Flashpoint analysts have been observing a steady emergence of PikaBot, as well as a continuous modification of its attack chain, where the threat actors behind the malware are using various formats of the initial installer file to target victims.
Our analysts reviewed and validated six different infection methods of the PikaBot attack chain identified by security researchers:
First discovered in February 2023, PikaBot is a modular malware trojan that consists of a loader and a core module. Sharing many similarities with the Qakbot trojan, PikaBot uses a diverse array of sophisticated infection methodologies and is typically delivered through phishing emails and malicious search advertisements. However, the initial payload is delivered to its victims in various formats.
As earlier versions of PikaBot faced detection, Flashpoint analysts reviewed highly evasive iterations. PikaBot infections have facilitated the dissemination of post-exploitation tools such as Cobalt Strike and ransomware deployments.
In some cases, Flashpoint found that victims are delivered a PDF lure, which prompts the user to download a document:
In some variations, victims are directed to a malicious URL that prompts visitors to download an archive with an installation file. In other cases, lures impersonate Microsoft OneDrive—this specific variation was also repurposed in last year’s resurgence of Qakbot.
However, instead of the intended document, victims typically download an archive from the URL linked in the PDF lure, which includes the PikaBot installation file. In most cases, the installation file is a JavaScript dropper.
Heavily obfuscated, the JavaScript’s purpose is to execute the first stage of the PikaBot loader with the “curl” utility from a malicious URL. The obfuscation of these JavaScript droppers are consistently updated to evade detection.
In recently observed PikaBot campaigns, the installer file was delivered through the Windows installer file format “.msi.” Again, the file retrieves the first stage of the PikaBot loader from a C2 address and executes the payload from the user’s “\AppData\Local\Temp\” folder. Recent Qakbot infections have also leveraged a .msi installer that executes a .dll loader.
PikaBot phishing lures also employ the HTML smuggling technique, in which malicious code is executed when an HTML attachment to a phishing email is downloaded and executed.
Included within the HTML attachment is malicious JavaScript code that executes upon users opening the attachment, downloading the installation file to a victim’s machine.
In other related email campaigns, the malware also includes lures within the body of the email, enticing victims to visit a URL and download an archive directly. In some cases, the installer file is delivered in the form of an “.LNK” file with an icon that masquerades as a legitimate PDF file.
Within the LNK file are execution instructions for the first stage of the PikaBot loader. For this specific instance, the malware takes specific measures to bypass application whitelisting.
PikaBot has also been observed by Flashpoint to have been delivered through HTML application “.HTA” files and can behave similarly to a normal executable when double-clicked.
In this case, the file reaches out to a malicious URL and provides another abstraction layer before the installation file reaches the asset.
The malware has also been seen to leverage Windows Script Files, a file type that can include JScript or Visual Basic code as the installer. This method, with a similar PDF lure was also seen in Qakbot campaigns last April.
Installation files also leverage “.XLL,” an extension for Microsoft Excel add-ins. These files leverage an open source framework to load a “.NET” assembly with the resources directly to memory. In this case, the XLL file is executed, drops a visual basic script file in the user’s Public folder, and then leverages curl.exe to retrieve the first stage of the PikaBot loader.
Each of the installation files simply retrieves and executes the first stage of the PikaBot loader, which is always delivered in the form of a Dynamic Link Library (DLL). In the initial version of the malware, the DLL established persistence through a registry run key and a scheduled task. The scheduled task executed shellcode to download and execute the second stage and core module of the malware, which is injected into legitimate Windows binaries.
In its updated versions, PikaBot includes improved anti-analysis techniques. The loader payload is delivered to the victim packed and is unpacked upon execution. However, the malware now leverages a technique in which instructions are executed in memory by the native Windows API, in an attempt to evade endpoint detection and response systems. This differs from the previous version, which injects the code module into different legitimate Windows binaries. The core module is built to mimic a legitimate version of the binary, including legitimate strings.
Once the code module is loaded onto a host, the malware collects operating system and domain information and exfiltrates the data. The malware includes capabilities to execute arbitrary commands, download additional payloads, and inject shellcode into a target process.
PikaBot malware is steadily emerging to become a larger part of the threat landscape—given its constant updates and persistence after the resurgence of Qakbot.
Flashpoint recommends the following to avoid infection:
The threat landscape is constantly evolving. Leveraging Flashpoint data and intelligence, organizations are empowered to strengthen their defenses and protect digital assets. Get a demo and see how best-in-class data enables better risk decisions.