Pikabot Malware Resurfaces: Analysis Reveals Code Shifts and Evolving Tactics

Pikabot

Pikabot, a malware loader first observed in early 2023, has reemerged after a brief lull in activity, showcasing substantial transformations in its codebase and techniques. Security researchers at ThreatLabz continue their tracking of Pikabot’s development, unraveling a pattern of tactical adjustments and potentially new goals for the malware.

The latter half of 2023 witnessed a surge in its usage, a surge attributed to the aftermath of the FBI-led takedown of Qakbot, another infamous malware. With Qakbot out of the picture, Pikabot seized the opportunity to fill the void, emerging as the preferred tool for initial access among cyber criminals. However, Pikabot disappeared from the scene shortly after Christmas 2023, its version 1.1.19 marking its temporary hiatus.

Pikabot

Fast forward to February 2024, and Pikabot reemerged from the shadows, sporting significant changes in its code base and structure. Though it appeared to be in a new phase of development and testing, the core objective remained unchanged. As ThreatLabz continued its vigilant tracking, the latest variant of Pikabot, version 1.18.32, underwent thorough analysis to unveil its capabilities and alterations.

At its core, Pikabot is a two-component malware comprising a loader and a core module. The loader’s primary function is to decrypt and inject the core module, which then executes commands and injects payloads from a command-and-control server. To evade detection and analysis, Pikabot employs an arsenal of anti-analysis techniques, including string obfuscation, insertion of junk instructions, and anti-debug methods.

In its latest iteration, Pikabot has simplified its string obfuscation technique, opting for stack construction rather than complex encryption algorithms. Additionally, it continues to thwart analysis attempts through the insertion of junk code and the use of anti-debug measures such as reading the BeingDebugged flag from the Process Environment Block.

A notable feature of Pikabot is its language detection mechanism, which halts execution if the system’s language indicates Russian or Ukrainian origins. This strategic evasion tactic suggests a connection to Russian-speaking threat actors, potentially based in Ukraine or Russia, aiming to minimize the risk of law enforcement intervention in these regions.

Furthermore, Pikabot employs various anti-sandbox evasion methods, including the use of native Windows API calls, randomized code execution delays, and dynamic resolution of Windows API functions via API hashing. These tactics collectively enhance its stealth and resilience against security measures.

In its interaction with command-and-control servers, Pikabot has undergone significant protocol changes, opting for raw data transmission over JSON format. Despite recent inactivity, Pikabot remains a potent threat, continuously evolving while reducing the complexity of its code. However, certain features and network commands remain works in progress, hinting at future iterations and potential cyber threats.