PikaBot reemerges with streamlined code and deceptive tactics


The threat actors behind the PikaBot malware have made significant changes to the malware in what has been described as a case of "devolution": the code has become simpler rather than more sophisticated.

"Although it appears to be in a new development cycle and testing phase, the developers have reduced the complexity of the code by removing advanced obfuscation techniques and changing network communications," said Zscaler ThreatLabz researcher Nikolaos Pantazopoulos.

First documented by the cybersecurity firm in May 2023, PikaBot is a malware loader and backdoor that can execute commands received from a command-and-control (C2) server, inject payloads delivered by it, and allow the attacker to control the infected host.

It is also known to halt execution if the system language is Russian or Ukrainian, a common guard in malware from that region that suggests the operators are based in Russia or Ukraine.

In recent months, both PikaBot and another loader called DarkGate have emerged as attractive replacements for threat actors like Water Curupira (aka TA577) to gain initial access to target networks via phishing campaigns and drop Cobalt Strike.

Zscaler's analysis of a new version of PikaBot (version 1.18.32), spotted this month, shows that it still relies on obfuscation to resist analysis, albeit with simpler encryption algorithms and junk code inserted between valid instructions.

Another notable change in the latest iteration is that the entire bot configuration, which is similar in layout to QakBot's, is stored in plaintext in a single memory block, instead of each element being encrypted separately and decrypted at runtime.

A third change concerns communications with the C2 server: the developers have modified both the command IDs and the encryption algorithm used to protect the traffic, so existing network signatures and decryptors built for the earlier version will need updating.

“Despite its recent inactivity, PikaBot remains a significant cyber threat and is constantly evolving,” the researchers concluded.

“However, the developers have decided to take a different approach and reduce the complexity level of the PikaBot code by removing advanced obfuscation features.”

The development comes as Proofpoint warned of an ongoing cloud account takeover (ATO) campaign that has targeted dozens of Microsoft Azure environments and compromised hundreds of user accounts, including those of senior executives.

The activity, which has been ongoing since November 2023, targets users with individualized phishing lures: documents containing links to malicious web pages that harvest credentials. The stolen accounts are then used for follow-on data exfiltration, internal and external phishing, and financial fraud.
