Pikabot

Pikabot is a malware trojan that emerged in early 2023 and consists of two components: a loader and a core module. The core module implements the malicious functionality, which includes executing arbitrary commands and injecting payloads supplied by a command-and-control server. Pikabot uses a code injector to decrypt and inject the core module.

The injector runs a series of anti-analysis tests before decrypting and injecting the core module payload; if any of these tests fail, Pikabot terminates execution. Both components use the public tool ADVobfuscator for string obfuscation. Like the injector, the Pikabot core module performs its own additional anti-analysis checks.

Pikabot stops execution if the system's language is any of the following: Georgian (Georgia), Kazakh (Kazakhstan), Uzbek (Cyrillic), Tajik (Tajikistan), Russian (Russia), Ukrainian (Ukraine), Belarusian (Belarus), Slovenian (Slovenia).

Pikabot shares similarities with the Qakbot trojan, including its distribution methods, campaigns, and malware behaviors.

Key Insights

Pikabot is distributed via phishing campaigns that use email thread hijacking: attackers intercept legitimate email conversations and add malicious attachments or links so that the recipient is more likely to engage. These emails carry ZIP attachments with embedded JavaScript files that, when executed, download and install Pikabot.
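The delivery chain above (ZIP attachment, script inside, possibly nested) is something a mail gateway can triage before a user ever sees it, which is also the point of the "robust email filtering" mitigation later on this page. The following is an added example, not code from Hunt.io or from any Pikabot analysis: it opens an attachment in memory, recurses into nested ZIPs, and returns the reasons for flagging it. The page only names `.js` inside ZIP; the other script and document extensions, the nesting limit, and the three sample archives are assumptions constructed here for illustration (their script bodies are inert comments, not malware).

```python
from __future__ import annotations

import io
import os
import zipfile

# Extensions Windows hands to the script host or shell on double-click.
# The page describes .js inside ZIP; the rest are assumed companions of
# that lure style and are included for broader coverage.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta", ".lnk"}
# Document extensions an attacker may prepend to disguise a script (invoice.pdf.js).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_DEPTH = 3  # assumed limit so an archive-in-archive chain cannot recurse forever


def _ext(name: str) -> str:
    """Lower-cased final extension of a member name, '' if it has none."""
    return os.path.splitext(name)[1].lower()


def scan_zip_bytes(data: bytes, label: str = "attachment.zip", depth: int = 0) -> list[str]:
    """Inspect a ZIP held in memory and return the reasons to flag it.

    An empty list means nothing suspicious was found. Nested ZIPs are
    opened recursively up to MAX_DEPTH; encrypted members cannot be
    inspected and are flagged on that basis alone.
    """
    if depth > MAX_DEPTH:
        return [f"{label}: nested deeper than {MAX_DEPTH} levels"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{label}: not a valid ZIP archive"]

    reasons: list[str] = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            member = f"{label}/{info.filename}"
            ext = _ext(info.filename)
            if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted member
                reasons.append(f"{member}: encrypted member, cannot inspect")
                continue
            if ext in ARCHIVE_EXTENSIONS:
                reasons.extend(scan_zip_bytes(archive.read(info), member, depth + 1))
                continue
            if ext in SCRIPT_EXTENSIONS:
                reasons.append(f"{member}: script file ({ext})")
            stem = os.path.splitext(info.filename)[0]
            if ext and _ext(stem) in DOCUMENT_EXTENSIONS:
                reasons.append(f"{member}: double extension masquerading as {_ext(stem)}")
    return reasons


def _zip_with(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: not real Pikabot artifacts, and the script bodies are inert.
def build_js_lure() -> bytes:
    return _zip_with({"Invoice_2024.js": b"// inert placeholder\n"})


def build_nested_lure() -> bytes:
    inner = _zip_with({"Invoice.pdf.js": b"// inert placeholder\n"})
    return _zip_with({"inner.zip": inner})


def build_benign() -> bytes:
    return _zip_with({"statement.pdf": b"%PDF-1.4 placeholder\n"})


if __name__ == "__main__":
    samples = [("js lure", build_js_lure()), ("nested lure", build_nested_lure()), ("benign", build_benign())]
    for name, blob in samples:
        verdict = scan_zip_bytes(blob)
        print(f"{name}: {'FLAG' if verdict else 'ok'}")
        for reason in verdict:
            print("  -", reason)
```

The function returns reasons rather than a bare boolean so a gateway can log why an attachment was held; an encrypted member is treated as a finding in itself because the scanner cannot see inside it, which mirrors how password-protected lures are usually handled at the perimeter.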

Anti-Analysis Techniques

Pikabot has various anti-analysis measures to avoid detection. It checks for debuggers and breakpoints and inspects system information such as memory size and processor count. It uses ADVobfuscator for string obfuscation and employs methods to detect sandbox environments. If any of these checks fail, Pikabot terminates its execution, making it hard for security researchers to analyze.

Similarities to Qakbot

Pikabot shares similarities with the dismantled Qakbot trojan: both use email thread hijacking for distribution, use the same URL patterns, and have almost the same infection chain and loader capabilities. Pikabot is probably filling the gap left by the Qakbot takedown and is reusing the same tactics to compromise systems.

Known Variants

As of now, there are no specifically named variants of Pikabot, but it is under active development and evolving, so new versions may appear over time.

Mitigation Strategies

  • Implement robust email filtering to detect and block phishing attempts.

  • Educate employees about the dangers of opening unsolicited attachments or clicking unknown links.

  • Utilize advanced endpoint protection solutions to detect and prevent malware execution.

  • Regularly update and patch software to address known vulnerabilities.

Targeted Industries or Sectors

Pikabot targets a wide range of sectors including finance, healthcare and manufacturing. Its operators want to maximize impact by compromising different industries, often leading to ransomware attacks or data theft.

Associated Threat Actors

The threat actor TA577, also known as Water Curupira, is actively distributing Pikabot. This group is financially motivated and has been associated with Qakbot distribution. Their campaigns often lead to Black Basta ransomware.