Fast Facts
-
Pikabot is a multi-staged backdoor trojan that emerged in early 2023.
-
The most notable feature of Pikabot is its loader capability, which is capable of delivering payloads and has several defense evasive techniques.
-
Pikabot is programmed to execute commands via a Command and Control server, such as injecting arbitrary shellcodes, DLLs, or executable files.
-
The malware author has included several anti-analysis techniques to prevent automated analysis in sandbox and research environments.
-
Pikabot and the Qakbot trojan are comparable regarding campaigns, malicious characteristics, and distribution strategies.
-
Pikabot/Darkgate have been distributed through mal-spamming, email hijacking, and malvertising.
Background
The backdoor trojan known as Pikabot first surfaced in early 2023. Using a Command and Control (C2) server allows the attacker to take control remotely and carry out arbitrary commands. Pikabot can also insert arbitrary shell code and push malicious payloads on target computers, including executables, DLL files, malware, and cobalt-strike beacon payloads. By utilizing Anti-VM and Anti-Debugging techniques in the source code, the Pikabot authors have concealed their harmful indications and behavior during analysis, enabling them to remain undetectable.
The anti-debugging techniques include checking for debuggers, breakpoints, and system information, utilizing tools like ADVobfuscator for string obfuscation, and employing methods to detect sandbox environments and analysis attempts. The anti-VM techniques include conducting checks to see virtual machine environments, making it harder for automated analysis. Security Researchers can't discover any suspicious behaviors the malware might take in their labs during dynamic analysis because of anti-analysis measures.
Pikabot is a modular backdoor malware delivered through spam campaigns, email hijacking, and malvertising. It targets victims via its two components - a loader and a core module. The loader is responsible for loading the malware's main component into the system. Pikabot can be loaded into the system via its own loader or commercial loaders to load its main component. Once the core payload has been decrypted, the Pikabot injector creates a suspended process and injects the core. The injector uses indirect system calls to hide its injection. The rest of the used APIs are resolved using GetProcAddress with decrypted strings. Other pertinent strings are also decrypted during runtime before they are used. The loader and core module of Pikabot execute most of the malware's functions, while the former facilitates these malicious activities. The malware's objectives pose extreme dangers, including crypto-mining on compromised systems, installing spyware and ransomware, stealing credentials and confidential data, and enabling remote hands-on control of compromised systems.
MITRE ATT&CK TTPs
Please check the report for more information regarding its technical capabilities, behavioral patterns, detection, and remediation with Logpoint’s Converged SIEM platform.