Pikabot
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.001 | Account Discovery: Local Account | Pikabot will retrieve the name of the user associated with the thread under which the malware is executing.(Citation: Elastic Pikabot 2024)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Pikabot maintains persistence, after its system checks pass, through the Run key in the registry.(Citation: Zscaler Pikabot 2023)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Pikabot can execute Windows shell commands via
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Pikabot uses base64 encoding in conjunction with symmetric encryption mechanisms to obfuscate command and control communications.(Citation: Zscaler Pikabot 2023)(Citation: Elastic Pikabot 2024)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Earlier Pikabot variants use a custom encryption procedure leveraging multiple mechanisms, including AES with multiple rounds of base64 encoding, for their command and control communication.(Citation: Zscaler Pikabot 2023) Later Pikabot variants eliminate the use of AES and instead use RC4 encryption for transmitted information.(Citation: Elastic Pikabot 2024)
Enterprise | T1480.001 | Execution Guardrails: Environmental Keying | Pikabot stops execution if the infected system language matches one of several languages, with various versions referencing Georgian, Kazakh, Uzbek, Tajik, Russian, Ukrainian, Belarusian, and Slovenian.(Citation: Zscaler Pikabot 2023)(Citation: Elastic Pikabot 2024)
Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | Pikabot loads a set of PNG images stored in the malware's resources section (RCDATA), each with an encrypted section containing portions of the Pikabot core module. These sections are loaded and decrypted using a bitwise XOR operation with a hardcoded 32-bit key.(Citation: Zscaler Pikabot 2023)
Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | Pikabot further decrypts information embedded via steganography using AES-CBC with the same 32-bit key as the initial XOR operations, combined with the first 16 bytes of the encrypted data as an initialization vector.(Citation: Zscaler Pikabot 2023) Other Pikabot variants include encrypted, chunked sections of the stage 2 payload in the initial loader.
Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | Some versions of Pikabot build the final PE payload in memory to avoid writing contents to disk on the executing machine.(Citation: Elastic Pikabot 2024)
Enterprise | T1055.002 | Process Injection: Portable Executable Injection | Pikabot, following payload decryption, creates a hard-coded process (e.g., WerFault.exe) and injects the decrypted core modules into it.(Citation: Zscaler Pikabot 2023)
Enterprise | T1055.003 | Process Injection: Thread Execution Hijacking | Pikabot can create a suspended instance of a legitimate process (e.g., ctfmon.exe), allocate memory within the suspended process for Pikabot's core module, then redirect execution flow via the `SetThreadContext` API so that when the thread resumes the Pikabot core module is executed.(Citation: Elastic Pikabot 2024)
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Pikabot performs a variety of system checks to determine if it is running in an analysis environment or sandbox, such as checking the number of processors (must be greater than two) and the amount of RAM (must be greater than 2 GB).(Citation: Elastic Pikabot 2024)
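The T1027.003, T1132.001 and T1573.001 rows above describe three decoding layers an analyst has to peel back when triaging a sample: resource sections XORed with a hardcoded 32-bit key, and C2 traffic wrapped in base64 over a symmetric cipher (RC4 in later variants). The script below is an added example written for this page; it is not Pikabot code and not taken from the cited reports. The key values, the little-endian layout of the 4-byte XOR key, the RC4 key and the base64-then-RC4 ordering are all assumptions chosen for illustration; in a real investigation they are recovered from the analysed binary. The sample "resource chunks" and C2 message are constructed inline so the script runs offline, and a small PE-header sanity check shows how to confirm a decrypted chunk actually yields an executable image.

```python
"""Analyst-side decoder for the layered encodings described in the Pikabot technique table.

Added example, not Pikabot's code and not code from the cited reports. The key
values, the little-endian 32-bit XOR layout, the RC4 key and the
"base64-then-RC4" ordering are assumptions for illustration only.
"""
import base64
import struct

XOR_KEY_32 = 0x5A17C0DE          # constructed placeholder, not a real Pikabot key
C2_RC4_KEY = b"example-rc4-key"  # constructed placeholder, not a real Pikabot key


def xor32(data: bytes, key: int) -> bytes:
    """XOR data with a repeating 4-byte key (assumed little-endian). XOR is its own inverse."""
    key_bytes = key.to_bytes(4, "little")
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_c2_message(blob: str, key: bytes) -> bytes:
    """Reverse the assumed C2 wrapping: base64 on the wire, RC4 underneath."""
    return rc4(key, base64.b64decode(blob))


def encode_c2_message(plain: bytes, key: bytes) -> str:
    """Inverse of decode_c2_message; used here only to construct sample traffic."""
    return base64.b64encode(rc4(key, plain)).decode("ascii")


def looks_like_pe(data: bytes) -> bool:
    """Sanity check for a decrypted chunk: MZ header and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decrypt_resource_chunks(chunks, key: int) -> bytes:
    """Decrypt each extracted resource section with the 32-bit XOR key and concatenate them."""
    return b"".join(xor32(chunk, key) for chunk in chunks)


def build_fake_pe_stub() -> bytes:
    """Constructed minimal stand-in for a core module: MZ header, e_lfanew = 0x40, then PE\\0\\0."""
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 12


def demo() -> bool:
    """Round-trip the constructed sample through both decoding layers."""
    stub = build_fake_pe_stub()
    # Split the stand-in payload into two "resource sections" and encrypt them as a sample would.
    encrypted_chunks = [xor32(stub[:40], XOR_KEY_32), xor32(stub[40:], XOR_KEY_32)]
    recovered = decrypt_resource_chunks(encrypted_chunks, XOR_KEY_32)
    wire = encode_c2_message(b'{"cmd":"ping"}', C2_RC4_KEY)   # constructed C2 message
    decoded = decode_c2_message(wire, C2_RC4_KEY)
    return recovered == stub and looks_like_pe(recovered) and decoded == b'{"cmd":"ping"}'


if __name__ == "__main__":
    print("round trip ok" if demo() else "round trip FAILED")
```

When applied to a real sample, the chunks passed to `decrypt_resource_chunks` would be carved from the RCDATA resources and the key and byte order adjusted to what the loader's decryption routine actually does; the `looks_like_pe` check is the quick way to tell whether the guessed key and layout were right. The AES-CBC stage from the T1027.009 row is deliberately not implemented here, as it needs a third-party cipher library.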
Groups That Use This Software

ID | Name | References
---|---|---
G1037 | TA577 | (Citation: Latrodectus APR 2024)(Citation: Elastic Pikabot 2024)(Citation: Zscaler Pikabot 2024)(Citation: TrendMicro Pikabot 2024)
References
- Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
- Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
- Swachchhanda Shrawan Poudel. (2024, February). Pikabot: A Sophisticated and Modular Backdoor Trojan with Advanced Evasion Techniques. Retrieved July 12, 2024.
- Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024.
- Nikolaos Pantazopoulos. (2024, February 12). The (D)Evolution of Pikabot. Retrieved July 17, 2024.
- Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024.