Researchers have dissected a new modular malware trojan, dubbed Pikabot, that can execute a diverse range of malicious commands. The trojan was first discovered in early 2023 and is believed to share similarities with the QakBot trojan, including distribution methods. 

About Pikabot

Pikabot operates as a backdoor built from two main components, a loader and a core module, and gives the operator unauthorized remote access to compromised systems.
The malware also receives commands from a C2 server; these range from injecting arbitrary shellcode, DLLs, or executable files to delivering other malicious tools such as Cobalt Strike.

Modus operandi

  • Once executed, Pikabot deploys an injector to run anti-analysis tests to check for debuggers, breakpoints, and system information before injecting the core module payload.
  • The core module is encrypted and stored in PNG images and is injected into a specified process such as WerFault, with Pikabot setting process mitigation flags that block non-Microsoft-signed binaries from loading into the injected process.
  • The trojan self-terminates if the system’s language is Georgian, Kazakh, Uzbek, or Tajik.
 
Similarities with other malware

There are also striking similarities between Pikabot and Matanbuchus:

  • Both are written in C/C++ and split their functionality into a loader and a separate core component.
  • Both use JSON with Base64 encoding and encryption for their network traffic, and both rely extensively on hard-coded strings.

These resemblances strongly suggest a potential link between the two malicious software groups.
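The shared traffic style described above (JSON, Base64, encryption) is something a defender can look for without knowing either family's exact protocol. The detector below is an added example written for this page, not code from any report on Pikabot or Matanbuchus. It assumes one common layering, a JSON envelope whose string fields carry Base64-encoded ciphertext; that layering, the field names (`bot_id`, `cmd`, `data`) and the sample bodies are all constructed for the example. It parses a request body as JSON, decodes any string value that is valid Base64, and flags decoded blobs whose byte entropy is close to 8 bits per byte, which is what encrypted or compressed data looks like and what configuration text does not.

```python
import base64
import binascii
import hashlib
import json
import math
import re

# Conservative Base64 shape: long, standard alphabet, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling for uniformly random bytes."""
    if not buf:
        return 0.0
    counts = {}
    for b in buf:
        counts[b] = counts.get(b, 0) + 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _walk(node, path, out):
    """Collect every Base64-decodable string in the JSON tree with its path."""
    if isinstance(node, dict):
        for k, v in node.items():
            _walk(v, f"{path}.{k}" if path else k, out)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk(v, f"{path}[{i}]", out)
    elif isinstance(node, str) and len(node) % 4 == 0 and B64_RE.match(node):
        try:
            raw = base64.b64decode(node, validate=True)
        except binascii.Error:
            return
        out.append({"path": path, "decoded_len": len(raw),
                    "entropy": round(shannon_entropy(raw), 3)})


def analyze_body(body: str, min_len: int = 32, threshold: float = 7.0) -> dict:
    """Score one request body. Returns parsed-JSON status, every Base64 blob
    found, and the subset that is both long enough and high-entropy."""
    try:
        doc = json.loads(body)
    except ValueError:
        return {"json": False, "blobs": [], "flagged": []}
    blobs = []
    _walk(doc, "", blobs)
    flagged = [b for b in blobs
               if b["decoded_len"] >= min_len and b["entropy"] >= threshold]
    return {"json": True, "blobs": blobs, "flagged": flagged}


# --- constructed sample bodies ------------------------------------------
# Deterministic stand-in for ciphertext: 1 KiB of SHA-256 output (not real C2 data).
_pseudo_ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
SUSPICIOUS_BODY = json.dumps({
    "bot_id": "example-host",
    "cmd": "beacon",
    "data": base64.b64encode(_pseudo_ciphertext).decode(),
})
# Benign: a service posting Base64-wrapped plain-text settings.
BENIGN_BODY = json.dumps({
    "client": "updater",
    "settings": base64.b64encode(
        b"log level=info; retry=3; host=example.invalid").decode(),
})

if __name__ == "__main__":
    for label, body in (("suspicious", SUSPICIOUS_BODY), ("benign", BENIGN_BODY)):
        result = analyze_body(body)
        print(label, "flagged:", [(b["path"], b["entropy"]) for b in result["flagged"]])
```

Treat a hit as a triage signal to be joined with process and destination context (the posting process, whether the host is a known update endpoint), since legitimate software also ships encrypted or compressed blobs inside JSON.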

Conclusion

With the June 2023 update, researchers detected two new C2 servers connected with Pikabot. However, the trojan appears to be in the early stages of development and is likely to expand its attack scope in the future. To stay safe, organizations must deploy the necessary detection tools to root out the malware at the initial stage.


Cyware Publisher