Keypoints
- Pikabot is modular: a loader/injector handles anti-analysis and decrypts a core module stored as encrypted PNG resources.
- The injector decrypts resource PNG chunks by XOR with a 32-byte key then AES-CBC (IV = first 16 bytes of the chunk) and injects the core into a created process (e.g., WerFault).
- Extensive anti-analysis/sandbox evasion: exception-based tricks, PEB BeingDebugged/NtGlobalFlag checks, CheckRemoteDebuggerPresent/IsDebuggerPresent, NtQueryInformationProcess, GetWriteWatch, OutputDebugString, rdtsc, trap flag/hardware breakpoint checks, processor/RAM thresholds, Beep delays, and loading junk libraries.
- Persistence via Run registry key and corruption of the original executable; alternative persistence by downloading a PowerShell script stored in HKCU\Software and invoked through a Run key command.
- C2 configuration and network traffic are obfuscated: ADVobfuscator for strings, Base64 + AES-CBC for C2 IP/port decoding, and a custom layered Base64/AES scheme for encrypting requests; observed C2 ports include 1194, 2078, and 2222.
- Pikabot supports tasking (cmd, shellcode, dll, exe, additional info collection, knock) and collects detailed host/network information during HTTPS POST registration.
MITRE Techniques
- [T1055] Process Injection – Injector and core inject shellcode, DLLs, or executables into created processes (‘injects the core module into it’).
- [T1027] Obfuscated Files or Information – Strings and components are obfuscated using ADVobfuscator and multiple encryption layers (‘use the public tool ADVobfuscator for string obfuscation’).
- [T1497] Virtualization/Sandbox Evasion – Multiple sandbox/analysis checks and junk library loading to detect sandboxes (‘Attempt to load junk and incorrect libraries in order to detect sandboxes’).
- [T1547.001] Registry Run Keys/Startup Folder – Adds persistence by creating a Run key entry with its file path (‘add persistence on the compromised host by creating a new value with its file path in the Run registry key’).
- [T1059.003] Windows Command Shell – Executes shell commands via cmd.exe for task execution (‘Executes a shell command via cmd.exe’).
- [T1059.001] PowerShell – Downloads/stores a PowerShell script in the registry and invokes it via an encoded PowerShell command in the Run key (‘downloads a PowerShell script from the command-and-control server and stores it in HKEY_CURRENT_USER\Software\predefined_name’).
- [T1071.001] Application Layer Protocol: Web Protocols – C2 registration and tasking use HTTPS POST requests (‘registering the compromised host with the command-and-control servers… with an HTTPS POST request’).
- [T1105] Ingress Tool Transfer – Downloads payloads such as PowerShell scripts, DLLs, and executables from C2 (‘Pikabot downloads a PowerShell script’ / ‘Injects a downloaded DLL file’).
- [T1132] Data Encoding – Uses Base64 encoding extensively in C2 config and network encryption routines (‘The request data is encoded using Base64’).
Indicators of Compromise
- [SHA256 Hash] Host binaries – 92153e88db63016334625514802d0d1019363989d7b3f6863947ce0e490c1006, a48c39cc45efea110a7c8edadcb6719f5d1ebbeebb570b345f47172d393c0821, and 3 more hashes
- [Network IP/URL] Command-and-control servers – hxxps://129.153[.]135.83:2078, hxxps://132.148.79[.]222:2222, and 3 more C2 entries
- [Registry / File path] Persistence and process targets – Run registry key entries and HKEY_CURRENT_USER\Software for the stored PowerShell script, plus injected process example WerFault
Pikabot’s injector performs a long sequence of anti-analysis checks (exceptions via int 2d/int 3, PEB BeingDebugged/NtGlobalFlag checks, CheckRemoteDebuggerPresent/IsDebuggerPresent, NtQueryInformationProcess for ProcessDebugPort/Flags, GetWriteWatch, OutputDebugString, rdtsc/trap-flag and hardware breakpoint detection, Beep-based delays, CPU and RAM threshold checks, and junk-library loading) and aborts if tests fail. The injector reconstructs the core from multiple PNG resources: each resource is first XORed with a hardcoded 32-byte key, then decrypted with AES-CBC using the first 16 bytes of the encrypted chunk as the IV; after decryption it creates a target process (e.g., WerFault), injects the core payload, and sets PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON on the process.
The core continues anti-analysis (including a NtContinue-based sleep technique) and will exit for systems with certain language settings (e.g., Russian, Ukrainian, Georgian, Kazakh, Uzbek Cyrillic, Tajik, Belarusian, Slovenian). For persistence it checks if it runs under a hardcoded AppData path; if not, it writes a Run key with its path and corrupts the original executable by replacing its contents with a truncated PE header plus nulls. Alternatively, it downloads a PowerShell script from C2, stores it under HKCU\Software along with encrypted C2 data, and adds a Run entry that executes an encoded PowerShell command (example pattern included in samples).
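A host-triage example for the two persistence artefacts described in the paragraph above, added here as illustration and not code from the report or from the Zscaler authors. It decodes an `-EncodedCommand` Run value back to readable PowerShell and flags it when the decoded script reads from HKCU, flags executables launched from AppData, and recognises the corrupted original: a file that still starts with `MZ` but is null bytes past the header. The `headerWindow` bound, the flag spellings, the sample Run values and the `predefined_name` registry path (the report's own placeholder) are assumptions.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// headerWindow is an assumed bound on how much of a truncated PE header the
// corrupted file keeps; in a stub everything past it should be null.
const headerWindow = 1024

// IsCorruptedStub reports whether data looks like the overwritten original:
// an MZ prefix followed, past the header window, by nothing but null bytes.
func IsCorruptedStub(data []byte) bool {
	if len(data) <= headerWindow || !bytes.HasPrefix(data, []byte("MZ")) {
		return false
	}
	return bytes.Count(data[headerWindow:], []byte{0}) == len(data)-headerWindow
}

// EncodeCommand builds the Base64(UTF-16LE) form PowerShell expects after
// -EncodedCommand; used here only to construct the sample Run value.
func EncodeCommand(cmd string) string {
	u := utf16.Encode([]rune(cmd))
	buf := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], c)
	}
	return base64.StdEncoding.EncodeToString(buf)
}

// DecodeEncodedCommand reverses EncodeCommand so the script can be read.
func DecodeEncodedCommand(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw)%2 != 0 {
		return "", errors.New("encoded command is not UTF-16LE")
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = binary.LittleEndian.Uint16(raw[2*i:])
	}
	return string(utf16.Decode(u)), nil
}

// AssessRunValue returns triage findings for one Run-key command line.
func AssessRunValue(cmd string) []string {
	var findings []string
	lower := strings.ToLower(cmd)
	if strings.Contains(lower, `\appdata\`) && strings.Contains(lower, ".exe") {
		findings = append(findings, "executable launched from AppData (weak signal on its own)")
	}
	if !strings.Contains(lower, "powershell") {
		return findings
	}
	fields := strings.Fields(cmd)
	for i, f := range fields {
		fl, next := strings.ToLower(f), ""
		if i+1 < len(fields) {
			next = strings.ToLower(fields[i+1])
		}
		switch {
		case (fl == "-w" || fl == "-windowstyle") && next == "hidden":
			findings = append(findings, "PowerShell started with a hidden window")
		case fl == "-enc" || fl == "-encodedcommand" || fl == "-e" || fl == "-ec":
			findings = append(findings, "encoded PowerShell command in Run value")
			if next == "" {
				continue
			}
			dec, err := DecodeEncodedCommand(fields[i+1]) // original case, not lowered
			if err != nil {
				continue
			}
			if dl := strings.ToLower(dec); strings.Contains(dl, "hkcu") || strings.Contains(dl, "hkey_current_user") {
				findings = append(findings, "decoded command reads HKCU (script staged in the registry)")
			}
		}
	}
	return findings
}

func main() {
	// Constructed Run values: a benign vendor entry, an AppData launcher, and
	// an encoded PowerShell entry that reads a registry-staged script.
	samples := map[string]string{
		"VendorSync": `"C:\Program Files\Vendor\sync.exe" /background`,
		"Updater":    `C:\Users\analyst\AppData\Roaming\updater\u.exe`,
		"Loader":     "powershell.exe -w hidden -enc " + EncodeCommand(`Get-ItemProperty -Path HKCU:\Software\predefined_name`),
	}
	for name, cmd := range samples {
		fmt.Printf("%s: %v\n", name, AssessRunValue(cmd))
	}
	stub := make([]byte, 4096)
	copy(stub, "MZ\x90\x00\x03")
	fmt.Println("corrupted stub:", IsCorruptedStub(stub))
}
```

The AppData finding is deliberately reported as weak: plenty of legitimate updaters live there, and it only becomes interesting alongside the hidden-window and registry-read findings or a file on disk that `IsCorruptedStub` accepts.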
C2 configuration and network traffic use layered obfuscation: components are ADVobfuscator-obfuscated and C2 entries are decoded by splitting a Base64 list with ‘&’, taking the first 32 bytes as an AES key, Base64-decoding the rest, using the first 16 bytes of that decode as the IV, and AES-CBC decrypting the remainder to get a Base64 result that reveals IP:port (many use ports like 1194, 2078, 2222). Registration occurs via HTTPS POST with detailed host info; tasks requested from C2 include cmd, destroy, shellcode, dll, exe, additional info collection (whoami, ipconfig, processes), and periodic knock keep-alives. Network request encryption: Base64 encode → prepend random 32-byte key (after another Base64 step) → AES-CBC with IV taken from a function prologue → final Base64, with the key and a hardcoded URI key prepended.
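The two decoding routines described above, the injector's PNG-resource decryption (XOR with a 32-byte key, then AES-CBC with the IV taken from the front of the chunk) and the C2-list decoding (split on ‘&’, first 32 bytes as AES key, Base64, AES-CBC with a prefixed IV, Base64 again to reach `ip:port`), as one added analyst-side example in Go. This is not code from the report or from the Zscaler authors. The sample keys, IV and addresses are constructed, PKCS#7 padding is assumed, the XOR key is assumed to cycle over the data, and the IV is assumed to be read after the XOR layer is removed; a real extractor substitutes the keys recovered from the sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample keys for this example only; a real sample hardcodes its own.
var (
	sampleXORKey = []byte("0123456789abcdef0123456789abcdef") // 32-byte XOR key
	sampleAESKey = []byte("ABCDEFGHIJKLMNOPQRSTUVWXYZ012345") // 32-byte key, so AES-256
	sampleIV     = []byte("fixed-iv-16bytes")                 // 16-byte IV stored in front of the ciphertext
)

// pkcs7Unpad strips PKCS#7 padding when it is well formed (assumed scheme).
func pkcs7Unpad(b []byte) []byte {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || n > len(b) || bytes.Count(b[len(b)-n:], []byte{byte(n)}) != n {
		return b
	}
	return b[:len(b)-n]
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// aesCBCDecryptIVPrefixed treats the first 16 bytes of data as the IV and
// decrypts the rest with AES-CBC: the layout used by both the resource
// chunks and the C2 entries.
func aesCBCDecryptIVPrefixed(key, data []byte) ([]byte, error) {
	if len(data) <= aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext must be IV plus a non-empty multiple of 16 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(out, data[aes.BlockSize:])
	return pkcs7Unpad(out), nil
}

// aesCBCEncryptIVPrefixed is the inverse, used only to build constructed samples.
func aesCBCEncryptIVPrefixed(key, iv, plain []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	padded := pkcs7Pad(plain)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...)
}

// xorWithKey applies the repeating-key XOR layer (assumed to cycle over the key).
func xorWithKey(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}

// DecryptResourceChunk reverses both layers on one PNG resource chunk.
func DecryptResourceChunk(chunk []byte) ([]byte, error) {
	return aesCBCDecryptIVPrefixed(sampleAESKey, xorWithKey(chunk, sampleXORKey))
}

// BuildSampleResourceChunk produces a constructed chunk in that layout.
func BuildSampleResourceChunk(payload []byte) []byte {
	return xorWithKey(aesCBCEncryptIVPrefixed(sampleAESKey, sampleIV, payload), sampleXORKey)
}

// DecodeC2Entry decodes one '&'-separated entry: 32-char key, then
// Base64(IV || ciphertext), whose plaintext is again Base64 of "ip:port".
func DecodeC2Entry(entry string) (string, error) {
	if len(entry) <= 32 {
		return "", errors.New("entry too short to hold a 32-byte key")
	}
	raw, err := base64.StdEncoding.DecodeString(entry[32:])
	if err != nil {
		return "", err
	}
	plain, err := aesCBCDecryptIVPrefixed([]byte(entry[:32]), raw)
	if err != nil {
		return "", err
	}
	addr, err := base64.StdEncoding.DecodeString(string(plain))
	return string(addr), err
}

// DecodeC2List decodes every non-empty entry of the '&'-joined list.
func DecodeC2List(list string) ([]string, error) {
	var out []string
	for _, e := range strings.Split(list, "&") {
		if e == "" {
			continue
		}
		addr, err := DecodeC2Entry(e)
		if err != nil {
			return nil, err
		}
		out = append(out, addr)
	}
	return out, nil
}

// BuildSampleC2Entry builds a constructed entry with the sample key and IV.
func BuildSampleC2Entry(addr string) string {
	inner := []byte(base64.StdEncoding.EncodeToString([]byte(addr)))
	return string(sampleAESKey) + base64.StdEncoding.EncodeToString(aesCBCEncryptIVPrefixed(sampleAESKey, sampleIV, inner))
}

func main() {
	// TEST-NET addresses with the report's observed ports, constructed here.
	list := BuildSampleC2Entry("192.0.2.10:2078") + "&" + BuildSampleC2Entry("192.0.2.11:2222")
	addrs, err := DecodeC2List(list)
	fmt.Println(addrs, err)
	core, err := DecryptResourceChunk(BuildSampleResourceChunk([]byte("MZ constructed core payload")))
	fmt.Printf("%q %v\n", core, err)
}
```

Splitting on ‘&’ is safe because neither the 32-character key nor standard Base64 output can contain that character; the length check in `aesCBCDecryptIVPrefixed` is what turns a truncated or mis-keyed entry into an error instead of garbage that the second Base64 step would then reject less clearly.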
Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot