Pikabot Malware: Battling a Fast-Moving Loader Malware in the Wild | Darktrace Blog

Darktrace investigated multiple Pikabot loader campaigns in 2023 that used malspam, cURL/PowerShell downloads, and rapid C2 communications to enable multi-stage intrusions leading to Cobalt Strike and Black Basta activity. Fast network detection (DETECT) and SOC-assisted containment prevented escalation in an October incident. #Pikabot #TA577

Keypoints

  • Pikabot is a modular loader active in 2023, used for initial access and often followed by Cobalt Strike and Black Basta deployments.
  • Distribution vectors include malspam, email thread hijacking, and malvertising; initial downloads used PowerShell historically and shifted to cURL from October 2023.
  • The loader employs anti-analysis checks (including system language checks that abort on CIS languages) and masquerades executables to evade detection.
  • Observed lifecycle: rare external EXE download → immediate C2 connections to uncommon ports → DNS tunneling/Beaconing resembling Cobalt Strike → secondary payloads/C2 for Cobalt Strike/Black Basta.
  • Key network indicators included unusual user agents (cURL/PowerShell), connections to rare IPs on uncommon ports (e.g., 5000, 5938, 1194, 2078), and newly registered domains used for DNS beacons.
  • Darktrace DETECT models and Microsoft Defender integration provided network and host-level context; RESPOND actions (if autonomous) could have blocked C2 and file downloads automatically.

MITRE Techniques

  • [T1036.008] Masquerading – Used to disguise the downloaded executable as a different file type: [‘the executable file was attempting to masquerade as a different file type, likely to evade the detection of security teams and their security tools.’]
  • [T1071.001] Application Layer Protocol: Web Protocols – Initial payload retrieval via web protocols using PowerShell or cURL: [‘suspicious executable download from a URI … and using a Windows PowerShell user agent’ / ‘All the Pikabot cases … have used cURL’]
  • [T1571] Non-Standard Port – C2 communications observed over uncommon ports (e.g., 1194, 2078, 5000, 5938): [‘C2 connections to IP addresses on uncommon ports including 1194 and 2078’]
  • [T1071.004] Application Layer Protocol: DNS – C2 and beaconing via DNS, including DNS TXT requests for tunneling and Beacon-like query patterns: [‘performing suspicious DNS tunneling using a pattern that resembled the Cobalt Strike Beacon.’]
  • [T1572] Protocol Tunneling – Use of DNS TXT records for tunneling/Beaconing to exfiltrate or communicate with C2: [‘device performing suspicious DNS tunneling … accompanied by beaconing activity to a rare domain’]

Indicators of Compromise

  • [IP Address] Pikabot download/C2 – 128.140.102[.]132 (download), 185.106.94[.]174:5000 (C2), and 18 more related IPs listed in the report
  • [IP Address:Port] C2 endpoints observed – 185.106.94[.]174:5000, 80.85.140[.]152:5938 (both noted as Pikabot C2)
  • [Domain] DNS beacon/Cobalt Strike – wordstt182[.]com (newly registered domain linked to Beacon-like DNS tunneling), building4business[.]net (linked to Black Basta activity)
  • [User Agent / File] Initial download context – cURL user agent for .exe retrieval (shift from PowerShell), and masqueraded .exe filenames attempting to evade detection

Pikabot infections typically begin with a user-triggered download (malspam, email thread hijack, or malvertising). The payload performs anti-analysis checks (including aborting on CIS-language systems), enumerates host details, and contacts C2 infrastructure. Early campaigns used PowerShell-based web retrieval and a PowerShell user agent; from October 2023 observed cases shifted to cURL-based downloads with a cURL user agent, suggesting cross-platform targeting. Downloaded executables were often masqueraded as benign file types to bypass detection.

Following download, infected hosts rapidly initiated outbound connections to rare IPs on uncommon ports (examples observed: 1194, 2078, 5000, 5938), contacting multiple C2 endpoints within minutes. DNS-based communication and tunneling were observed ~40 minutes post-download, using TXT records and domain names (e.g., wordstt182[.]com, building4business[.]net) consistent with Cobalt Strike Beacon behavior and protocol tunneling for command-and-control. Secondary payloads and Cobalt Strike activity were noted in several cases.

Network detection models that flag anomalous new user agents, rare external EXE downloads, masqueraded file transfers, uncommon ports, and DNS tunneling are effective at identifying Pikabot stages. Correlating network telemetry with endpoint signals (e.g., Microsoft Defender alerts linking to TA577/Storm-0464) allowed rapid isolation of compromised devices. Automated response capability to block observed C2 addresses, uncommon ports, and suspicious downloads would prevent progression from loader to secondary payloads such as Cobalt Strike or Black Basta deployments.
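The staged correlation described above (loader-style user agent fetching an executable, then connections to uncommon ports, then repeated DNS TXT queries to one domain) can be expressed as a simple rule over per-host telemetry. The following is an added illustration, not Darktrace's detection logic: the log line format, the hosts, the TEST-NET addresses and the TXT-query threshold are all constructed for the example; only the port list comes from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report): host 10.1.4.21 walks through the
# stages described above; host 10.1.4.30 is benign browsing. Addresses are TEST-NET ranges.
EVENTS = [
    "2023-10-12T09:00:05 10.1.4.21 http GET 203.0.113.10:80 /img/photo.exe ua=curl/8.0.1",
    "2023-10-12T09:01:10 10.1.4.21 conn 198.51.100.7:5000",
    "2023-10-12T09:02:30 10.1.4.21 conn 198.51.100.8:5938",
    "2023-10-12T09:41:00 10.1.4.21 dns TXT a1b2c3.example-beacon.test",
    "2023-10-12T09:42:00 10.1.4.21 dns TXT d4e5f6.example-beacon.test",
    "2023-10-12T09:43:00 10.1.4.21 dns TXT 778899.example-beacon.test",
    "2023-10-12T09:05:00 10.1.4.30 http GET 203.0.113.50:443 /index.html ua=Mozilla/5.0",
    "2023-10-12T09:06:00 10.1.4.30 conn 203.0.113.50:443",
]

LOADER_UA = re.compile(r"(curl/|WindowsPowerShell)", re.I)  # user agents noted in the report
UNCOMMON_PORTS = {1194, 2078, 5000, 5938}                    # C2 ports observed in the report
DNS_TXT_THRESHOLD = 3  # constructed: TXT queries to one registered domain before flagging

def parse(line):
    ts, host, kind, rest = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, kind, rest

def stage_hosts(events, window=timedelta(minutes=60)):
    """Return {host: [stages in time order]} for hosts with >=2 stages within `window`
    of the first observed stage; a single stage alone is not reported."""
    per_host = defaultdict(list)
    for line in events:
        ev = parse(line)
        per_host[ev[1]].append(ev)
    findings = {}
    for host, evs in per_host.items():
        stages, txt_by_domain = {}, defaultdict(int)
        for ts, _, kind, rest in sorted(evs):
            if kind == "http":
                _method, _target, uri, ua = rest.split(" ", 3)
                if uri.lower().endswith(".exe") and LOADER_UA.search(ua):
                    stages.setdefault("exe_download_loader_ua", ts)
            elif kind == "conn" and int(rest.rsplit(":", 1)[1]) in UNCOMMON_PORTS:
                stages.setdefault("c2_uncommon_port", ts)
            elif kind == "dns" and rest.startswith("TXT "):
                domain = ".".join(rest.split()[1].split(".")[-2:])  # registered domain
                txt_by_domain[domain] += 1
                if txt_by_domain[domain] >= DNS_TXT_THRESHOLD:
                    stages.setdefault("dns_txt_tunneling", ts)
        ordered = sorted(stages.items(), key=lambda kv: kv[1])
        hit = [s for s, t in ordered if t - ordered[0][1] <= window]
        if len(hit) >= 2:
            findings[host] = hit
    return findings
```

Narrowing `window` shows why the correlation matters: the DNS stage arrives ~40 minutes after the download, so a short window still catches the download-plus-C2 pair but drops the later tunneling stage.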

Read more: https://darktrace.com/blog/pikabot-malware-battling-a-fast-moving-loader-malware-in-the-wild