A new entity, PikaBot, runs various malicious commands

July 26, 2023
Tags: Entity, Cyber Threat, PikaBot, Malware, Malicious Commands, DLL Sideloading

The newly discovered trojan PikaBot has shown it can execute a wide range of malicious commands on a compromised device.

Researchers who first identified this modular malware earlier this year have now published a dissection of it. Their analysis also compares PikaBot to the QakBot trojan, since the two share the same distribution tactics.

According to the reports, the malware operates as a backdoor built from two primary components: a loader and a core module. Together they give its operators unauthorised remote access to infected systems.

The core module retrieves commands from an attacker-controlled command-and-control (C2) server. These commands include injecting arbitrary shellcode, executables, or DLLs, which lets the operators deploy additional payloads such as Cobalt Strike.


PikaBot starts its operation by clearing its path and evading debuggers.


After a successful infection, PikaBot's injector runs anti-analysis checks to detect attached debuggers and breakpoints, and collects system information about the host, before it decrypts and deploys the core module payload.

The core module is stored encrypted inside PNG images; once decrypted, it is injected into a chosen process such as WerFault.exe. Before injecting, the loader applies a process mitigation policy so that the target process will only load binaries signed by Microsoft, a known trick for keeping security products' user-mode hook DLLs out of the injected process. The trojan also terminates itself if the infected system's language is Tajik, Uzbek, Kazakh, or Georgian.
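Encrypted payloads hidden in PNG resources are a useful triage target. The following is an added example, not PikaBot's code and not the researchers' tooling: a Python helper that walks an arbitrary byte blob (for instance a dumped PE resource section), finds embedded PNGs, and flags any whose IDAT data does not decompress to the pixel buffer its IHDR promises, that carry chunk types outside the PNG specification, or whose chunk CRCs are wrong. The chunk and scanline layout checks follow the PNG specification for non-interlaced images; the three sample PNGs and the surrounding blob are constructed inline and are hypothetical, not PikaBot artefacts, and the chunk name "pYlD" and the filler bytes are invented for the example.

```python
"""Added example: triage embedded PNGs for signs they carry something other than pixels.
Not PikaBot's code; the sample PNGs below are constructed, not real artefacts."""
import hashlib
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec; anything else deserves a look.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
                b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME"}
SAMPLES = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # samples per pixel, keyed by PNG colour type


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 means random-looking (compressed or encrypted)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def parse_chunks(blob: bytes, start: int):
    """Walk chunks from the PNG signature at `start`; returns (chunks, end_offset, crc_errors)."""
    pos, chunks, crc_errors = start + len(PNG_SIG), [], 0
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        crc_off = pos + 8 + length
        if crc_off + 4 > len(blob):
            break  # truncated chunk: stop rather than read past the blob
        data = blob[pos + 8:crc_off]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", blob[crc_off:crc_off + 4])[0]:
            crc_errors += 1
        chunks.append((ctype, data))
        pos = crc_off + 4
        if ctype == b"IEND":
            break
    return chunks, pos, crc_errors


def triage_png(blob: bytes, start: int) -> dict:
    """Flag a PNG whose IDAT is not real (non-interlaced) image data or that carries unknown chunks."""
    chunks, end, crc_errors = parse_chunks(blob, start)
    reasons = []
    if crc_errors:
        reasons.append(f"{crc_errors} chunk CRC mismatch(es)")
    unknown = sorted({t.decode("latin-1") for t, _ in chunks if t not in KNOWN_CHUNKS})
    if unknown:
        reasons.append("non-standard chunks: " + ",".join(unknown))
    idat = b"".join(d for t, d in chunks if t == b"IDAT")
    ihdr = next((d for t, d in chunks if t == b"IHDR"), b"")
    if len(ihdr) != 13:
        reasons.append("missing or malformed IHDR")
    else:
        width, height, depth, ctype = struct.unpack(">IIBB", ihdr[:10])
        try:
            raw = zlib.decompress(idat)
            # Each scanline is one filter byte plus the packed samples of one row.
            expected = height * (1 + (width * SAMPLES.get(ctype, 1) * depth + 7) // 8)
            if len(raw) != expected:
                reasons.append(f"decompressed IDAT is {len(raw)} bytes, expected {expected}")
        except zlib.error:
            reasons.append("IDAT is not a zlib stream")
    return {"offset": start, "size": end - start, "idat_entropy": round(shannon_entropy(idat), 2),
            "reasons": reasons, "suspicious": bool(reasons)}


def triage_blob(blob: bytes) -> list:
    """Find every PNG signature in a byte blob (e.g. a dumped resource section) and triage each."""
    results, pos = [], blob.find(PNG_SIG)
    while pos != -1:
        results.append(triage_png(blob, pos))
        pos = blob.find(PNG_SIG, pos + len(PNG_SIG))
    return results


# --- constructed samples (hypothetical, not PikaBot artefacts) ---
def _chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def build_png(idat: bytes, extra=()) -> bytes:
    """2x2, 8-bit RGB, non-interlaced PNG with the given IDAT payload and optional extra chunks."""
    body = _chunk(b"IHDR", struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)) + _chunk(b"IDAT", idat)
    body += b"".join(_chunk(t, d) for t, d in extra)
    return PNG_SIG + body + _chunk(b"IEND", b"")


def ciphertext_like(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


PIXELS = zlib.compress(b"\x00\xff\x00\x00\x00\xff\x00" * 2)  # two real scanlines: filter byte + 2 RGB pixels
BENIGN_PNG = build_png(PIXELS)
WRAPPER_PNG = build_png(ciphertext_like(1024))                     # IDAT holds "ciphertext", not pixels
TAGGED_PNG = build_png(PIXELS, [(b"pYlD", ciphertext_like(512))])  # payload parked in an unknown ancillary chunk
SAMPLE_BLOB = b"\x00" * 16 + BENIGN_PNG + b"RSRC" * 4 + WRAPPER_PNG + b"\xcc" * 8 + TAGGED_PNG


def triage_samples() -> list:
    return triage_blob(SAMPLE_BLOB)


if __name__ == "__main__":
    for r in triage_samples():
        print(r)
```

The decompress-and-measure check is the discriminating one: IDAT data from a real image is zlib-compressed and therefore already looks high-entropy, so entropy alone cannot separate pixels from ciphertext, whereas a payload dropped straight into IDAT will either fail to inflate or inflate to the wrong size for the declared dimensions. Run it against the resource section of a suspect loader rather than the whole binary to keep the noise down.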

Experts also note overlaps with the Matanbuchus loader. Both are written in C/C++, both are split into a loader and a core component, both lean heavily on hard-coded strings, and both wrap their network traffic in JSON with Base64 encoding and encryption. These similarities suggest a possible link between the two families, though code-level overlap alone does not establish shared authorship.

This month the researchers identified a couple of command-and-control servers linked to PikaBot. They also note that the malware is still in active development and is likely to expand its attack scope soon.

Organisations should deploy detection tools capable of catching such strains at the initial infection stage. In practice that means alerting on the behaviours described above: unexpected WerFault.exe instances and code injection into them, and outbound beacons that carry Base64-encoded JSON inside encrypted traffic to unfamiliar hosts.
