PikaBot is a sophisticated multi-stage loader used by Initial Access Brokers since February 2023 to gain a foothold in networks and deploy payloads such as Cobalt Strike and Meterpreter. The report details anti-analysis techniques, evolving C2 infrastructure, and large-scale distribution campaigns driven by TA577, including phishing and malvertising. #PikaBot #TA577
Keypoints
- PikaBot acts as a loader used by Initial Access Brokers to establish initial access and disseminate follow-on payloads.
- TA577 led large-scale distribution campaigns via phishing (thread-hijacked emails with attachments) and malvertising, employing numerous infection chains.
- The malware architecture is multi-stage, with Stage 1 unpacking in memory, Stage 2 obfuscation/anti-analysis, and Stage 3 loading the final core in memory or via host processes.
- PikaBot uses advanced anti-analysis techniques, including environment checks, anti-debugging, string and code obfuscation, junk code, and RC4/base64-based chunk decryption.
- Its C2 infrastructure features HTTP POST communications, RC4 encryption of payloads, non-standard ports, and TLS certificate patterns (including Slack impersonation) and a distinctive JARM fingerprint.
- Since 2023, Sekoia.io has tracked over 360 unique PikaBot C2 IPs, with the infrastructure evolving alongside large campaigns, and some reports linking PikaBot infections to Black Basta deployments.
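The keypoints above mention that PikaBot protects its strings with RC4-encrypted, base64-encoded chunks. The helper below is an added example (not code from the Sekoia.io report or from the malware) of the routine an analyst writes to recover such strings once the key is known: a plain RC4 implementation plus a chunk decoder. The chunk layout (base64 text wrapping raw RC4 ciphertext), the key and the sample strings are assumptions constructed for this example; the real sample's layout must be taken from disassembly.

```python
import base64


def rc4_keystream(key: bytes):
    """Yield the RC4 keystream for `key` (key scheduling, then the PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA: permute the state with the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:  # PRGA: emit one keystream byte per call
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call both encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decrypt_chunks(key: bytes, chunks):
    """Base64-decode each chunk and RC4-decrypt it.

    The layout (base64 text wrapping RC4 ciphertext) is an assumption of this
    example, not a statement about any particular PikaBot build.
    """
    return [rc4_crypt(key, base64.b64decode(chunk)) for chunk in chunks]


def encrypt_chunks(key: bytes, strings):
    """Inverse of decrypt_chunks; used only to build the constructed sample."""
    return [base64.b64encode(rc4_crypt(key, s)).decode("ascii") for s in strings]


# Constructed sample data: key and strings invented for this example.
SAMPLE_KEY = b"example-key"
SAMPLE_STRINGS = [b"kernel32.dll", b"VirtualAlloc", b"CreateToolhelp32Snapshot"]
SAMPLE_CHUNKS = encrypt_chunks(SAMPLE_KEY, SAMPLE_STRINGS)

if __name__ == "__main__":
    for chunk, plain in zip(SAMPLE_CHUNKS, decrypt_chunks(SAMPLE_KEY, SAMPLE_CHUNKS)):
        print(f"{chunk} -> {plain!r}")
```

`rc4_crypt` can be checked against the standard RC4 test vectors (for example, key `Key` and plaintext `Plaintext` give ciphertext `BBF316E8D940AF0AD3`) before it is pointed at real chunks extracted from a sample.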
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – "In February 2023, PikaBot was first observed being distributed through a thread-hijacking phishing campaign by the IAB group TA577. The infection chain involved a OneNote file attached to a thread-hijacked email, which ran a CMD script to download and execute a PikaBot DLL."
- [T1071.001] Application Layer Protocol: Web Protocols – The malware communicates with its command-and-control (C2) server over HTTP using raw data in the body of POST requests.
- [T1573.001] Encrypted Channel: Symmetric Cryptography – The data is RC4 encrypted, and the key used for communication is sent to the C2 server in a request with the following format: …
- [T1571] Non-Standard Port – "exposed to IP addresses, primarily on non-standard ports (e.g. 1194, 2078, 2083 or 2222)."
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – PikaBot attempts to detect an attached debugger by reading the debug registers…
- [T1140] Deobfuscate/Decode Files or Information – The initial stage is a PE unpacker, and the subsequent stages are deobfuscated using XOR operations.
- [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – "the malware uses dynamic API imports"
- [T1622] Debugger Evasion – Anti-debugging techniques are described throughout the stages.
- [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion – Time-based evasion is noted as part of the anti-analysis techniques.
- [T1057] Process Discovery – The malware captures a snapshot of the running processes…
- [T1614.001] System Location Discovery: System Language Discovery – The malware checks the system language and filters certain locales (Ukraine and Russia).
- [T1083] File and Directory Discovery – Noted in the context of file/PE handling and staged loading, including in-memory reconstruction of PE sections.
- [T1055.002] Process Injection: Portable Executable Injection – The second stage loads and injects into a host process to run the final stage.
- [T1055.003] Process Injection: Thread Execution Hijacking – Used to execute the final stage via a hijacked thread.
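The T1071.001 and T1571 entries above describe the network side of PikaBot: raw HTTP POST bodies sent to C2 servers exposed as bare IP addresses, mostly on non-standard ports. The script below is an added example (not the report's or Sekoia.io's tooling) of how that behaviour can be hunted for in web proxy logs. It flags three signals: a destination matching the report's published C2 IP:port pairs, a POST to one of the non-standard ports the report lists, and the weaker signal of a POST to an IP-literal host. The log format and every log line are constructed for this example; the IoC values and port numbers come from this page.

```python
import re

# Values taken from the report's IoC list and its non-standard port examples.
KNOWN_C2 = {("172.234.250.178", 2222), ("20.67.206.46", 443)}
NONSTANDARD_PORTS = {1194, 2078, 2083, 2222}
DEFAULT_PORT = {"http": 80, "https": 443}

# Assumed proxy log layout (constructed): timestamp client method url status bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?:/\S*)?\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_line(line: str):
    """Parse one proxy log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"]) if rec["port"] else DEFAULT_PORT[rec["scheme"]]
    return rec


def classify(rec) -> list:
    """Return the list of reasons this request looks like PikaBot C2 traffic."""
    reasons = []
    if (rec["host"], rec["port"]) in KNOWN_C2:
        reasons.append("known_pikabot_c2")            # exact IoC match
    if rec["method"] == "POST" and rec["port"] in NONSTANDARD_PORTS:
        reasons.append("post_to_nonstandard_port")    # T1571 + T1071.001 pattern
    if rec["method"] == "POST" and IPV4_RE.fullmatch(rec["host"]):
        reasons.append("post_to_ip_literal")          # low-fidelity hunting signal
    return reasons


def scan(lines):
    """Run classify() over every parseable line; return (ts, client, dest, reasons)."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["ts"], rec["client"], f'{rec["host"]}:{rec["port"]}', reasons))
    return alerts


# Constructed sample log lines for this example (203.0.113.0/24 is documentation space).
SAMPLE_LOG = [
    "2024-01-15T10:00:01Z 10.0.0.5 POST http://172.234.250.178:2222/ 200 512",
    "2024-01-15T10:00:02Z 10.0.0.5 POST https://20.67.206.46:443/ 200 140",
    "2024-01-15T10:00:03Z 10.0.0.6 GET https://www.example.com/ 200 3400",
    "2024-01-15T10:00:04Z 10.0.0.7 POST http://203.0.113.9:2083/ 200 256",
    "2024-01-15T10:00:05Z 10.0.0.8 POST https://www.example.com/api 200 90",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The `post_to_ip_literal` reason will fire on benign traffic in most environments, so in practice it is a triage enrichment rather than an alert on its own; the other two reasons are what a detection rule would page on, and the `KNOWN_C2` set should be refreshed from the current C2 tracking rather than from a single report.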
Indicators of Compromise
- [IP Address] PikaBot C2 servers – 172.234.250.178:2222, 20.67.206.46:443
- [File Hash] PikaBot sample SHA-1 – 959da0fb174a8e4db238d08a3f5076a2f43c0f25
- [File Name] Delivery artifacts – PERFERENDISF.zip, hBHGHjbH.class
Read more: https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/