-and-control server. Pikabot utilizes a code injector to decrypt and inject the core module.

The core module and its injector use a series of anti-analysis tests and then decrypt and inject the core module payload. If any of these tests fail, Pikabot will terminate execution. In addition, they use the public tool ADVobfuscator for string obfuscation. Similar to the injector, the Pikabot core module performs additional anti-analysis checks.

Pikabot stops execution if the system's language is any of the following: Georgian (Georgia), Kazakh (Kazakhstan), Uzbek (Cyrillic), Tajik (Tajikistan), Russian (Russia), Ukrainian (Ukraine), Belarusian (Belarus), Slovenian (Slovenia).
Pikabot shares similarities with the Qakbot trojan including the distribution methods, campaigns, and malware behaviors.

Key Insights

Pikabot is distributed via phishing campaigns that use email thread hijacking. Attackers intercept legitimate email conversations to add malicious attachments or links, to make the user more likely to engage. These emails have ZIP attachments with embedded JavaScript files that when executed download and install Pikabot.

Anti-Analysis Techniques

Pikabot has various anti-analysis measures to avoid detection. It checks for debuggers, breakpoints and system information like memory and processor count. It uses ADVobfuscator for string obfuscation and methods to detect sandbox environments. If any of these checks fail Pikabot terminates its execution making it hard for security researchers to analyze.

Similarities to Qakbot

Pikabot has similarities with the dismantled Qakbot trojan. Both use email thread hijacking for distribution, have the same URL patterns and almost the same infection chain and loader capabilities. This is because Pikabot is probably filling the gap left by Qakbot takedown and is using the same tactics to compromise systems.

Known Variants

As of now there are no specific named variants of Pikabot. But it’s under development and evolving so new versions may appear over time.

Mitigation Strategies

Implement robust email filtering to detect and block phishing attempts.
Educate employees about the dangers of opening unsolicited attachments or clicking unknown links.
Utilize advanced endpoint protection solutions to detect and prevent malware execution.
Regularly update and patch software to address known vulnerabilities.

Targeted Industries or Sectors

Pikabot targets a wide range of sectors including finance, healthcare and manufacturing. Its operators want to maximize impact by compromising different industries, often leading to ransomware attacks or data theft.

Associated Threat Actors

The threat actor TA577 also known as Water Curupira is actively distributing Pikabot. This group is financially motivated and has been associated with Qakbot distribution. Their campaigns often lead to Black Basta ransomware.