PikaBot Returns: Malware Loader Sheds Complexity in New Attacks

Experts at Zscaler ThreatLabz have identified significant modifications in the functionality of the malicious software PikaBot. The new version, labeled 1.18.32, is currently undergoing a development and testing phase, during which the developers have notably streamlined the code’s structure by abandoning complex obfuscation methods and altering network communications.

First identified in May 2023, PikaBot functions as a malware loader and backdoor, facilitating the execution of commands and the delivery of payloads from a Command and Control (C2) server, thereby granting malefactors control over the infected host.


The analysis of PikaBot’s new version revealed that, despite the simplified code, the developers still rely on obfuscation, using simpler encryption algorithms and interspersing “junk” code among legitimate instructions to complicate analysis. A pivotal change is that the entire bot configuration is now stored unencrypted in a single memory block, diverging from the previous method where each element was encrypted separately and decoded at runtime. Additionally, the commands and the encryption algorithms used to protect traffic with the C2 servers have been modified.

This iteration of PikaBot suggests that the malware remains a significant cybersecurity threat and continues to evolve.

In November, Cofense discovered that the malicious programs DarkGate and PikaBot are being disseminated by cybercriminals using the same methods as those employed in attacks featuring the QakBot trojan, which was neutralized in August. DarkGate and PikaBot are capable of delivering additional payloads to infected hosts, rendering them appealing to malefactors. Analysts have noted the resemblance between PikaBot and QakBot, based on identical distribution methods, campaigns, and malicious behaviors.