eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
Since October 2023, our Threat Response Unit (TRU) has observed multiple instances of the Pikabot malware affecting customers within the manufacturing and business services industries.
The initial infection stems from an email containing a link to download a ZIP archive, which in turn, contains an obfuscated JavaScript file responsible for infecting the device when executed by the user.
Upon cleaning up the JS file, we can see it creates directories “Epfijglsorg\\Ijfkmvofguv” under %SYSTEMDRIVE% (2), then attempts to retrieve the malicious .DAT file from URLs (1,2,5) via curl. Upon successful retrieval of the malicious file, it gets renamed to Wiflgodjvo.dll. The malicious DLL file then runs with rundll32.exe and an export name “Enter” (4) in Figure 1.
Figure 1: Cleaned-up JavaScript file
PikaBot is injected into the SearchProtocolHost.exe process via the process hollowing technique (T1055.012). The core payload of PikaBot contains the inline RC4 encryption for the strings. Upon decrypting the strings, we get base64-encoded strings, as shown in Figure 2.
The inline RC4 encryption in Pikabot is used to obfuscate its strings, making it more difficult for security researchers and automated detection systems to analyze and identify the malware's purpose and behavior.
Figure 2: Decrypted string view in x64dbg
The RC4-decrypted base64-encoded strings then go through another decryption layer with AES, as shown in Figure 3. The key and IV are encrypted with RC4.
Figure 3: AES decryption
For further analysis on Pikabot, please refer to research published by OALabs here
and here.
PikaBot uses API hashing (Figure 4) for only a few API calls; the rest are encrypted using the abovementioned method. The C2 is also encrypted with the same algorithm but uses a different set of an AES key and IV.
Here is the Python implementation of the hashing algorithm used:
def api_hashing(data, length):
v2 = 8387
if data and length:
for i in range(length):
v4 = data[i] & 0xFF
v5 = v4 + 32
if not 65 <= v4 <= 90:
v5 = v4
v2 = v5 + 5 * v2
return v2 & 0xFFFFFFFF
def calculate_and_print_hash(data_string):
data_bytes = data_string.encode()
hash_result = api_hashing(data_bytes, len(data_bytes))
value = hex(hash_result)
print(f"Hash result '{data_string}': {value}")
calculate_and_print_hash("LoadLibraryA")
calculate_and_print_hash("HeapFree")
calculate_and_print_hash("GetProcAddress")
Figure 4: Hashing algorithm
Upon successful infection, PikaBot gathers basic host information and sends it over to C2. The commands run on the host includes:
netstat.exe -aon
ipconfig.exe /all
whoami.exe /all
Example of some of the information gathered by PikaBot with placeholders:
For example, D2eHqm holds the Windows version, YvqsXd96s holds the username, Gk03HL holds the system name, KEIsAH
holds the processor information, J2pBsnnT holds display adapter information, vxcY4IafK holds the RAM size, CoV203qs holds the screen size, OLZpE2 holds the Pikabot ID (in our case it’s “1.1.19-gen”), 6oX3zxl likely holds the value of the TickCount.
The payload examines the language setting of the infected system, and if it detects that the system is set to Russian or Ukrainian, it refrains from executing any further code (Figure 5).
Figure 5: Language check
Pikabot creates the hardcoded mutex value “{C1E8A9B1-57F0-47B0-AB93-C739C6592C5F}” upon successful infection to avoid reinfecting the host.
Additional Insights
In one particular customer environment, we observed an unsuccessful attempt of a Pikabot infection via drive-by download. In this instance, the client searched for AnyDesk installer and stumbled across the malicious page anadesky.firstbasedso[.]com (Figure 6), from which they downloaded a malicious MSI installer that was signed by “The New Print Shop LTD”.
Jérôme Segura, the Senior Director of Threat Intelligence at Malwarebytes, also published an article on December 15, 2023, detailing how Pikabot leverages malicious ads for its distribution.
The use of phishing emails containing links to download malicious ZIP archives highlights the continued reliance on social engineering by attackers. It underscores the importance of educating users about the dangers of unsolicited emails and the need for caution when downloading attachments.
The payload's functionality to check the system's language setting and halt further execution if it detects Russian or Ukrainian suggests a targeted approach to infections. This tactic could be indicative of the origin or specific objectives of the attackers.
The creation of a hardcoded mutex by Pikabot to avoid reinfection illustrates a common malware technique to maintain a single instance in the system. Understanding such techniques can aid in developing more effective malware detection and removal strategies.
The observed instances where attackers impersonated legitimate software like AnyDesk, Slack, and Zoom for malware distribution via malicious ads and websites highlight the risk of trust exploitation. This calls for vigilance when downloading software and accessing web resources, even those that appear legitimate.
Recommendations from our Threat Response Unit (TRU):
Identify file types that are commonly associated with security risks, such as executable files (.exe, .bat, .cmd), script files (.js, .vbs, .ps1), and certain document types that support macros (.docm, .xlsm). Then select a file type that is inherently safer and does not support executable code or active content (i.e., a plain text format like .txt).
An effective PSAT program emphasizes building cyber resilience by increasing risk awareness, rather than trying to turn everyone into security experts.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
