Teacher
The developers have chosen where to focus their efforts in supporting PikaBot.
Zscaler ThreatLabZ specialists found significant changes in the PikaBot malware, which they described as a "transfer of authority" in the development of the virus. The new version, designated 1.18.32, is still under development and testing; in it the developers have significantly simplified the code structure, dropped complex obfuscation methods, and changed the network communications.
PikaBot, first recorded in May 2023, is a malware downloader and backdoor that lets attackers execute commands and deliver payloads from the command-and-control (C2) server, giving them control over the infected host.
Analysis of the new version of PikaBot showed that, despite the simplification of the code, the developers continue to focus on obfuscation, using simpler encryption algorithms and inserting "garbage" code between valid instructions to make analysis more difficult. One of the key changes is that the entire bot configuration is now stored in clear text in a single block of memory, unlike the previous method, in which each element was encrypted and decrypted at runtime. The command set and the encryption algorithm used to protect traffic to the C2 servers were also changed.
The new version of PikaBot shows that the malware continues to pose a significant cybersecurity threat and remains in constant development.
In November, Cofense discovered that the DarkGate and PikaBot malware was being distributed by cybercriminals using the same methods seen in attacks with the QakBot Trojan, which was taken down in August. DarkGate and PikaBot are capable of delivering additional payloads to infected hosts, which makes them attractive to attackers. Analysts noted the similarity between PikaBot and QakBot based on shared distribution methods, campaigns, and malware behavior.
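A cleartext configuration block sitting in one contiguous region of memory, as described above, stands out from packed code and encrypted data by its low byte entropy and its printable strings. The script below is an added illustration of that analyst-side heuristic; it is not part of the original post, of Zscaler's tooling, or of PikaBot itself. The memory buffer, the config keys and the `*.invalid` C2 hosts are all constructed sample data, and the fixed-size NUL-padded layout of the config block is an assumption chosen for the example, not a description of PikaBot's real format.

```python
import math
import random

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Extract runs of printable ASCII at least min_len bytes long."""
    out, run = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out

def find_plaintext_regions(mem: bytes, window: int = 256, max_entropy: float = 5.0):
    """Slide a fixed window over the buffer and merge adjacent windows that are
    both low-entropy and contain printable strings. Requiring strings as well as
    low entropy keeps zero-filled pages from being reported as config."""
    regions, start = [], None
    for off in range(0, len(mem), window):
        chunk = mem[off:off + window]
        low = shannon_entropy(chunk) <= max_entropy and bool(printable_strings(chunk))
        if low and start is None:
            start = off
        elif not low and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(mem)))
    return regions

# Constructed sample memory: pseudo-random filler standing in for packed code or
# encrypted data, with a constructed cleartext config block in the middle.
# Hosts use the reserved .invalid TLD; nothing here is a real indicator.
_rng = random.Random(1337)
FILLER_A = bytes(_rng.getrandbits(8) for _ in range(2048))
FILLER_B = bytes(_rng.getrandbits(8) for _ in range(2048))
FAKE_CONFIG = (
    b"campaign_id=SAMPLE-CAMPAIGN\x00"
    b"c2=c2-placeholder.invalid:443\x00"
    b"c2=backup-placeholder.invalid:2222\x00"
    b"user_agent=Mozilla/5.0 (constructed sample)\x00"
    b"beacon_interval=300\x00"
).ljust(512, b"\x00")  # assumed fixed-size, NUL-padded block (example layout only)
SAMPLE_MEMORY = FILLER_A + FAKE_CONFIG + FILLER_B

def extract_config(mem: bytes = SAMPLE_MEMORY) -> dict:
    """Map each candidate cleartext region's offset to the strings found in it."""
    found = {}
    for start, end in find_plaintext_regions(mem):
        strs = printable_strings(mem[start:end])
        if strs:
            found[start] = strs
    return found

if __name__ == "__main__":
    for offset, strs in extract_config().items():
        print(f"candidate config region at 0x{offset:x}:")
        for s in strs:
            print("   ", s)
```

Against a real process dump the same two signals (low entropy plus key=value style strings) are what a triage script keys on; the window size and entropy threshold here are tuned for the constructed buffer and would be adjusted per sample, and the older per-element encrypted layout would not surface this way at all, which is exactly why the change to a single cleartext block is worth noting for analysts.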