Keypoints
- Pikabot comprises a loader and a core module; the loader decrypts and injects the core, which executes commands and injects payloads.
- The 2024 variant simplifies string obfuscation (stack-based string construction and occasional RC4) versus prior RC4+AES-CBC per-string encryption.
- All configuration elements are stored plaintext in a single global memory structure and are zeroed after parsing.
- Network C2 uses HTTP with a session RC4 key (32 bytes), random byte-swap encoding (0–25 rounds), and raw payloads instead of JSON.
- Pikabot implements anti-analysis: junk instructions, PEB BeingDebugged and CheckRemoteDebuggerPresent checks, API hashing, randomized execution delays, and language checks to avoid RU/UA locales.
- Network commands support registration, command polling, reporting, remote execution, file/registry writes, and injecting downloaded PE files or shellcode into target processes.
- Not all planned features/commands appear implemented in the analyzed v1.8.32-beta samples.
MITRE Techniques
- [T1055] Process Injection – Used to deploy and execute payloads: (‘code injector to decrypt and inject the core module’ and ‘Injects the code of a downloaded PE file’).
- [T1071.001] Application Layer Protocol: Web Protocols (HTTP) – C2 uses HTTP for command-and-control: (‘Pikabot continues to use HTTP for command-and-control’).
- [T1573.001] Encrypted Channel: Symmetric Cryptography – C2 traffic is RC4-encrypted with a per-session key, with N rounds of byte swapping layered on top as an additional encoding (not encryption): (‘Pikabot encrypts the data using the RC4 algorithm’ and uses byte swapping for N rounds).
- [T1027] Obfuscated Files or Information – String and code obfuscation techniques are used (previously RC4+AES-CBC per-string encryption, now stack-based string construction, occasional RC4, junk instructions and API hashing for dynamic import resolution): (‘string obfuscation’ and ‘junk code’).
- [T1082] System Information Discovery – Pikabot collects host details for registration: (‘Pikabot collects information from the compromised host, such as: … Windows version … Hostname/username and operating system’s memory size’).
- [T1112] Modify Registry – Network commands can write files and add registry entries using a configured value name: (‘Writes a file to disk and adds registry data using the value name specified in the configuration’).
- [T1105] Ingress Tool Transfer – The bot downloads external payloads (PEs/shellcode) for injection and execution: (‘injects the code of a downloaded PE file’ and ‘injects the code of a downloaded shellcode’).
- [T1497] Virtualization/Sandbox Evasion – Randomized execution delays and RU/UA language checks are used to frustrate automated analysis and limit execution to intended environments.
- [T1622] Debugger Evasion – Anti-debug checks are performed before the core runs (PEB BeingDebugged flag, CheckRemoteDebuggerPresent): (‘Reading the BeingDebugged flag from the PEB’ and ‘Calling the Microsoft Windows API function CheckRemoteDebuggerPresent’).
Indicators of Compromise
- [SHA256] Pikabot sample (v1.8.32-beta) – 555687ca3149e23ee980a3acf578e0572da556cf34c87aecf48596834d6b496f, ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d
- [IP:Port] Command-and-Control servers – 104.129.55[.]103:2224, 178.18.246[.]136:2078, and 11 other servers listed in the report
Pikabot is implemented as a two-stage Windows payload: a loader that decrypts and injects a core module, and the core which handles command execution and payload distribution. The 2024 samples (v1.8.32-beta) simplify prior heavy obfuscation—most strings are now constructed on the stack or occasionally protected by RC4 rather than the former RC4+AES-CBC combo—and continue to employ junk instructions, API-hash resolution, randomized execution delays, and active anti-debug checks (reading the PEB BeingDebugged flag and calling CheckRemoteDebuggerPresent). The malware also halts execution for Russian and Ukrainian locales, indicating environmental checks designed to limit exposure to local law enforcement.
Configuration handling and initialization were reworked: the entire bot configuration is loaded plaintext into a single global memory structure (then zeroed after parsing), API pointers are dynamically resolved, and a host-specific bot identifier is generated (sometimes failing to read the volume serial number due to a bug). For network operations, Pikabot registers the host to its HTTP-based C2 by sending a registration packet containing host metadata (OS/version, display settings, hostname/user, memory, process counts), a 32-byte session RC4 key, a registry value name whose purpose is not yet known (later used by command 0x246F), and a randomly selected swap-round count. The payload is RC4-encrypted, then encoded by performing N byte-swap rounds (N is randomly chosen 0–25), and transmitted via POST to a randomly selected URI; JSON has been dropped in favour of raw packet formats. Because both the session key and the round count travel in the registration packet, a defender who captures that packet has what is needed to decode the rest of the session.
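The packet scheme described above, as an added example in Python (this is not code from the report or from Pikabot itself). RC4, the 32-byte session key and the 0–25 round range follow the text; the page does not describe the byte-swap permutation, so the one used here (swap each adjacent pair, then rotate the buffer left by one byte) is an assumption standing in for it. The decoder applies the inverse permutation the same number of times before decrypting, which is why the round count has to be recovered from the registration packet before any later traffic can be read.

```python
"""Encode/decode a Pikabot-style C2 packet: RC4 under a 32-byte session key,
then N byte-swap rounds.  Added example; the swap permutation is an ASSUMPTION
(the report does not document it), the RC4 and key/round parameters follow it."""
import os
import random


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def swap_round(buf: bytes) -> bytes:
    """ASSUMED permutation for one round: swap adjacent pairs, rotate left 1."""
    b = bytearray(buf)
    for k in range(0, len(b) - 1, 2):
        b[k], b[k + 1] = b[k + 1], b[k]
    return bytes(b[1:] + b[:1])


def unswap_round(buf: bytes) -> bytes:
    """Inverse of swap_round: rotate right 1, then swap adjacent pairs again."""
    b = bytearray(buf[-1:] + buf[:-1])
    for k in range(0, len(b) - 1, 2):
        b[k], b[k + 1] = b[k + 1], b[k]
    return bytes(b)


def encode_packet(session_key: bytes, rounds: int, plaintext: bytes) -> bytes:
    """Bot side: RC4-encrypt, then apply `rounds` swap rounds (0-25 per the report)."""
    if len(session_key) != 32 or not 0 <= rounds <= 25:
        raise ValueError("32-byte session key and 0-25 rounds expected")
    body = rc4(session_key, plaintext)
    for _ in range(rounds):
        body = swap_round(body)
    return body


def decode_packet(session_key: bytes, rounds: int, body: bytes) -> bytes:
    """Analyst/C2 side: undo the swap rounds in reverse, then RC4-decrypt."""
    for _ in range(rounds):
        body = unswap_round(body)
    return rc4(session_key, body)


def session_demo() -> tuple:
    """Simulate one session: the bot picks key and round count, the decoder
    recovers a constructed command-result packet with them."""
    session_key = os.urandom(32)             # 32-byte session RC4 key
    rounds = random.randint(0, 25)           # randomly selected swap-round count
    result = b"constructed command output: whoami -> WORKSTATION\\user"
    wire = encode_packet(session_key, rounds, result)
    return decode_packet(session_key, rounds, wire) == result, rounds


if __name__ == "__main__":
    ok, n = session_demo()
    print(f"round-trip ok={ok} with {n} swap rounds")
```

Note that decoding with the wrong round count yields RC4 keystream XORed over a permuted ciphertext, which is indistinguishable from garbage; a decoder that does not know N has to try all 26 values, which is cheap and a reasonable fallback when the registration packet was missed.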
Once registered, Pikabot enters a continuous command loop. Incoming commands are prefixed by a task QWORD and include actions for polling (0x164), reporting results (0x555), registration (0x1291), beacon updates (0x1FED), termination (0x1A5A), writing files and registry entries (0x246F), executing system commands and returning output (0xACB and variants), injecting downloaded PE files (0x36C) or shellcode (0x792), and collecting detailed process information (0x985). Several command IDs are present but unimplemented, suggesting ongoing development; the combination of process injection, remote execution, and registry/file writes enables both persistence and further payload distribution.
Read more: https://www.zscaler.com/blogs/security-research/d-evolution-pikabot