Keypoints
- Pikabot encrypts individual strings (including C2 addresses) and decrypts them only when needed, rather than all at once.
- The string deobfuscation chain is: per-string RC4 -> replace ‘_’ with ‘=’ -> Base64 decode -> AES-CBC decrypt (with a sample-wide AES key/IV).
- Some strings are RC4-only; earlier versions used an AES-CBC+RC4 combination, and the implementation resembles ADVobfuscator.
- Zscaler ThreatLabz used IDA’s microcode to simplify stack reconstruction and automated extraction of encrypted arrays, sizes, RC4 keys, and AES key/IV with a plugin.
- Extraction heuristics include scanning functions of a specific size range, looking for RC4 patterns and Base64 marker values (0x3D and 0x5F) in microcode opcodes, and validating decrypted outputs for readability and expected length.
- RC4 key discovery is achieved by attempting decryption with all strings from a function and validating results to avoid false positives.
- The IDA plugin (tested on IDA 8+) annotates decrypted strings in the decompiled output and the source code is available on GitHub.
MITRE Techniques
- [T1027] Obfuscated Files or Information – Pikabot “employed the obfuscation method to encrypt binary strings, including the address of the command-and-control (C2) servers.”
- [T1140] Deobfuscate/Decode Files or Information – Pikabot decrypts strings at runtime: “Each string is decrypted only when required (in other words, Pikabot does not decrypt all strings at once).”
- [T1132] Data Encoding – The payload applies Base64 decoding after a character substitution: “decodes it using Base64 after replacing all instances of the character ‘_’ with ‘=’ and decrypts it using the AES-CBC algorithm.”
- [T1027.002] Software Packing/Obfuscation (ADVobfuscator-like) – The string implementation mirrors known obfuscators: “The string obfuscation’s implementation is similar to ADVobfuscator.”
Indicators of Compromise
- [SHA256] Pikabot sample hashes used to test the plugin – aebff5134e07a1586b911271a49702c8623b8ac8da2c135d4d3b0145a826f507, 4c53383c1088c069573f918c0f99fe30fa2dc9e28e800d33c4d212a5e4d36839, and 7 more hashes
- [Repository] IDA plugin source – https://github.com/threatlabz/pikabot-deobfuscator
- [Source URL] Original article/report – https://www.zscaler.com/blogs/security-research/automating-pikabot-s-string-deobfuscation
Pikabot decrypts strings through a specific sequence: it pushes an encrypted string array onto the stack, initializes an RC4 routine with a per-string RC4 key, runs RC4 over the array, substitutes ‘_’ with ‘=’ in the RC4 output, Base64-decodes that result, and finally decrypts it with AES-CBC using a sample-wide AES key and IV. Some strings are only RC4-encrypted and skip the AES step. The AES key and IV are constant per sample, while RC4 keys vary per string.
To automate extraction, the plugin uses IDA’s microcode because it reconstructs stack-based copies (e.g., turning multiple mov/rep sequences into recognizable strcpy/memcpy calls), making it easier to locate pushed encrypted arrays and key material. The AES key/IV extraction scans analyzed functions (filtered by size ~600–1,600 bytes) for RC4-related patterns and the presence of values 0x3D and 0x5F used before Base64 decoding (visible in microcode as m_stx and m_jnz). If a candidate function yields exactly two decrypted strings, the longest is taken as the AES key (first 32 bytes) and the other as the IV (first 16 bytes).
Reconstructing the RC4-encrypted array starts from the RC4 decryption block, locates the m_add microcode opcode to get the starting stack offset, and iterates backward looking for m_mov or m_call (to catch strcpy/memcpy copies) to collect bytes until the expected size is reached. The array length is found by searching nearby microcode opcodes (m_jb, m_jae, m_setb) for immediate constants used as size values. Because directly detecting the RC4 key at initialization was error-prone, the plugin extracts all candidate strings in the function and attempts RC4 decryption with each; a decryption is accepted only if the output has the expected length and consists of readable characters, and confirmed keys are marked to reduce false positives. The resulting IDA plugin (compatible with IDA 8+) adds a comment in the decompiled output for each decrypted string, and the source code is published on GitHub for community use.
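The decryption chain and the key-validation heuristic described above, as an added Python example that is not Zscaler's plugin code and does no IDA microcode analysis. It models three things: the per-string chain (RC4, then '_' to '=' substitution and Base64, then AES-CBC), the "try every candidate string as the RC4 key and keep only readable, correctly sized outputs" filter, and the rule that picks the AES key and IV from a function yielding exactly two strings. All encrypted inputs are constructed inline; the AES step assumes pycryptodome is installed and is imported lazily so the RC4 and Base64 stages run without it. Pikabot's padding handling after AES is not described on the page, so the raw block output is returned.

```python
import base64
import string
from typing import List, Optional, Tuple

PRINTABLE = set(string.printable.encode())


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def is_readable(data: bytes, expected_len: int) -> bool:
    """Validation applied to an RC4 result: expected length and only printable bytes."""
    return len(data) == expected_len and len(data) > 0 and all(b in PRINTABLE for b in data)


def find_rc4_key(enc: bytes, expected_len: int, candidates: List[bytes]) -> List[Tuple[bytes, bytes]]:
    """Try every candidate string found in the function as the RC4 key and keep only
    the ones whose output passes validation (the plugin's false-positive filter)."""
    hits = []
    for cand in candidates:
        if not cand:
            continue
        plain = rc4(cand, enc)
        if is_readable(plain, expected_len):
            hits.append((cand, plain))
    return hits


def pikabot_base64_decode(data: bytes) -> bytes:
    """Stages 2 and 3: restore the '=' padding Pikabot stores as '_', then Base64-decode."""
    return base64.b64decode(data.replace(b"_", b"="), validate=True)


def derive_aes_key_iv(decrypted: List[bytes]) -> Optional[Tuple[bytes, bytes]]:
    """A function yielding exactly two decrypted strings supplies the sample-wide AES
    key (first 32 bytes of the longer string) and IV (first 16 bytes of the other)."""
    if len(decrypted) != 2:
        return None
    longest, other = sorted(decrypted, key=len, reverse=True)
    if len(longest) < 32 or len(other) < 16:
        return None
    return longest[:32], other[:16]


def decrypt_string(enc: bytes, rc4_key: bytes,
                   aes_key: Optional[bytes] = None, iv: Optional[bytes] = None) -> bytes:
    """Full chain: RC4 -> '_'->'=' -> Base64 -> AES-CBC. Without AES material the
    string is treated as RC4-only and the RC4 output is returned as-is."""
    stage = rc4(rc4_key, enc)
    if aes_key is None:
        return stage
    ciphertext = pikabot_base64_decode(stage)
    from Crypto.Cipher import AES  # pycryptodome (assumption); only needed for the AES path
    # Padding removal after AES is not described in the article, so raw output is returned.
    return AES.new(aes_key, AES.MODE_CBC, iv).decrypt(ciphertext)


if __name__ == "__main__":
    # Constructed sample: an RC4-only string with a placeholder C2-style value.
    c2_plain = b"c2.example.invalid:443"
    encrypted = rc4(b"k1", c2_plain)
    # Candidate keys stand in for the strings the plugin extracts from the function.
    print(find_rc4_key(encrypted, len(c2_plain), [b"abc", b"k1", b"xyz"]))
    # Constructed sample whose RC4 output is Base64 with '_' padding.
    staged = rc4(b"k2", b"aGVsbG8_")
    print(pikabot_base64_decode(decrypt_string(staged, b"k2")))
    print(derive_aes_key_iv([b"A" * 40, b"B" * 20]))
```

In the real plugin the candidate list comes from the strings recovered in the same function and the expected length from the immediate constants near the size-check opcodes; here both are supplied by hand so the filter itself can be seen working.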
Read more: https://www.zscaler.com/blogs/security-research/automating-pikabot-s-string-deobfuscation