PikaBot Resurfaces with Streamlined Code and Deceptive Tactics

By neub9 | Feb 13, 2024

In a recent update, the developers of the PikaBot malware have significantly simplified and reworked its code, a move researchers describe as a “devolution.”

Zscaler ThreatLabz researcher Nikolaos Pantazopoulos stated that “the developers have reduced the complexity of the code by removing advanced obfuscation techniques and changing the network communications.” PikaBot, first discovered in May 2023, is a malware loader and a backdoor designed to execute commands and inject payloads from a command-and-control (C2) server, enabling the attacker to control the infected host.

The malware is known to cease execution if the system’s language is Russian or Ukrainian, indicating that the operators are likely based in Russia or Ukraine. PikaBot and another loader called DarkGate have emerged as attractive options for threat actors to gain initial access to target networks through phishing campaigns and drop Cobalt Strike.

Zscaler’s analysis of the latest version of PikaBot (version 1.18.32) shows that the malware still relies on obfuscation, but with simpler encryption algorithms, and that it inserts junk code between valid instructions to hinder analysis.
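To illustrate what junk-code insertion does to a disassembly and how an analyst strips it before reading the real logic, here is an added example that is not part of the Zscaler report and does not reproduce PikaBot's actual filler patterns. It uses a constructed listing in which a few meaningful x86 instructions are interleaved with semantically null filler (`nop`, self-moves, `push`/`pop` of the same register, arithmetic with zero), and a small filter that removes the filler. The pattern list and the listing are assumptions for the demonstration.

```python
import re

# Constructed sample listing (not PikaBot code): real instructions
# interleaved with filler that leaves register state unchanged.
SAMPLE_LISTING = """
push ebp
mov ebp, esp
nop
mov eax, eax
push ecx
pop ecx
xchg ebx, ebx
mov eax, [ebp+8]
lea esi, [esi+0]
add eax, 0
sub eax, 0
xor eax, 0
ret
"""

# Single-instruction patterns that do not change any register or memory.
# Note: add/sub/xor/or with 0 still update the flags register, so a later
# conditional jump could depend on them; treat their removal as a reading
# aid and confirm no jcc consumes the flags before trusting the result.
NULL_SINGLE = [
    re.compile(r"^nop$"),
    re.compile(r"^mov (\w+), \1$"),            # mov reg, reg (same reg)
    re.compile(r"^xchg (\w+), \1$"),           # xchg reg, reg (same reg)
    re.compile(r"^lea (\w+), \[\1\+0\]$"),     # lea reg, [reg+0]
    re.compile(r"^(add|sub|xor|or) \w+, 0$"),  # arithmetic with zero
]

PUSH = re.compile(r"^push (\w+)$")
POP = re.compile(r"^pop (\w+)$")


def parse_listing(text):
    """Split a textual disassembly into stripped, non-empty instruction lines."""
    return [line.strip() for line in text.strip().splitlines() if line.strip()]


def is_null_instruction(ins):
    """True when the instruction matches one of the known filler patterns."""
    return any(p.match(ins) for p in NULL_SINGLE)


def strip_junk(instructions):
    """Return the listing with filler removed, including push X / pop X pairs."""
    out = []
    i = 0
    while i < len(instructions):
        ins = instructions[i]
        # A push immediately followed by a pop of the same register is a no-op.
        if i + 1 < len(instructions):
            m_push = PUSH.match(ins)
            m_pop = POP.match(instructions[i + 1])
            if m_push and m_pop and m_push.group(1) == m_pop.group(1):
                i += 2
                continue
        if is_null_instruction(ins):
            i += 1
            continue
        out.append(ins)
        i += 1
    return out


if __name__ == "__main__":
    cleaned = strip_junk(parse_listing(SAMPLE_LISTING))
    print("\n".join(cleaned))
```

Run as-is, the script reduces the thirteen-line sample to the four instructions that actually do work: the prologue, the argument load and the return. Real samples use far more varied filler, so a production pass is usually built on a disassembler's semantic model rather than on regular expressions, but the principle is the same.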

Additionally, the entire bot configuration is now stored in plaintext in a single memory block, rather than encrypting each element and decrypting it at runtime. The malware developers have also changed the C2 network communications, tweaking the command IDs and the encryption algorithm used to secure the traffic.
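The practical consequence of an unencrypted configuration block is that an analyst can recover it from a memory dump with a plain string scan, without first reversing the decryption routine. The following added example (not from the report, and not PikaBot's real config layout) demonstrates this on a constructed byte block: it pulls printable runs out of the block and picks out anything shaped like a `host:port` C2 endpoint. The block contents, including the documentation-range addresses, are invented for the example.

```python
import re

# Constructed memory block standing in for a dumped config region.
# Layout and values are invented; only the version string matches the
# version discussed in the article.
SAMPLE_BLOCK = (
    b"\x00\x00\x00\x00"
    b"1.18.32\x00"                 # version string
    b"\x41\x42\x00"                # too short to count as a string
    b"203.0.113.10:443\x00"        # constructed C2 endpoint
    b"\x7f\x80\xff"                # non-printable filler
    b"198.51.100.7:2222\x00"       # constructed C2 endpoint
    b"campaign-placeholder\x00"    # constructed campaign tag
    b"\x00\x00"
)

# IPv4:port shape; hostnames would need a broader pattern.
ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def extract_strings(block, min_len=4):
    """Return every run of at least min_len printable ASCII bytes, in order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(block)]


def find_c2_endpoints(strings):
    """Filter extracted strings down to (ip, port) tuples with a valid port."""
    endpoints = []
    for s in strings:
        m = ENDPOINT.match(s)
        if not m:
            continue
        port = int(m.group(2))
        if 0 < port < 65536:
            endpoints.append((m.group(1), port))
    return endpoints


def summarize_config(block):
    """Recover the plaintext strings and candidate C2 endpoints from a block."""
    strings = extract_strings(block)
    return {"strings": strings, "c2": find_c2_endpoints(strings)}


if __name__ == "__main__":
    summary = summarize_config(SAMPLE_BLOCK)
    print("strings:", summary["strings"])
    print("c2 endpoints:", summary["c2"])
```

With an encrypted per-element configuration, the same scan over the same region would return nothing useful; the analyst would first have to locate and reimplement the decryption routine. That difference is why the change reads as a step backwards for the malware's authors and a gain for defenders.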

According to the researchers, the developers are making a conscious effort to simplify PikaBot’s code by removing advanced obfuscation features. The same report also warns of an ongoing cloud account takeover (ATO) campaign targeting Microsoft Azure environments that has compromised hundreds of user accounts.
