
Pikabot

PikaBot is a backdoor first seen in early 2023.

It has two components: a loader and a core module.

The infection starts with a malicious email containing a link that downloads a JS file; the JS file in turn downloads the PikaBot DLL.

Control Flow
The initial JS file contains a PowerShell command that contacts a URL and downloads the PikaBot DLL.

After download the DLL is executed through rundll32.exe. At the end of DllEntryPoint there is a call to the malware's main function, which contains all the core functionality.

PikaBot persists on infected systems by adding its file path to a Run registry key.

One of the first things the malware does is resolve the APIs it needs. The loader first locates GetProcAddress and LoadLibraryA by walking the export table of kernel32.dll and comparing a hash of each export name against the hard-coded hash of the wanted function; those two functions are then used to resolve the remaining APIs. Because the import table never names these functions, static analysis has to recover the hash routine and rebuild the name-to-hash mapping.
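The export-hash lookup described above, written out as an added example (this is not Pikabot's code and not taken from the referenced analyses). The page does not say which hash routine Pikabot uses; the ROR-13 hash below is a common loader choice and is an assumption for illustration only. The kernel32 export table is a constructed stand-in with made-up addresses; `resolve_by_hash` shows the loader's side of the technique and `build_hash_table` the analyst's side (precomputing hash-to-name so the constants in a binary can be labelled).

```python
"""API resolution by export-name hash, as loaders like the one above do it.

Added example, not Pikabot's code. The page does not state which hash
routine Pikabot uses; the ROR-13 hash below is a common loader choice and
is an assumption for illustration. The export table is a constructed
stand-in for kernel32.dll's export directory.
"""

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: bytes) -> int:
    """ROR-13 hash over an export name (assumed routine, not Pikabot's)."""
    h = 0
    for c in name:
        h = (ror32(h, 13) + c) & MASK32
    return h


# Constructed export directory: name -> address. A real loader walks the PE
# export directory (AddressOfNames / AddressOfFunctions) of the loaded module.
KERNEL32_EXPORTS = {
    b"CreateFileA": 0x7FFA1000,
    b"GetProcAddress": 0x7FFA2000,
    b"LoadLibraryA": 0x7FFA3000,
    b"VirtualAlloc": 0x7FFA4000,
    b"WriteProcessMemory": 0x7FFA5000,
}


def resolve_by_hash(exports: dict, wanted: int):
    """Loader side: walk the export names until one hashes to `wanted`.
    Returns the export's address, or None when no name matches."""
    for name, address in exports.items():
        if api_hash(name) == wanted:
            return address
    return None


def build_hash_table(names) -> dict:
    """Analyst side: precompute hash -> name to label constants in the binary."""
    return {api_hash(n): n for n in names}


def bootstrap(exports: dict) -> dict:
    """Resolve the two functions the loader needs first, by hash only.
    In the binary the two hashes are literals; they are computed here so
    the example does not depend on a memorised constant."""
    wanted = {
        b"GetProcAddress": api_hash(b"GetProcAddress"),
        b"LoadLibraryA": api_hash(b"LoadLibraryA"),
    }
    return {name: resolve_by_hash(exports, h) for name, h in wanted.items()}


if __name__ == "__main__":
    table = build_hash_table(KERNEL32_EXPORTS)
    for h, name in sorted(table.items()):
        print(f"{h:08x} {name.decode()}")
    print(bootstrap(KERNEL32_EXPORTS))
```

When triaging a sample, the practical step is to identify the real hash routine in the disassembly, re-implement it in place of `api_hash`, and run `build_hash_table` over the export names of kernel32.dll, wininet.dll and advapi32.dll; the resulting table turns the opaque 32-bit constants passed to the resolver into API names.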

The loader runs a series of anti-debugging and anti-analysis checks before continuing. Once they pass, it extracts the core module from the resource section of the DLL. The encrypted core module is not stored as a single blob: it is scattered across PNG images in the resource section (two images in the analysed sample). The loader scans each PNG resource for a 4-byte marker that denotes the start of an encrypted chunk of the core component.

The collected chunks are first XOR-decoded, and the XOR-decoded data is then decrypted with AES using a 32-byte key. After decryption the core module is injected into a legitimate process; the target process differs between samples.

The core module uses the same string encryption method as the loader. The DLL contains a small number of functions and exports. DllRegisterServer contains a call to a sub_XXXXX function that holds all the functionality of the core module. The same dynamic API-resolution routine is used, but more DLLs are resolved for networking and other required functionality, e.g. Wininet.dll and Advapi32.dll.
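The resource-to-core-module pipeline described in the two preceding paragraphs, as an added example (not Pikabot's code and not from the referenced analyses): scan each PNG resource for a 4-byte marker, collect the bytes that follow it, concatenate the chunks in resource order, XOR-decode, then AES-decrypt with a 32-byte key. The marker value, XOR key, the use of CBC mode and the IV are assumptions; the page only states "a 4-byte string", "XOR" and "AES with a 32-byte key". The resources are constructed in the block so the marker and XOR stages run offline; the AES stage uses the `cryptography` package and is imported lazily so the rest runs without it.

```python
"""Reassemble, XOR-decode and AES-decrypt a payload hidden in PNG resources.

Added example, not Pikabot's code. It models the flow the page describes:
find a 4-byte marker inside each PNG resource, take the bytes after it,
concatenate the chunks in resource order, XOR-decode, then AES-decrypt
with a 32-byte key. The marker value, XOR key, AES mode (CBC) and IV are
assumptions for the demo; the resources themselves are constructed.
"""

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MARKER = b"\xDE\xC0\xAD\x0B"  # assumed 4-byte start-of-chunk marker


def find_marker(resource: bytes, marker: bytes = MARKER) -> int:
    """Offset of the first byte after the marker, or -1 if the marker is absent."""
    idx = resource.find(marker)
    return -1 if idx < 0 else idx + len(marker)


def collect_chunks(resources, marker: bytes = MARKER) -> bytes:
    """Concatenate the encrypted chunk that follows the marker in each resource.
    Resources without the marker (genuine images, padding) are skipped."""
    out = bytearray()
    for res in resources:
        start = find_marker(res, marker)
        if start >= 0:
            out += res[start:]
    return bytes(out)


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def aes_decrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    """AES-CBC with a 32-byte key via the `cryptography` package (mode and IV
    are assumptions). Imported lazily so the marker/XOR stages run without it."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    if len(key) != 32 or len(data) % 16:
        raise ValueError("need a 32-byte key and block-aligned ciphertext")
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return dec.update(data) + dec.finalize()


def recover_core(resources, xor_key: bytes, aes_key: bytes, iv: bytes) -> bytes:
    """Full pipeline: marker scan -> XOR -> AES. Check for an MZ header on the result."""
    return aes_decrypt(xor_decode(collect_chunks(resources), xor_key), aes_key, iv)


# --- constructed sample, so the marker/XOR stages can be checked offline ---
XOR_KEY = b"\x5a\xa5\x33"                              # assumed XOR key
CORE_STAGE1 = b"MZ\x90\x00" + bytes(range(16, 44))    # stand-in for the 32-byte AES ciphertext


def build_sample_resources() -> list:
    """Two fake PNG resources carrying the XOR-encoded payload, plus one decoy."""
    encoded = xor_decode(CORE_STAGE1, XOR_KEY)
    half = len(encoded) // 2
    return [
        PNG_SIGNATURE + b"\x00" * 8 + MARKER + encoded[:half],
        PNG_SIGNATURE + b"\x00" * 8,                  # decoy image, no marker
        PNG_SIGNATURE + b"\x00" * 8 + MARKER + encoded[half:],
    ]


def demo_stage1() -> bytes:
    """Marker scan plus XOR decode over the constructed resources."""
    return xor_decode(collect_chunks(build_sample_resources()), XOR_KEY)


if __name__ == "__main__":
    print(demo_stage1().hex())
```

Note that the XOR key index runs across the concatenated chunks, not per resource; when re-implementing this against a real sample, confirm from the disassembly whether the loader XORs each chunk separately or the reassembled buffer, since the two give different plaintext for every chunk after the first. The marker and key bytes come from the sample, typically as immediates next to the resource-enumeration calls.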


MITRE ATT&CK Matrix

Initial Access: Spearphishing Link

Execution: User Execution (Malicious Link)

Persistence: Registry Run Keys / Startup Folder

Privilege Escalation: Process Injection

Defense Evasion: Deobfuscate/Decode Files or Information

Credential Access: N/A

Discovery: System Information Discovery

Lateral Movement: N/A

Collection: Data from Local System

Command and Control: Application Layer Protocol (Web Protocols)

Exfiltration: Exfiltration Over C2 Channel

Impact: Data Transmitted over C2

IOCs (SHA-256)

2411b23bab7703e94897573f3758e1849fdc6f407ea1d1e5da20a4e07ecf3c09

59f42ecde152f78731e54ea27e761bba748c9309a6ad1c2fd17f0e8b90f8aed1

References

https://d01a.github.io/pikabot/

https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot
