Pikabot returns with an ace up its sleeve: What's new in its attack strategy

Pikabot is a loader, a type of malware designed to be the delivery vehicle for other types of malware. It made its first appearance in early 2023 and has since been used by various threat actors to spread threats such as Cobalt Strike or different forms of ransomware.

Following the disruption of the Qakbot botnet, Pikabot emerged as an alternative and became especially active in the second half of 2023. Initially, it was distributed through malspam and malvertising campaigns promoting legitimate software such as AnyDesk, Slack, and Zoom.

However, its activity stopped in December 2023, due to the resurgence of an updated version of QakBot. Now, it’s back with significant modifications to its code and approach.

Researchers at Elastic Security Labs have detected a new Pikabot campaign, which began on February 8, 2024, using phishing emails as an initial access method.

These emails contain links that lead to ZIP files containing obfuscated JavaScript code. Once executed, the code uses PowerShell to download and run the Pikabot loader.
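The chain described above (a JavaScript file run from a ZIP, which then launches PowerShell to download content) can be matched in process-creation telemetry. The following is an added detection sketch, not code from Elastic Security Labs, Zscaler or this article. The event field names, the use of `wscript.exe`/`cscript.exe` as the script host, the download keyword list and all sample events are assumptions constructed for illustration.

```python
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Generic PowerShell download primitives; an assumption, not a list from the campaign.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|invoke-restmethod|\b(?:iwr|irm|curl|wget)\b|"
    r"downloadstring|downloadfile|net\.webclient|start-bitstransfer", re.I)
ENCODED_RE = re.compile(
    r"(?<!\w)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def effective_command(cmdline):
    """Return the command line plus any decoded -EncodedCommand (base64, UTF-16LE)."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers malformed base64 and malformed UTF-16
        return cmdline

def is_js_to_powershell_download(event):
    """Script host running a .js/.jse file spawns PowerShell that fetches content."""
    return (basename(event["parent_image"]) in SCRIPT_HOSTS
            and basename(event["image"]) in POWERSHELL
            and re.search(r"\.jse?\b", event["parent_command_line"], re.I) is not None
            and DOWNLOAD_RE.search(effective_command(event["command_line"])) is not None)

# Constructed sample events (hypothetical paths and URL, not taken from the campaign).
WS = r"C:\Windows\System32\wscript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
JS = r'wscript.exe "C:\Users\u\AppData\Local\Temp\Temp1_doc.zip\doc.js"'
FETCH = "Invoke-WebRequest -Uri https://example.invalid/f -OutFile $env:TEMP\\f.dat"
ENC = base64.b64encode(FETCH.encode("utf-16-le")).decode()
def ev(parent, pcmd, image, cmd):
    return {"parent_image": parent, "parent_command_line": pcmd, "image": image, "command_line": cmd}
SAMPLES = [
    ev(WS, JS, PS, "powershell " + FETCH),             # plain download
    ev(WS, JS, PS, "powershell -nop -enc " + ENC),     # same download, encoded
    ev(r"C:\Windows\explorer.exe", "explorer.exe", PS, "powershell " + FETCH),
    ev(WS, JS, PS, "powershell Get-Date"),             # no network retrieval
]

if __name__ == "__main__":
    print([is_js_to_powershell_download(e) for e in SAMPLES])
```

Only the first two sample events match; the same logic translates directly into an EDR or SIEM rule on parent/child process fields.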

Analysis of the Pikabot loader by Elastic Security Labs and Zscaler reveals several differences from previous versions of the malware:

  • Simplified encryption algorithms, with fewer inline RC4 functions.
  • Anti-debugging methods to bypass detection.
  • Bot configuration is presented in plain text at runtime, eliminating JSON formatting.
  • AES is no longer used in network communications.

“The design decisions in this latest version are intriguing and could mark the beginning of a new phase of development. Although the functionality is like previous versions,” commented the researchers at Elastic Security Labs.

The return of Pikabot highlights the constantly evolving cyber threat landscape, underscoring the need for continuous vigilance and agile adaptation in cybersecurity strategies.
