Trend Micro’s Insight: Dissecting the Pikabot Malware Threat
In the ever-evolving landscape of cyber threats, a new name has emerged with a notorious reputation – Pikabot. This loader malware, actively employed in spam campaigns by the threat actor known as Water Curupira, represents a significant shift in the tactics of cybercriminals. Recently, security researchers from Trend Micro provided a technical analysis of this malware. The first quarter of 2023 witnessed the height of its activity, followed by a brief hiatus and a resurgence in September 2023. Interestingly, its rise coincided with the takedown of Qakbot, a similar malware, by law enforcement in August 2023, suggesting that Pikabot might be its replacement.
Sample email with a malicious ZIP attachment | Image: Trend Micro
Pikabot operates through two main components – a loader and a core module. These elements enable unauthorized remote access and the execution of arbitrary commands through a connection with a command-and-control (C&C) server. What makes Pikabot particularly sophisticated is its multi-stage nature, combining a loader and core module within a single file and utilizing decrypted shellcode to release another DLL file – the actual payload.
The operators behind Pikabot, Water Curupira, have conducted various campaigns for dropping backdoors like Cobalt Strike, which often lead to ransomware attacks, notably the Black Basta ransomware. Initially engaging in DarkGate and IcedID spam campaigns, the group has since pivoted exclusively to using Pikabot. This shift highlights the threat actor’s adaptive nature and willingness to employ the most effective tools available.
Pikabot primarily infiltrates systems through spam emails containing archives or PDF attachments. These emails mimic legitimate threads using thread-hijacking techniques, increasing the chances of tricking recipients into opening malicious links or attachments. The attachments, either password-protected archives containing an IMG file or a PDF, are engineered to deploy the Pikabot payload upon execution.
Once inside a system, Pikabot exhibits a complex infection process. It involves heavily obfuscated Java scripts, conditional execution commands, and multiple attempts to download the payload from external servers. The core module of Pikabot collects detailed system information, encrypts it, and forwards it to a C&C server. This stolen data is then potentially used for further malicious activities.
The resurgence of Pikabot, especially in the wake of Qakbot’s takedown, indicates a worrying trend in the cyber threat landscape. Its sophisticated design, effective phishing techniques, and potential link to ransomware attacks make it a formidable threat. Security experts and organizations must remain vigilant and proactive in their defense strategies to counteract these evolving cyber threats.
