Pikabot is a backdoor used for initial access and follow-on tool deployment active since early 2023. Pikabot is notable for extensive use of multiple encoding, encryption, and defense evasion mechanisms to evade defenses and avoid analysis. Pikabot has some overlaps with QakBot, but insufficient evidence exists to definitively link these two malware families. Pikabot is frequently used to deploy follow on tools such as Cobalt Strike or ransomware variants.[1][2][3]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .001 | Account Discovery: Local Account |
Pikabot will retrieve the name of the user associated with the thread under which the malware is executing.[2] |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Pikabot maintains persistence following system checks through the Run key in the registry.[1] |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Pikabot uses base64 encoding in conjunction with symmetric encryption mechanisms to obfuscate command and control communications.[1][2] |
Enterprise | T1622 | Debugger Evasion |
Pikabot features several methods to evade debugging by analysts, including checks for active debuggers, the use of breakpoints during execution, and checking various system information items such as system memory and the number of processors.[1][2][3] |
|
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Pikabot decrypts command and control URIs using ADVobfuscator, and decrypts IP addresses and port numbers with a custom algorithm.[1] Other versions of Pikabot decode chunks of stored stage 2 payload content in the initial payload |
|
Enterprise | T1482 | Domain Trust Discovery |
Pikabot will gather information concerning the Windows Domain the victim machine is a member of during execution.[2] |
|
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Earlier Pikabot variants use a custom encryption procedure leveraging multiple mechanisms including AES with multiple rounds of Base64 encoding for its command and control communication.[1] Later Pikabot variants eliminate the use of AES and instead use RC4 encryption for transmitted information.[2] |
Enterprise | T1480 | .001 | Execution Guardrails: Environmental Keying |
Pikabot stops execution if the infected system language matches one of several languages, with various versions referencing: Georgian, Kazakh, Uzbek, Tajik, Russian, Ukrainian, Belarussian, and Slovenian.[1][2] |
Enterprise | T1041 | Exfiltration Over C2 Channel |
During the initial Pikabot command and control check-in, Pikabot will transmit collected system information encrypted using RC4.[2] |
|
Enterprise | T1106 | Native API |
Pikabot uses native Windows APIs to determine if the process is being debugged and analyzed, such as |
|
Enterprise | T1571 | Non-Standard Port |
Pikabot uses non-standard ports, such as 2967, 2223, and others, for HTTPS command and control communication.[2] |
|
Enterprise | T1027 | .003 | Obfuscated Files or Information: Steganography |
Pikabot loads a set of PNG images stored in the malware's resources section (RCDATA), each with an encrypted section containing portions of the core Pikabot core module. These sections are loaded and decrypted using a bitwise XOR operation with a hardcoded 32 bit key.[1] |
.009 | Obfuscated Files or Information: Embedded Payloads |
Pikabot further decrypts information embedded via steganography using AES-CBC with the same 32 bit key as initial XOR operations combined with the first 16 bytes of the encrypted data as an initialization vector.[1] Other Pikabot variants include encrypted, chunked sections of the stage 2 payload in the initial loader |
||
.011 | Obfuscated Files or Information: Fileless Storage |
Some versions of Pikabot build the final PE payload in memory to avoid writing contents to disk on the executing machine.[2] |
||
Enterprise | T1055 | .002 | Process Injection: Portable Executable Injection |
Pikabot, following payload decryption, creates a process hard-coded into the dropped (e.g., WerFault.exe) and injects the decrypted core modules into it.[1] |
.003 | Process Injection: Thread Execution Hijacking |
Pikabot can create a suspended instance of a legitimate process (e.g., ctfmon.exe), allocate memory within the suspended process corresponding to Pikabot's core module, then redirect execution flow via |
||
Enterprise | T1620 | Reflective Code Loading |
Pikabot reflectively loads stored, previously encrypted components of the PE file into memory of the currently executing process to avoid writing content to disk on the executing machine.[2] |
|
Enterprise | T1082 | System Information Discovery |
Pikabot performs a variety of system checks and gathers system information, including commands such as |
|
Enterprise | T1016 | System Network Configuration Discovery |
Pikabot gathers victim network information through commands such as |
|
Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
Pikabot performs a variety of system checks to determine if it is running in an analysis environment or sandbox, such as checking the number of processors (must be greater than two), and the amount of RAM (must be greater than 2GB).[2] |
ID | Name | Description |
---|---|---|
C0036 | Pikabot Distribution February 2024 |
Pikabot Distribution February 2024 distributed Pikabot for initial access purposes in February 2024.[2][5] |
C0037 | Water Curupira Pikabot Distribution |
Water Curupira Pikabot Distribution distributed Pikabot as an initial access mechanism.[6] |