Pikabot is an advanced loader malware recently used by the threat actor ‘Water Curupira’[1]. Researchers have identified similarities between Qakbot and Pikabot[2], with Pikabot appearing to replace Qakbot. As a result of this changeover there was an increase in phishing campaigns using Pikabot in the last quarter of 2023.
Pikabot appears to be deployed in the same way as Qakbot was, that is, primarily delivered as a malicious attachment through opportunistic phishing campaigns. Once deployed, Pikabot is typically used to deploy second-stage backdoors such as Cobalt Strike. Given the increasing prevalence of Pikabot over the last few months, organizations should ensure they are employing security solutions able to detect and mitigate this threat.
The Pikabot sample analyzed in this article (SHA1: d3bb0d4bf36e095c39fe1552a9440ecacec901d8) was delivered to the victim as an .IMG (disk image) file attached to a phishing email. Note that FortiEDR was set up in "Log Only" mode for the investigation described in this article in order to show that it can detect the malware at every step of its operation.
Figure 1. Pikabot attack diagram
When opened in Windows Explorer the ‘.IMG’ file is mounted and can be seen to contain a shortcut/link (.LNK) file named ‘document.docx.lnk’ and a hidden ‘inf2.dll’ file (SHA1: 469567c2bf172c4e0d270b085ae9acaf0559c066). The link file uses a double extension (document.docx.lnk) to lure the user into thinking a Word document is being opened (T1036.007 - Masquerading: Double File Extension). The contents of the ‘.IMG’ file and of the ‘.LNK’ file can be seen in Figure 2 below. The content of the link file shows that the DLL will be executed using ‘rundll32.exe’ and that the export ‘Limit’ of the DLL will be called. This DLL is unsigned but carries file version information identifying it as a Microsoft Visual Studio library file (T1036.001 - Masquerading: Invalid Code Signature).
Figure 2. Content of .IMG file showing two files and .LNK file
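As an added example (not code from the original article or from Fortinet), the following Python script parses the string data of a Windows shell link (.LNK) file to recover the target path and command-line arguments, then applies the two checks described above: a double extension in the file name, and a rundll32 invocation that names a DLL and an export. The sample .LNK bytes are constructed inline from the MS-SHLLINK layout; the field values (a relative path to rundll32.exe and the argument string ‘inf2.dll,Limit’) are assumptions modelled on the description above, not bytes taken from the real document.docx.lnk, which may store its target in the LinkTargetIDList rather than the RelativePath field.

```python
import struct

# Constants from the MS-SHLLINK (Shell Link) binary format.
LNK_HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} in its on-disk little-endian layout.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link as a dict."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to hold a ShellLinkHeader")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or CLSID")
    flags, = struct.unpack_from("<I", data, 20)
    offset = LNK_HEADER_SIZE
    # Skip the optional LinkTargetIDList (2-byte size prefix; size excludes the prefix).
    if flags & HAS_LINK_TARGET_ID_LIST:
        id_list_size, = struct.unpack_from("<H", data, offset)
        offset += 2 + id_list_size
    # Skip the optional LinkInfo block (4-byte size field that includes itself).
    if flags & HAS_LINK_INFO:
        link_info_size, = struct.unpack_from("<I", data, offset)
        offset += link_info_size
    unicode = bool(flags & IS_UNICODE)
    char_width = 2 if unicode else 1
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, offset)  # CountCharacters, no terminator
        offset += 2
        raw = data[offset:offset + count * char_width]
        if len(raw) != count * char_width:
            raise ValueError(f"truncated StringData field {key}")
        offset += count * char_width
        fields[key] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def triage_lnk(file_name: str, fields: dict) -> list:
    """Apply the two lure/execution checks described in the article."""
    findings = []
    parts = file_name.lower().split(".")
    if len(parts) >= 3 and parts[-1] == "lnk":
        findings.append(f"double extension: .{parts[-2]}.lnk")
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "")
    if "rundll32" in target and "," in args:
        dll, export = (s.strip() for s in args.split(",", 1))
        findings.append(f"rundll32 loads {dll} and calls export {export}")
    return findings


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .LNK with only RelativePath and Arguments set (test fixture)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        LNK_HEADER_SIZE, LNK_CLSID, flags,
        0x20,        # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,     # CreationTime, AccessTime, WriteTime
        0,           # FileSize
        0,           # IconIndex
        1,           # ShowCommand: SW_SHOWNORMAL
        0, 0, 0, 0,  # HotKey, Reserved1, Reserved2, Reserved3
    )

    def string_data(value: str) -> bytes:
        return struct.pack("<H", len(value)) + value.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    # Assumed values modelled on the article's description, not bytes from the real sample.
    sample = build_sample_lnk("..\\..\\Windows\\System32\\rundll32.exe", "inf2.dll,Limit")
    for finding in triage_lnk("document.docx.lnk", parse_lnk(sample)):
        print(finding)
```

The parser deliberately validates the header CLSID and the length of every string field, so a truncated or malformed link raises instead of returning partial data; for real triage the same `parse_lnk` can be fed the bytes of a suspicious .LNK read from the mounted image.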
Analysis of this ‘inf2.dll’ file identified a total of 1515 exported functions, most of which are never called during execution. Fortunately, the .LNK file gives us the starting function, ‘Limit’, which is called when the DLL is executed through rundll32. All the other dummy functions have names starting with ‘J’ or ‘J_’. These functions were likely added to slow down reverse engineering (T1027 – Obfuscated Files or Information). This can be seen in the screenshot from the CFF Explorer tool in Figure 3.
Figure 3. Dummy exported functions in inf2.dll and actual function ‘Limit’ which is called. Output from CFF explorer[3].
When the shortcut file is opened by the victim it executes the malicious ‘inf2.dll’ file using the Windows utility ‘rundll32.exe’ with the parameter ‘Limit’. FortiEDR detected the file as malicious based on its file signature and blocked its execution. As demonstrated in previous KB articles, FortiEDR also includes ML and online sandboxing to detect files with characteristics similar to known malware, which allows FortiEDR to detect unknown variants of known malware, such as future iterations of Pikabot. The security event generated by FortiEDR as a result of this detection can be seen in Figure 4 below.
Figure 4. FortiEDR detected and blocked execution of malicious Pikabot DLL file.
If allowed to execute, the malicious ‘inf2.dll’ file creates a suspended process of the Windows utility ‘SearchProtocolHost.exe’ (%system\SearchProtocolHost.exe) and injects its own malicious code into this process, an example of the technique called process hollowing (T1055 – Process Injection: Process Hollowing). The injected executable file (SHA1: C1EC265FF537D52162E6D5243D70CD2325360E49) was dumped using the FortiEDR forensics retrieve feature and is identified as a Pikabot executable. Once running in the hollowed ‘SearchProtocolHost.exe’ process, the Pikabot executable runs the following commands for discovery on the infected endpoint:
whoami.exe /all
ipconfig.exe /all
netstat.exe -aon
The command execution can be observed in FortiEDR Threat Hunting data, as shown in Figure 5 below:
Figure 5. FortiEDR Threat Hunting page showing commands executed by hollowed process SearchProtocolHost.exe
After collecting information from the above commands, the hollowed ‘SearchProtocolHost.exe’ process communicates with multiple IP addresses via HTTP requests to send the information collected by the previous commands. FortiEDR detects these network connections as malicious and blocks them. The associated security event generated by FortiEDR can be seen in Figure 6, and the related threat hunting telemetry for these requests can be seen in Figure 7.
Figure 6. FortiEDR blocks malicious C2 communications from Pikabot
The hollowed ‘SearchProtocolHost.exe’ process communicated with the following seven URLs after execution of the Pikabot sample:
http[:]//158.247.253[.]155:2225
http[:]//137.220.55[.]190:2223
http[:]//154.61.75[.]156:2078
http[:]//154.92.19[.]139:2222
http[:]//172.233.156[.]100:1372
http[:]//70.34.209[.]101:1372
http[:]//139.180.216[.]25:2967
These malicious connections can be observed in the Threat Hunting section of FortiEDR, as shown in Figure 7 below:
Figure 7. Pikabot connection attempts to C2 server recorded in FortiEDR Threat Hunting data.
When we checked these URLs in the FortiGuard Central Threat System (CTS), all of them were found to be known Pikabot C2 servers. The associated CTS data can be seen in Figure 8.
Figure 8. CTS results showing URLs blocked by FortiEDR are linked to known Pikabot C2 URLs.
FortiEDR is able to detect and mitigate the execution of Pikabot malware. The Pikabot sample analyzed in this report was blocked at initial execution, as were the subsequent C2 communication attempts. FortiEDR also identified the process hollowing activity performed as part of the infection, effectively isolating the hollowed ‘SearchProtocolHost.exe’ process and preventing further malicious behavior. The executable code injected through this process hollowing was readily retrieved with the FortiEDR forensics functions and was used to support the analysis in this article.
Note that throughout this analysis, FortiEDR was configured in ‘Log Only’ mode to demonstrate its detection capabilities against malicious execution. In ‘Prevention Mode’ all detected activity is blocked by the associated policies. Some useful threat hunting queries are provided in the next section to support proactive threat hunting.
The following Threat Hunting query returns Process Creation events where ‘rundll32.exe’ is executed with the parameters ‘inf2.dll,Limit’, matching the command line arguments supplied by the analyzed Pikabot .LNK file.
Type: ("Process Creation") AND Target.Process.File.Name: ("rundll32.exe") AND Target.Process.CommandLine: ("inf2.dll,Limit")
The following Threat Hunting query will return Process Creation events where the process ‘SearchProtocolHost.exe’ was created by ‘rundll32.exe’. This is highly anomalous behavior.
Type: ("Process Creation") AND Target.Process.File.Name: ("SearchProtocolHost.exe") AND Source.Process.Name: ("rundll32.exe")
The following Threat Hunting query will return Process Creation events where the process ‘SearchProtocolHost.exe’ executes command ‘whoami.exe’ with parameter ‘/all’. This is highly anomalous behavior.
Type: ("Process Creation") AND Source.Process.Name: ("SearchProtocolHost.exe") AND Target.Process.File.Name: ("whoami.exe") AND Target.Process.CommandLine: ("\/all")
The following Threat Hunting query will return Process Creation events where the process ‘SearchProtocolHost.exe’ executes command ‘ipconfig.exe’ with parameter ‘/all’. This is highly anomalous behavior.
Type: ("Process Creation") AND Source.Process.Name: ("SearchProtocolHost.exe") AND Target.Process.File.Name: ("ipconfig.exe") AND Target.Process.CommandLine: ("\/all")
The following Threat Hunting query will return Process Creation events where the process ‘SearchProtocolHost.exe’ executes command ‘NETSTAT.EXE’ with parameter ‘-aon’. This is highly anomalous behavior.
Type: ("Process Creation") AND Source.Process.Name: ("SearchProtocolHost.exe") AND Target.Process.File.Name: ("NETSTAT.EXE") AND Target.Process.CommandLine: ("\-aon")
The following Threat Hunting query will return HTTP Request events where the process ‘SearchProtocolHost.exe’ performs an HTTP request to any of the known Pikabot C2 URLs listed above. Note that these URLs are likely to change in future campaigns, in which case the query will need to be updated.
Type: ("HTTP Request") AND Source.Process.Name: ("SearchProtocolHost.exe") AND URL: ("http\:\/\/158.247.253.155\:2225" OR "http\:\/\/137.220.55.190\:2223" OR "http\:\/\/154.61.75.156\:2078" OR "http\:\/\/154.92.19.139\:2222" OR "http\:\/\/172.233.156.100\:13721" OR "http\:\/\/70.34.209.101\:1372" OR "http\:\/\/139.180.216.25\:2967")
The following Threat Hunting query will return “Socket Connect” events where the remote IP address and port match one of the C2 endpoints contacted by the malware.
Type: ("Socket Connect") AND RemoteIP: ("158.247.253.155" OR "137.220.55.190" OR "154.61.75.156" OR "154.92.19.139" OR "172.233.156.100" OR "70.34.209.101" OR "139.180.216.25") AND RemotePort: ("2225" OR "2223" OR "2078" OR "2222" OR "13721" OR "1372" OR "2967")
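As an added example (not part of the original article and not FortiEDR code), the following Python script expresses the hunting queries above as predicate functions over constructed telemetry records whose keys mirror the FortiEDR field names used in the queries (Type, Source.Process.Name, Target.Process.File.Name, Target.Process.CommandLine, URL, RemoteIP, RemotePort). It goes slightly beyond the individual queries by folding the three discovery-command queries into one rule and by checking both HTTP Request and Socket Connect events against the same C2 endpoint set. The event records are constructed for illustration, including two benign records that must not match; the C2 IP addresses and ports are the ones from the URL list earlier in the article.

```python
from urllib.parse import urlsplit

# Known Pikabot C2 endpoints (IP, port) as listed earlier in this article.
PIKABOT_C2 = {
    ("158.247.253.155", 2225),
    ("137.220.55.190", 2223),
    ("154.61.75.156", 2078),
    ("154.92.19.139", 2222),
    ("172.233.156.100", 1372),
    ("70.34.209.101", 1372),
    ("139.180.216.25", 2967),
}

# Discovery commands the hollowed process ran, with the argument each query looks for.
DISCOVERY_COMMANDS = {"whoami.exe": "/all", "ipconfig.exe": "/all", "netstat.exe": "-aon"}


def _field(event: dict, key: str) -> str:
    # Windows file names and command lines are case-insensitive; compare in lower case.
    return str(event.get(key, "")).lower()


def rule_rundll32_inf2_limit(event: dict) -> bool:
    """Process Creation: rundll32.exe launched with the LNK's 'inf2.dll,Limit' arguments."""
    cmdline = _field(event, "Target.Process.CommandLine").replace(", ", ",")
    return (event.get("Type") == "Process Creation"
            and _field(event, "Target.Process.File.Name") == "rundll32.exe"
            and "inf2.dll,limit" in cmdline)


def rule_searchprotocolhost_spawned_by_rundll32(event: dict) -> bool:
    """Process Creation: SearchProtocolHost.exe with rundll32.exe as its parent."""
    return (event.get("Type") == "Process Creation"
            and _field(event, "Source.Process.Name") == "rundll32.exe"
            and _field(event, "Target.Process.File.Name") == "searchprotocolhost.exe")


def rule_discovery_from_searchprotocolhost(event: dict) -> bool:
    """Process Creation: SearchProtocolHost.exe running whoami /all, ipconfig /all or netstat -aon."""
    if (event.get("Type") != "Process Creation"
            or _field(event, "Source.Process.Name") != "searchprotocolhost.exe"):
        return False
    expected_arg = DISCOVERY_COMMANDS.get(_field(event, "Target.Process.File.Name"))
    return expected_arg is not None and expected_arg in _field(event, "Target.Process.CommandLine")


def rule_c2_http_request(event: dict) -> bool:
    """HTTP Request: SearchProtocolHost.exe requesting a known C2 host:port."""
    if (event.get("Type") != "HTTP Request"
            or _field(event, "Source.Process.Name") != "searchprotocolhost.exe"):
        return False
    url = urlsplit(str(event.get("URL", "")))
    return (url.hostname, url.port) in PIKABOT_C2


def rule_c2_socket_connect(event: dict) -> bool:
    """Socket Connect: remote IP and port match a known C2 endpoint."""
    if event.get("Type") != "Socket Connect":
        return False
    try:
        port = int(event.get("RemotePort"))
    except (TypeError, ValueError):
        return False
    return (event.get("RemoteIP"), port) in PIKABOT_C2


RULES = {
    "rundll32_inf2_limit": rule_rundll32_inf2_limit,
    "searchprotocolhost_spawned_by_rundll32": rule_searchprotocolhost_spawned_by_rundll32,
    "discovery_from_searchprotocolhost": rule_discovery_from_searchprotocolhost,
    "c2_http_request": rule_c2_http_request,
    "c2_socket_connect": rule_c2_socket_connect,
}


def hunt(events: list) -> list:
    """Return (rule_name, event_index) for every event that matches a rule."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


# Constructed telemetry records mirroring the FortiEDR field names used in the queries.
SAMPLE_EVENTS = [
    {"Type": "Process Creation", "Source.Process.Name": "explorer.exe",
     "Target.Process.File.Name": "rundll32.exe", "Target.Process.CommandLine": "rundll32.exe inf2.dll,Limit"},
    {"Type": "Process Creation", "Source.Process.Name": "rundll32.exe",
     "Target.Process.File.Name": "SearchProtocolHost.exe", "Target.Process.CommandLine": "SearchProtocolHost.exe"},
    {"Type": "Process Creation", "Source.Process.Name": "SearchProtocolHost.exe",
     "Target.Process.File.Name": "whoami.exe", "Target.Process.CommandLine": "whoami.exe /all"},
    {"Type": "Process Creation", "Source.Process.Name": "SearchProtocolHost.exe",
     "Target.Process.File.Name": "NETSTAT.EXE", "Target.Process.CommandLine": "netstat.exe -aon"},
    {"Type": "HTTP Request", "Source.Process.Name": "SearchProtocolHost.exe", "URL": "http://137.220.55.190:2223/"},
    {"Type": "Socket Connect", "Source.Process.Name": "SearchProtocolHost.exe",
     "RemoteIP": "158.247.253.155", "RemotePort": "2225"},
    # Benign noise: the indexer service legitimately spawning SearchProtocolHost.exe, and an unrelated connection.
    {"Type": "Process Creation", "Source.Process.Name": "SearchIndexer.exe",
     "Target.Process.File.Name": "SearchProtocolHost.exe", "Target.Process.CommandLine": "SearchProtocolHost.exe"},
    {"Type": "Socket Connect", "Source.Process.Name": "svchost.exe", "RemoteIP": "10.0.0.5", "RemotePort": "443"},
]

if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        print(f"{name}: event {idx}")
```

The parent/child rules (rundll32.exe spawning SearchProtocolHost.exe, and SearchProtocolHost.exe spawning discovery tools) describe behaviour rather than artefacts, so they keep working when the DLL name, export name or C2 addresses change between campaigns; the IOC-based rules need their constants refreshed as the article notes.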
Note: The indicators listed under Observed Activity for each MITRE technique are specific to the analyzed campaign and may change in future campaigns.
TA0002 - Execution
Technique ID | Technique Description | Observed Activity
T1204.002 | User Execution: Malicious File | Pikabot is sent to the victim as an .IMG file; the victim is lured into mounting the .IMG file and opening the .LNK file inside it, which infects the endpoint.
TA0005 - Defense Evasion
Technique ID | Technique Description | Observed Activity
T1218.011 | System Binary Proxy Execution: Rundll32 | Pikabot executes its DLL payload via the Windows rundll32.exe utility. In this scenario rundll32.exe is spawned by the Windows Explorer process.
T1055.012 | Process Injection: Process Hollowing | Pikabot executes SearchProtocolHost.exe in a suspended state and injects its code into this process.
T1553.005 | Subvert Trust Controls: Mark-of-the-Web Bypass | Pikabot is sent to the victim as an .IMG file; the victim is lured into mounting the .IMG file and opening the .LNK file inside it, which infects the endpoint.
T1027 | Obfuscated Files or Information | Pikabot uses a malicious DLL file for execution; this file has more than 1000 dummy exported functions to delay reverse engineering.
T1036.001 | Masquerading: Invalid Code Signature | The Pikabot DLL file is unsigned but has file version information identifying it as a Microsoft Visual Studio library file.
T1036.007 | Masquerading: Double File Extension | The .IMG file contains a file with a double extension (document.docx.lnk) to lure the user into thinking a Word document is being opened.
TA0007 - Discovery
Technique ID | Technique Description | Observed Activity
T1082 | System Information Discovery | Pikabot performs process hollowing on SearchProtocolHost.exe, and the injected executable performs system information discovery by spawning child cmd processes to execute the whoami, ipconfig and netstat commands.
TA0011 - Command and Control
Technique ID | Technique Description | Observed Activity
T1571 | Non-Standard Port | Pikabot uses non-standard ports such as 13720, 2223, 2967 and 2078 for its C2 communication, which consists of HTTP requests to these ports.
T1071.001 | Application Layer Protocol: Web Protocols | Pikabot uses HTTP requests for its C2 communication.
Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Malicious .IMG File | D3BB0D4BF36E095C39FE1552A9440ECACEC901D8 | SHA1 Hash | Installation | .IMG file containing Pikabot | 2023-11-21
Malicious Executable | 3CD3750507971E8F9EEF55249E5B2646855652C6 | SHA1 Hash | Installation | .LNK file which resides in the .IMG file | 2023-11-21
Malicious Executable | 469567C2BF172C4E0D270B085AE9ACAF0559C066 | SHA1 Hash | Installation | Malicious DLL file inside the .IMG file | 2023-11-21
Malicious URL | http[:]//158.247.253[.]155:2225 | URL | C2 Communication | C2 URL of Pikabot | 2023-11-21
Malicious URL | http[:]//137.220.55[.]190:2223 | URL | C2 Communication | C2 URL of Pikabot | 2023-11-21
Malicious URL | http[:]//154.61.75[.]156:2078 | URL | C2 Communication | C2 URL of Pikabot | 2023-10-26
Malicious URL | http[:]//154.92.19[.]139:2222 | URL | C2 Communication | C2 URL of Pikabot | 2023-10-23
Malicious URL | http[:]//172.233.156[.]100:1372 | URL | C2 Communication | C2 URL of Pikabot | 2024-01-01
Malicious URL | http[:]//139.180.216[.]25:2967 | URL | C2 Communication | C2 URL of Pikabot | 2023-11-21
[1] https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html
[2] https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/
Copyright 2024 Fortinet, Inc. All Rights Reserved.