Technical Analysis Strings obfuscation The steps for decrypting a Pikabot string are relatively simple. Each string is decrypted only when required (in other words, Pikabot does not decrypt all strings at once). Pikabot follows the steps below to decrypt a string: Pushes on the stack the encrypted string array. Initializes the RC4 encryption algorithm. The […]
PikaBot, along with other malicious loaders like QBot and DarkGate, heavily depends on spam campaigns for distribution. Its initial access strategies are intricately crafted, utilizing geographically targeted spam emails for specific countries.
Feb 13, 2024NewsroomCyber Threat / Malware The threat actors behind the PikaBot malware have made significant changes to the malware in what has been described as a case of “devolution.” “Although it appears to be in a new development cycle and testing phase, the developers have reduced the complexity of the code by removing advanced […]
Trend Micro observed the Water Curupira actively propagating the Pikabot loader malware as part of campaigns, more aggressively in Q4 2023. Water Curupira is a Black Basta ransomware affiliate. Diving into Details Pikabot gained notoriety for its sophisticated multi-stage attack mechanism, capable of deploying a decrypted shellcode that extracts another DLL file, the actual payload. […]
Pikabot seems to have a binary version and a campaign ID. The keys 0fwlm4g and v2HLF5WIO are present in the JSON data, with the latter seemingly being a campaign ID. The malware creates a named pipe and uses it to temporarily store the additional information gathered by creating the following processes: whoami.exe /all ipconfig.exe /all […]
Dec 19, 2023NewsroomMalvertising / Browser Security The malware loader known as PikaBot is being distributed as part of a malvertising campaign targeting users searching for legitimate software like AnyDesk. “PikaBot was previously only distributed via malspam campaigns similarly to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577,” […]