
PikaBot Malware

Infosec researchers have detected a highly sophisticated phishing campaign delivering the PikaBot malware, describing it as the most advanced phishing operation observed since the takedown of the Qakbot botnet. The email campaign began in September 2023, shortly after the FBI-led operation seized and shut down QBot's (Qakbot) infrastructure.

According to researchers, before PikaBot the campaign primarily distributed a threat called DarkGate. The lures and techniques employed by the attackers closely mirror those seen in earlier Qakbot campaigns, suggesting that former Qbot operators have moved on to newer malware botnets.

Qbot was among the most widely distributed email-borne malware botnets. DarkGate and PikaBot, which share many of Qbot's characteristics as modular malware loaders, now present a comparable threat to enterprises. As with Qbot, these loaders are expected to be used by threat actors to gain initial access to networks, which can then lead to ransomware, espionage and data theft.

PikaBot is Delivered through Phishing Attacks

Infosec researchers observed a significant surge in phishing emails distributing the DarkGate malware, with the threat actors switching to PikaBot as the primary payload from October 2023. The campaign begins with an email masquerading as a reply to, or forward of, a stolen email thread (thread hijacking), a tactic intended to make the message look trustworthy to the recipient.

When the recipient clicks the embedded URL, the site runs a series of checks to confirm that the visitor is a valid target before prompting them to download a ZIP archive containing a malware dropper. The dropper then retrieves the final payload from a remote server.

The attackers experimented with several initial droppers to gauge their effectiveness, including:

  • A JavaScript dropper (JS Dropper) designed to download and execute PE executables or DLLs.
  • An Excel-DNA loader that abuses an open-source project intended for creating XLL (Excel add-in) files, used here to download and run malware.
  • VBS (Visual Basic Script) downloaders that execute malware through .vbs files embedded in Microsoft Office documents or by invoking command-line executables.
  • LNK downloaders that misuse Microsoft shortcut files (.lnk) to download and execute malware.
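The delivery chain above (a "reply" to a hijacked thread carrying a link, then a ZIP archive holding a script, XLL or LNK dropper) lends itself to two cheap triage checks: a message that claims to be a reply but carries none of the threading headers a real mail client adds, and an archive whose members are executable script types, possibly hidden behind a decoy double extension. The following is an added example written for this page, not code from the original article or from the researchers it cites; the sample email and ZIP are constructed inline, and the header heuristic is an assumption about typical mail client behaviour rather than a published indicator for this campaign.

```python
"""Triage heuristics for the thread-hijacking lure and the ZIP-packed droppers
described above (added example; sample inputs are constructed, not captured)."""
import email
import io
import re
import zipfile
from email import policy

# Dropper types named for this campaign (JS, XLL via Excel-DNA, VBS, LNK) plus
# close variants an analyst would treat the same way (assumed extension list).
DROPPER_EXTENSIONS = {".js", ".jse", ".wsf", ".xll", ".vbs", ".vbe", ".lnk"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def thread_hijack_indicators(raw_email: str) -> dict:
    """Flag a message whose subject claims it is a reply or forward but that
    carries no In-Reply-To / References header (which a genuine mail client
    would set) and that pushes at least one link in the body."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    subject = msg.get("Subject", "")
    claims_reply = bool(re.match(r"\s*(re|fw|fwd)\s*:", subject, re.IGNORECASE))
    has_threading = bool(msg.get("In-Reply-To") or msg.get("References"))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = URL_RE.findall(text)
    return {
        "claims_reply": claims_reply,
        "has_threading_headers": has_threading,
        "urls": urls,
        "suspicious": claims_reply and not has_threading and bool(urls),
    }


def archive_dropper_findings(zip_bytes: bytes) -> list:
    """Return archive members whose extension (including a hidden double
    extension such as invoice.pdf.js) is one of the dropper types above."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            # Keep every extension so the decoy ".pdf" does not mask the ".js".
            exts = ["." + part for part in lower.split(".")[1:]]
            hits = [e for e in exts if e in DROPPER_EXTENSIONS]
            if hits:
                findings.append({
                    "member": info.filename,
                    "extension": hits[-1],
                    "double_extension": len(exts) > 1,
                    "size": info.file_size,
                })
    return findings


# Constructed sample lure: subject says "RE:", no threading headers, one link.
SAMPLE_EMAIL = """From: accounting@example.com
To: victim@example.org
Subject: RE: Invoice 4471 - payment confirmation
Content-Type: text/plain; charset=utf-8

Hi, as discussed in the thread below, the updated documents are here:
http://files.example.net/download/thread
"""


def build_sample_archive() -> bytes:
    """Constructed ZIP standing in for the attacker's archive: a JS dropper
    behind a decoy .pdf extension plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4471.pdf.js", "// placeholder, not real dropper code\n")
        zf.writestr("readme.txt", "nothing to see\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(thread_hijack_indicators(SAMPLE_EMAIL))
    print(archive_dropper_findings(build_sample_archive()))
```

Neither check is conclusive on its own: legitimate mail gateways sometimes strip threading headers, and a ZIP of scripts can be benign. Together with the campaign's other traits (a link rather than an attachment, a download page that fingerprints the visitor) they give a mail-security or SOC team a reproducible first filter.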

Throughout September 2023, the DarkGate malware served as the final payload in these attacks, but it was subsequently replaced by PikaBot in October 2023.

PikaBot Has Extensive Anti-Analysis Measures

First observed in early 2023, PikaBot is a relatively new malware family made up of a loader and a core module, and it ships with robust anti-debugging, anti-VM and anti-emulation checks. The malware profiles the infected system in detail and sends the collected data to its command and control (C2) infrastructure, where it awaits further instructions.

The C2 can instruct the malware to download and execute additional modules, delivered as DLL or PE files, shellcode, or command-line commands, which makes it a versatile tool for follow-on activity.

Researchers caution that the PikaBot and DarkGate campaigns are run by skilled threat actors whose capabilities exceed those of typical phishers. Organizations are therefore urged to familiarize themselves with the Tactics, Techniques, and Procedures (TTPs) associated with this campaign.
