FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
agat (Staff)

Article Id 296701

Introduction

Pikabot is an advanced loader malware recently used by the threat actor ‘Water Curupira’[1]. Researchers have identified similarities between Qakbot and Pikabot[2], with Pikabot appearing to replace Qakbot. As a result of this changeover there was an increase in phishing campaigns using Pikabot in the last quarter of 2023.

Pikabot appears to be deployed in the same way Qakbot was: primarily as a malicious attachment delivered through opportunistic phishing campaigns. Once deployed, Pikabot is typically used to deploy second-stage backdoors such as Cobalt Strike. Given the increasing prevalence of Pikabot over the last few months, organizations should ensure they are employing security solutions able to detect and mitigate this threat.

The Pikabot sample analyzed in this article (SHA1: d3bb0d4bf36e095c39fe1552a9440ecacec901d8) was delivered to the victim as an .IMG (disk image) file attached to a phishing email. It should be noted that FortiEDR was configured in ‘Log Only’ mode for the investigation described in this article, in order to show that it could detect the malware at every step of its operation.

Attack Diagram

Figure 1. Pikabot attack diagram

Analysis

When opened in Windows Explorer, the ‘.IMG’ file is mounted and can be seen to contain a shortcut/link (.LNK) file named ‘document.docx.lnk’ and a hidden ‘inf2.dll’ file (SHA1: 469567c2bf172c4e0d270b085ae9acaf0559c066). The link file uses a double extension (document.docx.lnk) to lure the user into thinking a Word document is being opened (T1036.007 - Masquerading: Double File Extension). The content of the ‘.IMG’ file and of the ‘.LNK’ file can be observed in Figure 2. The content of the link file indicates that the DLL will be executed using ‘rundll32.exe’, with the exported function ‘Limit’ from the DLL being called. This DLL is unsigned but carries file version information describing it as a Microsoft Visual Studio library file (T1036.001 - Masquerading: Invalid Code Signature).

Figure 2. Content of the .IMG file, showing two files, and the content of the .LNK file

Analysis of the ‘inf2.dll’ file identified a total of 1515 exported functions, most of which are not called at execution time. Fortunately, the .LNK file gives us the starting function, ‘Limit’, which is called when the DLL is executed through rundll32. All the other, dummy, functions have names starting with ‘J’ or ‘J_’. These functions were likely added to slow down the reverse engineering process (T1027 – Obfuscated Files or Information). This can be observed in the CFF Explorer screenshot in Figure 3.

Figure 3. Dummy exported functions in inf2.dll alongside the actual function ‘Limit’ that is called. Output from CFF Explorer[3].

When the shortcut file is opened by the victim it executes the malicious ‘inf2.dll’ file using the Windows utility ‘rundll32.exe’ with the parameter ‘Limit’. FortiEDR detected the file as malicious based on its file signature and blocked its execution. As demonstrated in previous KB articles, FortiEDR also includes ML and online sandboxing to detect files with characteristics similar to known malware, which allows it to detect unknown variants of known malware, such as future iterations of Pikabot. The security event generated by FortiEDR as a result of this detection can be observed in Figure 4.

Figure 4. FortiEDR detected and blocked execution of the malicious Pikabot DLL file.

If allowed to execute, the malicious ‘inf2.dll’ file creates a suspended process of the Windows utility ‘SearchProtocolHost’ (%system\SearchProtocolHost.exe) and injects its own malicious code into this process, an example of the technique called process hollowing (T1055 – Process Injection: Process Hollowing). The injected executable (SHA1: C1EC265FF537D52162E6D5243D70CD2325360E49) was dumped using the FortiEDR forensics retrieve feature and is identified as a Pikabot executable. Once running in the hollowed ‘SearchProtocolHost.exe’ process, the Pikabot executable runs the following commands for discovery on the infected endpoint:

whoami.exe /all
ipconfig.exe /all
netstat.exe -aon

The command execution can be observed in the FortiEDR Threat Hunting data, as shown in Figure 5 below:

Figure 5. FortiEDR Threat Hunting page showing commands executed by the hollowed SearchProtocolHost.exe process

After collecting information with the above commands, the hollowed ‘SearchProtocolHost.exe’ process communicates with multiple IP addresses via HTTP requests to send the information collected by those commands. FortiEDR detects these network connections as malicious and blocks them. The associated security event generated by FortiEDR can be observed in Figure 5, and the related threat hunting telemetry for these requests in Figure 6.

Figure 6. FortiEDR blocks malicious C2 communications from Pikabot

The hollowed ‘SearchProtocolHost.exe’ process communicated with the following seven URLs after execution of the Pikabot sample:

http[:]//158.247.253[.]155:2225
http[:]//137.220.55[.]190:2223
http[:]//154.61.75[.]156:2078
http[:]//154.92.19[.]139:2222
http[:]//172.233.156[.]100:1372
http[:]//70.34.209[.]101:1372
http[:]//139.180.216[.]25:2967

These malicious connections can be observed in the Threat Hunting section of FortiEDR, as shown in Figure 7 below:

Figure 7. Pikabot connection attempts to C2 servers recorded in FortiEDR Threat Hunting data.

When these URLs were checked in the FortiGuard Central Threat System (CTS), all of them were found to be known Pikabot C2 servers. The associated CTS data can be observed in Figure 8.

Figure 8. CTS results showing URLs blocked by FortiEDR are linked to known Pikabot C2 URLs.

Conclusion

FortiEDR is able to detect and mitigate the execution of Pikabot malware. The Pikabot sample analyzed in this report was blocked at initial execution, as were its subsequent C2 communication attempts. FortiEDR also identified the process hollowing activity performed as part of the infection, effectively isolating the hollowed ‘SearchProtocolHost.exe’ process and preventing further malicious behavior. The executable code injected through this process hollowing was readily retrieved with FortiEDR's forensics functions and was used to support the analysis in this article.

Note that throughout this analysis FortiEDR was configured in ‘Log Only’ mode to demonstrate its detection capabilities against malicious execution. In ‘Prevention Mode’ all detected activity is blocked by the associated policies. Some useful threat hunting queries are provided in the next section to support proactive threat hunting.

Threat Hunting

The following Threat Hunting query returns Process Creation events where ‘rundll32.exe’ is executed with the parameters ‘inf2.dll, Limit’, which match the command line arguments provided by the analyzed Pikabot .LNK file.

Type: ("Process Creation") AND Target.Process.File.Name: ("rundll32.exe") AND Target.Process.CommandLine: ("inf2.dll,Limit")

The following Threat Hunting query will return Process Creation events where the process ‘SearchProtocolHost.exe’ was created by ‘rundll32.exe’. This is highly anomalous behavior.

Type: ("Process Creation") AND Target.Process.File.Name: ("SearchProtocolHost.exe") AND Source.Process.Name: ("rundll32.exe")

The following Threat Hunting query will return Process Creation events where the process ‘SearchProtocolHost.exe’ executes command ‘whoami.exe’ with parameter ‘/all’. This is highly anomalous behavior.

Type: ("Process Creation") AND Source.Process.Name: ("SearchProtocolHost.exe") AND Target.Process.File.Name: ("whoami.exe") AND Target.Process.CommandLine: ("\/all")

The following Threat Hunting query will return Process Creation events where the process ‘SearchProtocolHost.exe’ executes the command ‘ipconfig.exe’ with the parameter ‘/all’. This is highly anomalous behavior.

Type: ("Process Creation") AND Source.Process.Name: ("SearchProtocolHost.exe") AND Target.Process.File.Name: ("ipconfig.exe") AND Target.Process.CommandLine: ("\/all")

The following Threat Hunting query will return Process Creation events where the process ‘SearchProtocolHost.exe’ executes command ‘NETSTAT.EXE’ with parameter ‘-aon’. This is highly anomalous behavior.

Type: ("Process Creation") AND Source.Process.Name: ("SearchProtocolHost.exe") AND Target.Process.File.Name: ("NETSTAT.EXE") AND Target.Process.CommandLine: ("\-aon")

The following Threat Hunting query will return HTTP Request events where the process ‘SearchProtocolHost.exe’ performs HTTP requests to any of these known Pikabot C2 URLs. Note that these URLs may change in future campaigns, in which case the query will need to be updated.

Type: ("HTTP Request") AND Source.Process.Name: ("SearchProtocolHost.exe") AND URL: ("http\:\/\/158.247.253.155\:2225" OR "http\:\/\/137.220.55.190\:2223" OR "http\:\/\/154.61.75.156\:2078" OR "http\:\/\/154.92.19.139\:2222" OR "http\:\/\/172.233.156.100\:13721" OR "http\:\/\/70.34.209.101\:1372" OR "http\:\/\/139.180.216.25\:2967")

The following Threat Hunting query will return ‘Socket Connect’ events where the remote IP address and port match one of the C2 endpoints the malware connected to.

Type: ("Socket Connect") AND RemoteIP: ("158.247.253.155" OR "137.220.55.190" OR "154.61.75.156" OR "154.92.19.139" OR "172.233.156.100" OR "70.34.209.101" OR "139.180.216.25") AND RemotePort: ("2225" OR "2223" OR "2078" OR "2222" OR "13721" OR "1372" OR "2967")
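
As an added example (not FortiEDR code or the article's own queries), the Python below expresses the same hunting logic as the queries in this section as a function over flat event records, so the rules can be exercised against constructed telemetry offline. The field names (type, source, target, cmdline, remote_ip, remote_port) and the sample events are assumptions; the C2 list uses the IP addresses and ports from the URL list earlier in this article.

```python
"""Pikabot-style behaviour matching over endpoint telemetry.  Added example, not FortiEDR
code: the records are constructed to mirror the Threat Hunting queries above, and the
flat field names (type, source, target, cmdline, remote_ip, remote_port) are an assumption."""

# Known Pikabot C2 endpoints (IP, port) listed in this article, for the Socket Connect rule.
PIKABOT_C2 = {
    ("158.247.253.155", 2225), ("137.220.55.190", 2223), ("154.61.75.156", 2078),
    ("154.92.19.139", 2222), ("172.233.156.100", 1372), ("70.34.209.101", 1372),
    ("139.180.216.25", 2967)}
# Discovery commands seen from the hollowed process, with the parameter each must carry.
DISCOVERY = {"whoami.exe": "/all", "ipconfig.exe": "/all", "netstat.exe": "-aon"}

def classify(ev: dict) -> list:
    """Return the names of the hunting rules an event matches (empty list if none)."""
    hits = []
    src = ev.get("source", "").lower()   # initiating (parent) process name
    tgt = ev.get("target", "").lower()   # created (child) process name
    cmd = ev.get("cmdline", "").lower()
    if ev["type"] == "Process Creation":
        # The .LNK runs rundll32.exe with 'inf2.dll,Limit'; tolerate a space after the comma.
        if tgt == "rundll32.exe" and "inf2.dll,limit" in cmd.replace(", ", ","):
            hits.append("rundll32_inf2_limit")
        # SearchProtocolHost.exe is started by the search indexer, not by rundll32.exe.
        if src == "rundll32.exe" and tgt == "searchprotocolhost.exe":
            hits.append("rundll32_spawns_searchprotocolhost")
        # The hollowed indexer host running whoami / ipconfig / netstat discovery.
        if src == "searchprotocolhost.exe" and tgt in DISCOVERY and DISCOVERY[tgt] in cmd:
            hits.append("searchprotocolhost_runs_" + tgt)
    elif ev["type"] == "Socket Connect":
        if (ev.get("remote_ip"), ev.get("remote_port")) in PIKABOT_C2:
            hits.append("pikabot_c2_socket")
    return hits

def hunt(events) -> list:
    """Return (event index, rule name) pairs for every event that matches a rule."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]

# Constructed sample telemetry following the infection chain described in the article.
SAMPLE_EVENTS = [
    {"type": "Process Creation", "source": "explorer.exe", "target": "rundll32.exe",
     "cmdline": "rundll32.exe inf2.dll,Limit"},
    {"type": "Process Creation", "source": "rundll32.exe", "target": "SearchProtocolHost.exe",
     "cmdline": "SearchProtocolHost.exe"},
    {"type": "Process Creation", "source": "SearchProtocolHost.exe", "target": "NETSTAT.EXE",
     "cmdline": "NETSTAT.EXE -aon"},
    {"type": "Socket Connect", "source": "SearchProtocolHost.exe",
     "remote_ip": "172.233.156.100", "remote_port": 1372},
]
```

hunt(SAMPLE_EVENTS) returns one (index, rule) pair per matching event; a SearchProtocolHost.exe started by SearchIndexer.exe, its normal parent, matches nothing.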

MITRE ATT&CK

Note: The indicators in the observed activity for each MITRE technique are relevant to the analyzed campaign and may change in future campaigns.

TA0002 - Execution

| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1204.002 | User Execution: Malicious File | The Pikabot .IMG file is sent to the victim, who is lured into mounting it and opening the .LNK file inside it, infecting the endpoint. |

TA0005 - Defense Evasion

| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1218.011 | System Binary Proxy Execution: Rundll32 | Pikabot executes its payload, a DLL file, via the Windows rundll32.exe. In this scenario rundll32.exe spawns from the Windows Explorer process. |
| T1055.012 | Process Injection: Process Hollowing | Pikabot executes SearchProtocolHost.exe in a suspended state and injects its code into this process. |
| T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | The Pikabot .IMG file is sent to the victim, who is lured into mounting it and opening the .LNK file inside it, infecting the endpoint. |
| T1027 | Obfuscated Files or Information | Pikabot uses a malicious DLL file for execution; this file has more than 1000 dummy exported functions to delay reverse engineering. |
| T1036.001 | Masquerading: Invalid Code Signature | The Pikabot DLL file is unsigned but has file version information describing it as a Microsoft Visual Studio library file. |
| T1036.007 | Masquerading: Double File Extension | The .IMG file contains a file with a double extension (document.docx.lnk) to lure the user into thinking a Word document is being opened. |

TA0007 - Discovery

| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1082 | System Information Discovery | Pikabot performs process hollowing on SearchProtocolHost.exe, and the injected executable performs system information discovery by spawning child cmd processes to execute the whoami, ipconfig and netstat commands. |

TA0011 - Command and Control

| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1571 | Non-Standard Port | Pikabot uses unusual ports such as 13720, 2223, 2967, 2078 etc. for its C2 communication. This communication is via HTTP web requests to these ports. |
| T1071.001 | Application Layer Protocol: Web Protocols | Pikabot sends HTTP requests in its C2 communication. |

IOC

| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
|---|---|---|---|---|---|
| Malicious .IMG File | D3BB0D4BF36E095C39FE1552A9440ECACEC901D8 | SHA1 Hash | Installation | .IMG file containing Pikabot | 2023-11-21 |
| Malicious Executable | 3CD3750507971E8F9EEF55249E5B2646855652C6 | SHA1 Hash | Installation | .LNK file residing in the .IMG file | 2023-11-21 |
| Malicious Executable | 469567C2BF172C4E0D270B085AE9ACAF0559C066 | SHA1 Hash | Installation | Malicious DLL file inside the .IMG file | 2023-11-21 |
| Malicious URL | http[:]//158.247.253[.]155:2225 | URL | C2 Communication | C2 URL of Pikabot | 2023-11-21 |
| Malicious URL | http[:]//137.220.55[.]190:2223 | URL | C2 Communication | C2 URL of Pikabot | 2023-11-21 |
| Malicious URL | http[:]//154.61.75[.]156:2078 | URL | C2 Communication | C2 URL of Pikabot | 2023-10-26 |
| Malicious URL | http[:]//154.92.19[.]139:2222 | URL | C2 Communication | C2 URL of Pikabot | 2023-10-23 |
| Malicious URL | http[:]//172.233.156[.]100:1372 | URL | C2 Communication | C2 URL of Pikabot | 2024-01-01 |
| Malicious URL | http[:]//139.180.216[.]25:2967 | URL | C2 Communication | C2 URL of Pikabot | 2023-11-21 |

[1] https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html

[2] https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/

[3] https://ntcore.com/?page_id=388