Pikabot returns with new tricks up its sleeve
After a short hiatus, Pikabot is back, with significant updates to its capabilities and components and a new delivery campaign.
About the Pikabot loader
Pikabot is a loader – a type of malware whose primary function is to serve as a delivery mechanism for other malware. It first appeared in early 2023 and has been widely used by threat actors to deliver payloads such as Cobalt Strike or various ransomware.
After the disruption of the Quakbot botnet, Pikabot emerged as an alternative and became particularly active in the second half of 2023.
It was initially distributed via malspam and malvertising campaigns pushing apparently legitimate software such as AnyDesk, Slack and Zoom.
Its activity stopped in December 2023, possibly due to the recurrence of a new version of Qakbot. Now it has returned with significant modifications in its code base and components.
New functionalities
Researchers at Elastic Security Labs observed a new Pikabot campaign, starting on February 8, 2024, which leveraged phishing emails for initial access.
The emails included hyperlinks leading to ZIP archive files containing obfuscated Javascript. After being executed, it uses PowerShell to download and execute the Pikabot loader.
Pikabot execution flow. (Source: Elastic Security Labs)
Elastic Security Labs and Zscaler researchers have analyzed the Pikabot loader and pointed out several differences from previous versions of the malware:
- Simpler encryption algorithms with fewer in-line RC4 functions
- Anti-debugging methods to evade detection
- Bot configuration is in plaintext at runtime, JSON format has been removed
- AES is no longer used in network communications
“There are interesting design choices in this new update that we think are the start of a new codebase that will make further improvements over time. While the functionality is similar to previous builds, these new updates have likely broken signatures and previous tooling,” Elastic Security Labs researchers noted.