1. Home
  2. Campaigns
  3. Pikabot Distribution February 2024

Pikabot Distribution February 2024

Pikabot was distributed in Pikabot Distribution February 2024 using malicious emails with embedded links leading to malicious ZIP archives requiring user interaction for follow-on infection. The version of Pikabot distributed featured significant changes over the 2023 variant, including reduced code complexity and simplified obfuscation mechanisms.[1][2]

ID: C0036
First Seen:  February 2024 [1]
Last Seen:  February 2024 [1]
Contributors: Inna Danilevich, U.S. Bank
Version: 1.0
Created: 17 July 2024
Last Modified: 28 October 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Pikabot Distribution February 2024 passed execution from obfuscated JavaScript files to PowerShell scripts to download and install Pikabot.[1]
.007 Command and Scripting Interpreter: JavaScript

Pikabot Distribution February 2024 utilized obfuscated JavaScript files for initial Pikabot payload download.[1]
Enterprise T1574 Hijack Execution Flow

Pikabot Distribution February 2024 utilized a tampered legitimate executable, grepWinNP3.exe, for its first stage Pikabot loader, modifying the open-source tool to execute malicious code when launched.[1]
Enterprise T1566 .002 Phishing: Spearphishing Link

Pikabot Distribution February 2024 utilized emails with hyperlinks leading to malicious ZIP archive files containing scripts to download and install Pikabot.[1]

Software

ID Name Description
S1145 Pikabot

Pikabot Distribution February 2024 distributed Pikabot for initial access purposes in February 2024.[1][2]

References

  1. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
  1. Nikolaos Pantazopoulos. (2024, February 12). The (D)Evolution of Pikabot. Retrieved July 17, 2024.