PikaBot is an insidious backdoor, first seen in early 2023.
It has two components: a loader and a core module.
The infection starts with a malicious email containing a link that downloads a JS file, which in turn downloads the PikaBot DLL.
Control Flow –
The initial JS file contains a PowerShell command that contacts a URL and downloads the PikaBot DLL.
After download, the DLL is executed through rundll32.exe. At the end of DllEntryPoint there is a call to the main function of the malware, which contains all the core functionality.
PikaBot persists on infected systems by adding its file path to the Run registry key.
One of the first things the malware does is resolve the APIs it needs. PikaBot first locates two functions, GetProcAddress and LoadLibraryA, by walking the export table of Kernel32.dll and comparing a hash of each export name against the hash of the wanted function; those two are then used to obtain the addresses of the remaining APIs.
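The export-hash resolution just described, as an added example in Go that is neither PikaBot's code nor taken from the referenced write-ups: an analyst-side lookup table that maps hashes of kernel32.dll export names back to the names, so that hashed constants found in the loader can be read. The hash function (a ROR13 rolling hash), the export list and the hashes fed to `Resolve` are assumptions constructed for the example; the real algorithm has to be recovered from the sample and substituted in `ApiHash`, after which the table-building approach is unchanged.

```go
package main

import "fmt"

// ApiHash is a placeholder: a ROR13 rolling hash over the export name.
// PikaBot's actual hash routine (not given on the page) must be recovered
// from the sample and substituted here; everything else stays the same.
func ApiHash(name string) uint32 {
	var h uint32
	for i := 0; i < len(name); i++ {
		h = (h >> 13) | (h << 19) // rotate right by 13 bits
		h += uint32(name[i])
	}
	return h
}

// BuildTable maps every export-name hash back to its name. A collision between
// two different names is reported rather than silently overwritten, because an
// ambiguous table would mislead the analyst reading hashed constants.
func BuildTable(exports []string) (map[uint32]string, error) {
	table := make(map[uint32]string, len(exports))
	for _, name := range exports {
		h := ApiHash(name)
		if prev, ok := table[h]; ok && prev != name {
			return nil, fmt.Errorf("hash collision %#08x: %q vs %q", h, prev, name)
		}
		table[h] = name
	}
	return table, nil
}

// Resolve turns a hash seen in the loader back into an export name.
func Resolve(table map[uint32]string, h uint32) (string, bool) {
	name, ok := table[h]
	return name, ok
}

// Kernel32Exports is a constructed subset of kernel32.dll export names; a real
// run would dump the full export directory of the DLL on the analysed host.
var Kernel32Exports = []string{
	"GetProcAddress", "LoadLibraryA", "VirtualAlloc", "VirtualProtect",
	"CreateProcessW", "GetModuleHandleA", "ExitProcess",
}

func main() {
	table, err := BuildTable(Kernel32Exports)
	if err != nil {
		fmt.Println(err)
		return
	}
	// Hashes as they would be copied out of the loader; here computed from
	// the names (constructed), plus one value that is not in the table.
	seen := []uint32{ApiHash("GetProcAddress"), ApiHash("LoadLibraryA"), 0xdeadbeef}
	for _, h := range seen {
		if name, ok := Resolve(table, h); ok {
			fmt.Printf("%#08x -> %s\n", h, name)
		} else {
			fmt.Printf("%#08x -> (not in table)\n", h)
		}
	}
}
```

Because the table is built from the names on the defender's side, no execution of the sample is needed; the same table can be fed to a disassembler's renaming script to label the resolved call sites.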
The malware runs a series of anti-debugging checks before continuing. After these anti-analysis checks, the loader extracts the core module from the resource section of the DLL. The core module is scattered across multiple PNG files in the resource section. The loader searches each resource for a 4-byte string that appears to mark the beginning of the encrypted blob of the core component.
The core module is stored in two PNG images in the resource section. The data is first XOR-decoded, and the XORed data is then decrypted with AES using a 32-byte key. After the core module is decrypted, it is injected into a process; the target process varies between samples.
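The two-layer unpacking of the core module described in the previous two paragraphs (4-byte marker, XOR layer, AES with a 32-byte key), as an added example in Go; it is not the malware's code and not taken from the referenced analyses. The marker value `PKB!`, the repeating XOR key, AES-CBC with the IV stored in front of the ciphertext, PKCS#7 padding and the resource contents are all constructed assumptions; the page only gives the order marker, XOR, then AES-256. `BuildFixture` and `EncryptCBC` exist only so the example runs offline against data it builds itself.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Marker is a constructed stand-in for the 4-byte tag that precedes the
// encrypted blob in the resource; the real tag is not given on the page.
var Marker = []byte("PKB!")

// Constructed sample inputs: a fake core module with an MZ header, a short
// repeating XOR key (assumed layout) and a 32-byte key, i.e. AES-256 as stated.
var (
	SampleCore   = []byte("MZ\x90\x00constructed stand-in for the decrypted core module")
	SampleXORKey = []byte{0x5a, 0xa5, 0x3c}
	SampleAESKey = bytes.Repeat([]byte{0x11}, 32)
)

// xorBytes applies a repeating-key XOR; the same call encodes and decodes.
func xorBytes(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

func pkcs7Pad(data []byte, bs int) []byte {
	n := bs - len(data)%bs
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(data []byte, bs int) ([]byte, error) {
	if len(data) == 0 || len(data)%bs != 0 {
		return nil, errors.New("plaintext length is not a multiple of the block size")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > bs || n > len(data) || !bytes.Equal(data[len(data)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key or wrong layering")
	}
	return data[:len(data)-n], nil
}

// DecryptCBC assumes the layout iv || ciphertext (CBC is an assumption; the
// page only states AES with a 32-byte key) and returns the unpadded plaintext.
func DecryptCBC(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(blob) < 2*bs || len(blob)%bs != 0 {
		return nil, errors.New("ciphertext too short or not block-aligned")
	}
	pt := make([]byte, len(blob)-bs)
	cipher.NewCBCDecrypter(block, blob[:bs]).CryptBlocks(pt, blob[bs:])
	return pkcs7Unpad(pt, bs)
}

// EncryptCBC exists only to build the offline fixture; it mirrors DecryptCBC.
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...), nil
}

// ExtractCoreModule reverses the layering from the page: find the marker,
// XOR-decode what follows, AES-decrypt it, and sanity-check for an MZ header.
func ExtractCoreModule(resource, xorKey, aesKey []byte) ([]byte, error) {
	idx := bytes.Index(resource, Marker)
	if idx < 0 {
		return nil, errors.New("marker not found in resource data")
	}
	pe, err := DecryptCBC(aesKey, xorBytes(resource[idx+len(Marker):], xorKey))
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(pe, []byte("MZ")) {
		return nil, errors.New("decrypted data has no MZ header: wrong key or layering")
	}
	return pe, nil
}

// BuildFixture wraps the sample core the way the loader is assumed to store it:
// PNG-like junk, the marker, then XOR(AES-CBC(core)). Fixed IV for reproducibility.
func BuildFixture(core, xorKey, aesKey []byte) []byte {
	enc, err := EncryptCBC(aesKey, bytes.Repeat([]byte{0x42}, aes.BlockSize), core)
	if err != nil {
		panic(err)
	}
	junk := []byte("\x89PNG\r\n\x1a\nconstructed PNG-like prefix")
	return append(append(junk, Marker...), xorBytes(enc, xorKey)...)
}

func main() {
	resource := BuildFixture(SampleCore, SampleXORKey, SampleAESKey)
	core, err := ExtractCoreModule(resource, SampleXORKey, SampleAESKey)
	if err != nil {
		fmt.Println("extraction failed:", err)
		return
	}
	fmt.Printf("recovered %d bytes, header %q\n", len(core), core[:2])
}
```

The padding check and the MZ check are the two signals an analyst relies on when the XOR key or AES key pulled from the loader is wrong: either the last block fails to unpad or the result has no PE header, and the function reports which.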
The core module uses the same string-encryption method as the loader. The DLL contains a small number of functions and exports. DllRegisterServer contains a call to the sub_XXXXX function, which holds all the functionality of the core module. The same dynamic API-resolving function is used, but more DLLs are loaded to provide networking and other required functionality, e.g. Wininet.dll and Advapi32.dll.
MITRE ATT&CK Matrix
Initial Access –
Spearphishing Link
Execution –
Malicious Link
Persistence –
Registry Run Key / Startup Folder
Privilege Escalation –
Process Injection
Defense Evasion –
Deobfuscate/Decode File or Information
Credential Access –
N/A
Discovery –
System Information Discovery
Lateral Movement –
N/A
Collection –
Data From Local System
Command and Control –
Web Protocol
Application Layer Protocol
Exfiltration –
Exfiltration Over C2 Channel
Impact –
Data Transmitted over C2
IOCs –
2411b23bab7703e94897573f3758e1849fdc6f407ea1d1e5da20a4e07ecf3c09
59f42ecde152f78731e54ea27e761bba748c9309a6ad1c2fd17f0e8b90f8aed1
References –
https://d01a.github.io/pikabot/
https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot
Hi Users,
Please share your thoughts and feedback.