The Rising Threat of Pikabot

BY eSentire Threat Response Unit (TRU)

January 10, 2024 | 6 MINS READ

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

Since October 2023, our Threat Response Unit (TRU) has observed multiple instances of the Pikabot malware affecting customers within the manufacturing and business services industries.

The initial infection stems from an email containing a link to download a ZIP archive, which in turn, contains an obfuscated JavaScript file responsible for infecting the device when executed by the user.

After cleaning up the JS file, we can see that it creates the directory path “Epfijglsorg\\Ijfkmvofguv” under %SYSTEMDRIVE% (2), then attempts to retrieve the malicious .DAT file from one of several URLs (1, 2, 5) via curl. Once the file is retrieved, it is renamed to Wiflgodjvo.dll. The malicious DLL is then executed with rundll32.exe via the export name “Enter” (4 in Figure 1).

Figure 1: Cleaned-up JavaScript file

PikaBot is injected into the SearchProtocolHost.exe process via the process hollowing technique (T1055.012). The core payload of PikaBot contains the inline RC4 encryption for the strings. Upon decrypting the strings, we get base64-encoded strings, as shown in Figure 2.

The inline RC4 encryption in Pikabot is used to obfuscate its strings, making it more difficult for security researchers and automated detection systems to analyze and identify the malware's purpose and behavior.

Figure 2: Decrypted string view in x64dbg

The RC4-decrypted base64-encoded strings then go through another decryption layer with AES, as shown in Figure 3. The key and IV are encrypted with RC4.

Figure 3: AES decryption

For further analysis on Pikabot, please refer to research published by OALabs here and here.

PikaBot uses API hashing (Figure 4) for only a few API calls; the remaining API names are encrypted using the method described above. The C2 address is also encrypted with the same algorithm, but with a different AES key and IV.

Here is the Python implementation of the hashing algorithm used:

def api_hashing(data, length):
    # Seed value of the hash state
    v2 = 8387
    if data and length:
        for i in range(length):
            v4 = data[i] & 0xFF
            # ASCII upper-case letters are folded to lower-case ('A' + 32 == 'a'),
            # so the hash is case-insensitive for A-Z
            v5 = v4 + 32
            if not 65 <= v4 <= 90:
                v5 = v4
            # One round: state = byte + 5 * state
            v2 = v5 + 5 * v2
    # Truncate to the 32-bit value the native code works with
    return v2 & 0xFFFFFFFF

def calculate_and_print_hash(data_string):
    data_bytes = data_string.encode()
    hash_result = api_hashing(data_bytes, len(data_bytes))
    value = hex(hash_result)
    print(f"Hash result '{data_string}': {value}")

calculate_and_print_hash("LoadLibraryA")
calculate_and_print_hash("HeapFree")
calculate_and_print_hash("GetProcAddress")
Figure 4: Hashing algorithm
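As an added example (not code from the original post), the following reproduces the Figure 4 algorithm and turns it into a resolver: it pre-computes the hash for a constructed sample of kernel32 export names, flags any collisions, and maps a hash recovered from a sample back to a name. It also makes the case-insensitivity of the hash explicit, which matters when building such a table.

```python
# Added example, not from the original post: PikaBot-style API hash resolver.
# The export names below are a small constructed sample, not a list from the malware.
from typing import Dict, Iterable, Optional

SEED = 8387        # initial hash state, as in the Figure 4 algorithm
MULTIPLIER = 5


def api_hash(name: bytes) -> int:
    """Hash an export name exactly as the Figure 4 routine does.

    ASCII 'A'..'Z' are folded to 'a'..'z' before each round, so the
    result is the same for any upper/lower-case spelling of A-Z.
    """
    h = SEED
    for b in name:
        if 65 <= b <= 90:          # 'A'..'Z' -> 'a'..'z'
            b += 32
        # Masking each round is equivalent to masking once at the end,
        # since the state only goes through addition and multiplication.
        h = (b + MULTIPLIER * h) & 0xFFFFFFFF
    return h


# Constructed sample of common kernel32 exports an analyst might pre-hash.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "HeapFree", "HeapAlloc",
    "VirtualAlloc", "CreateMutexW", "GetTickCount",
]


def build_table(names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> export name, refusing to build a table that would resolve ambiguously."""
    table: Dict[int, str] = {}
    for n in names:
        h = api_hash(n.encode("ascii"))
        if h in table and table[h] != n:
            raise ValueError(f"collision: {table[h]} and {n} both hash to {h:#010x}")
        table[h] = n
    return table


def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    """Look up a 32-bit hash pulled from a sample; None if it is not in the table."""
    return table.get(h & 0xFFFFFFFF)


if __name__ == "__main__":
    table = build_table(SAMPLE_EXPORTS)
    for h, n in sorted(table.items()):
        print(f"{h:#010x}  {n}")
    print(resolve(api_hash(b"GetProcAddress"), table))
```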

Upon successful infection, PikaBot gathers basic host information and sends it to the C2. The commands run on the host include:

Example of some of the information gathered by PikaBot with placeholders:

{"29sogk11": "%s", "8MYMnroOE": "%s", "D2eHqm": "Win %d.%d %d", "Svr0U": %s, "YvqsXd96s": "%s", "Gk03HL": "%s", "KEIsAH": "%s", "6oX3zxl": %d, "J2pBsnnT": "%s", "vxcY4IafK": %d, "CoV203qs": "%s", "OLZpE2": "%s", "9NMqowk9": "%s", "TnyWDGp46": "%s", "yrjOT": "%s", "jcjIbRIYD": %d, "XPQG7Z5l": %d}

For example, D2eHqm holds the Windows version, YvqsXd96s holds the username, Gk03HL holds the system name, KEIsAH holds the processor information, J2pBsnnT holds display adapter information, vxcY4IafK holds the RAM size, CoV203qs holds the screen size, OLZpE2 holds the Pikabot ID (in our case it’s “1.1.19-gen”), 6oX3zxl likely holds the value of the TickCount.

The payload examines the language setting of the infected system, and if it detects that the system is set to Russian or Ukrainian, it refrains from executing any further code (Figure 5).

Figure 5: Language check

Pikabot creates the hardcoded mutex value “{C1E8A9B1-57F0-47B0-AB93-C739C6592C5F}” upon successful infection to avoid reinfecting the host.

Additional Insights

In one particular customer environment, we observed an unsuccessful Pikabot infection attempt via drive-by download. In this instance, the client searched for the AnyDesk installer and landed on the malicious page anadesky.firstbasedso[.]com (Figure 6), from which they downloaded a malicious MSI installer signed by “The New Print Shop LTD”.

Jérôme Segura, the Senior Director of Threat Intelligence at Malwarebytes, also published an article on December 15, 2023, detailing how Pikabot leverages malicious ads for its distribution.

Figure 6: Malicious fake AnyDesk page serving PikaBot payload

Pivoting with VirusTotal, we found another two domains impersonating Slack and Zoom, as shown in Figures 7-9.

Figure 7: Malicious domains impersonating Slack and Zoom
Figure 8: Malicious page impersonating Zoom
Figure 9: Malicious page impersonating Slack

What did we do?

Using eSentire MDR for Endpoint, our team of 24/7 SOC Cyber Analysts isolated the affected host, contained the threat, and notified the customer of suspicious activities.

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU):

Detection Rules and Indicators of Compromise

References
