Pikabot is a modular backdoor with a loader and a core component that implements most of the functionality. It employs a number of anti-analysis techniques that make its malicious activity harder to analyse and detect.
The analysis found similarities to Qakbot in distribution method, campaigns and malware behaviour, but no indication that the two share the same authors. Pikabot receives commands from a command-and-control server and can inject arbitrary shellcode, DLLs or executable files on the infected host.
Malicious functionality
After the loader carries out the initial infection, the core module implements the malicious functionality, including executing arbitrary commands and injecting the actual payload. The loader uses a code injector that decrypts the core module. The injector employs a number of anti-analysis techniques: the Windows API function Beep to delay execution, and the Windows API function CheckRemoteDebuggerPresent as well as attempts to load fake libraries to detect debuggers and sandboxes. System information such as the amount of memory or the number of processors is also queried. The public tool ADVobfuscator is used to obfuscate important strings of the malware. If any of the anti-analysis checks fail, Pikabot stops running.
To load the core module, Pikabot proceeds as follows. First, a set of PNG images stored in the resource section is loaded. Each image is decoded with a bitwise XOR operation and contains an encrypted part of the core module. The assembled code is decrypted with AES in CBC mode using a 32-byte key, with the first 16 bytes of the encrypted data serving as the initialization vector. After decrypting the main payload, the Pikabot injector creates a process from a file path, such as WerFault, and injects the core module into it.
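As an added illustration of this unpacking chain (not Zscaler's code and not taken from the sample), the Python below reverses the XOR and AES-CBC layers over a constructed set of resource chunks. The XOR byte, AES key, IV and chunk count are placeholders, since the write-up gives none of them, and a single-byte XOR key is assumed; the `cryptography` package is required.

```python
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constructed placeholders: a real sample's XOR byte and 32-byte AES key have to be
# recovered from the loader itself; the write-up does not give them.
XOR_KEY = 0x5A
AES_KEY = b"\x11" * 32
# Constructed stand-in for a core module: a PE-like header padded to whole AES blocks.
FAKE_CORE = (b"MZ" + b"\x90" * 14 + b"This program cannot be run in DOS mode.").ljust(64, b"\x00")


def xor_decode(blob: bytes, key: int) -> bytes:
    """Undo the bitwise XOR applied to each PNG resource (single-byte key assumed)."""
    return bytes(b ^ key for b in blob)


def aes_cbc_decrypt(key: bytes, data: bytes) -> bytes:
    """AES-CBC where the first 16 bytes of the ciphertext are the IV, as in the injector."""
    iv, body = data[:16], data[16:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).decryptor()
    return dec.update(body) + dec.finalize()


def extract_core(resources: list, xor_key: int, aes_key: bytes) -> bytes:
    """Reassemble the XOR-decoded resource chunks in order, decrypt, and sanity-check."""
    if len(aes_key) != 32:
        raise ValueError("Pikabot uses a 32-byte AES key")
    cipher = b"".join(xor_decode(r, xor_key) for r in resources)
    if len(cipher) < 32 or len(cipher) % 16:
        raise ValueError("assembled data is not IV + whole AES blocks; missing chunk?")
    plain = aes_cbc_decrypt(aes_key, cipher)
    # No padding is stripped here: the write-up does not state the padding scheme.
    if not plain.startswith(b"MZ"):
        raise ValueError("no PE header after decryption: wrong key or resource order?")
    return plain


def build_sample(core: bytes, xor_key: int, aes_key: bytes, chunks: int = 3) -> list:
    """Constructed test data only: store a fake core module the way the loader does."""
    iv = b"\x22" * 16  # constructed IV; a real sample carries its own as the first 16 bytes
    enc = Cipher(algorithms.AES(aes_key), modes.CBC(iv), backend=default_backend()).encryptor()
    cipher = iv + enc.update(core) + enc.finalize()
    step = -(-len(cipher) // chunks)  # ceiling division so every byte lands in a chunk
    return [xor_decode(cipher[i:i + step], xor_key) for i in range(0, len(cipher), step)]


if __name__ == "__main__":
    recovered = extract_core(build_sample(FAKE_CORE, XOR_KEY, AES_KEY), XOR_KEY, AES_KEY)
    print("core module header:", recovered[:16], "ok" if recovered == FAKE_CORE else "MISMATCH")
```

Against a real sample, the resource chunks would come from the loader's PE resource directory and the key from the injector's decryption routine.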
Delay in execution
Like the injector, the core module relies on further anti-analysis checks, such as a sleep function that delays execution; this uses the NtContinue API function together with a timer for activation. In addition to these checks, the language of the infected system is queried. If any of the following languages is found, execution is aborted: Georgian, Kazakh, Uzbek, Tajik, Russian, Ukrainian, Belarusian or Slovenian. Such behaviour is often observed among threat actors from CIS countries seeking to avoid prosecution. Once loading is complete, Pikabot registers the compromised host with the command-and-control server using the collected system information. As with other botnets, a unique identifier is created for the host. After registration, Pikabot begins its activity by querying the server for commands.
More at Zscaler.com
About Zscaler
Zscaler accelerates digital transformation so customers can become more agile, efficient, resilient, and secure. Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting people, devices, and applications anywhere. The SSE-based Zero Trust Exchange is the world's largest inline cloud security platform, distributed across 150+ data centers around the world.