Deep dive into the Pikabot cyber threat

Pikabot is a modular backdoor malware with a loader and core module that can execute a range of C2 commands, inject payloads into system processes, and even distribute tools like Cobalt Strike. Sophos NDR has added a machine learning model to detect Pikabot’s encrypted traffic patterns, deployed across sensors with no extra updates needed.
#Pikabot #Qakbot #Matanbuchus #CobaltStrike #SophosNDR

Key points

  • Pikabot is modular, consisting of a loader and a core module; the core handles most malicious actions while the loader assists in deployment.
  • The malware acts as a backdoor, receiving commands from a C2 server to inject shellcode, DLLs, or executables, and to distribute tools like Cobalt Strike.

MITRE Techniques

  • [T1055] Process Injection – The core payload is injected into a specified process like WerFault (‘The payload is then injected into a specified process like WerFault’).
  • [T1105] Ingress Tool Transfer – Pikabot deploys an injector/core flow that can fetch and run additional tools, including Cobalt Strike (‘distributing other malicious tools such as Cobalt Strike’).
  • [T1071] Command and Control – It operates as a backdoor receiving commands from a C2 server (‘receives commands from a command-and-control (C2) server’).
  • [T1027] Obfuscated Files and Information – The core payload is encrypted and stored in PNG images; it is decrypted with a hardcoded 32-byte key and the result is further processed with AES in CBC mode (‘payload is cleverly encrypted and stored in PNG images… decrypted using a hardcoded 32-byte key, and the decrypted data is further processed using AES (CBC mode)’).
  • [T1497.001] Virtualization/Sandbox Evasion – It performs anti-analysis checks (debuggers, breakpoints, sandbox) to hinder analysis (‘checks for the presence of debuggers, breakpoints, and system information… detect sandbox environments’).

Indicators of Compromise

  • [IP Address] C2 endpoints – 192[.]9[.]135[.]73:1194, 185[.]87[.]148[.]132:1194, and 2 more addresses
  • [IP Address] C2 endpoints – 45[.]154[.]24[.]57:2078, 45[.]85[.]235[.]39:2078, and 1 more address
  • [JARM] TLS fingerprint – 21d19d00021d21d21c21d19d21d21dd188f9fdeea4d1b361be3a6ec494b2d2
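
A detection-side check, added here as an example and not taken from the Sophos article: it refangs the four defanged C2 sockets and the JARM fingerprint listed above and matches them against Zeek-style conn and ssl log rows. The column layouts, the `jarm` column and the sample rows are constructed assumptions, not Sophos telemetry.

```python
import ipaddress
from typing import Iterable

# Indicators as listed in this digest, kept in their defanged form.
C2_SOCKETS = [
    "192[.]9[.]135[.]73:1194", "185[.]87[.]148[.]132:1194",
    "45[.]154[.]24[.]57:2078", "45[.]85[.]235[.]39:2078",
]
PIKABOT_JARM = "21d19d00021d21d21c21d19d21d21dd188f9fdeea4d1b361be3a6ec494b2d2"
C2_JARMS = {PIKABOT_JARM}


def refang(indicator: str) -> tuple[str, int]:
    """'1[.]2[.]3[.]4:1194' -> ('1.2.3.4', 1194); rejects malformed addresses."""
    host, _, port = indicator.replace("[.]", ".").rpartition(":")
    return str(ipaddress.ip_address(host)), int(port)


C2_SET = {refang(i) for i in C2_SOCKETS}


def _rows(lines: Iterable[str], width: int):
    """Yield tab-separated fields, skipping Zeek '#' header lines and short rows."""
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if line.startswith("#") or len(fields) < width:
            continue
        yield fields


def scan_conn(lines: Iterable[str]) -> list[str]:
    """uids whose destination ip:port is a listed C2 socket (port must match too).
    Assumed (constructed) column order: ts uid src sport dst dport proto."""
    return [f[1] for f in _rows(lines, 7) if (f[4], int(f[5])) in C2_SET]


def scan_ssl(lines: Iterable[str]) -> list[str]:
    """uids whose server JARM equals the listed Pikabot TLS fingerprint (case-folded).
    Assumed (constructed) column order: ts uid dst dport jarm."""
    return [f[1] for f in _rows(lines, 5) if f[4].lower() in C2_JARMS]


# Constructed sample rows: true hits plus a same-IP/other-port row that must not match.
SAMPLE_CONN = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1686556800.1\tCabc1\t10.0.0.5\t51000\t192.9.135.73\t1194\ttcp",
    "1686556801.2\tCabc2\t10.0.0.5\t51001\t192.9.135.73\t443\ttcp",
    "1686556802.3\tCabc3\t10.0.0.7\t51002\t45.85.235.39\t2078\ttcp",
]
SAMPLE_SSL = [
    "1686556800.1\tCabc1\t192.9.135.73\t1194\t" + PIKABOT_JARM.upper(),
    "1686556801.2\tCabc2\t192.9.135.73\t443\t" + "0" * 62,
]

if __name__ == "__main__":
    print("conn hits:", scan_conn(SAMPLE_CONN))  # ['Cabc1', 'Cabc3']
    print("ssl hits:", scan_ssl(SAMPLE_SSL))     # ['Cabc1']
```

The socket match requires both address and port, so a connection to a listed address on a different port is left for a separate review rather than flagged as C2.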

Read more: https://news.sophos.com/en-us/2023/06/12/deep-dive-into-the-pikabot-cyber-threat/