With Streamlined Code and Deceptive Tactics, PikaBot Resurfaces

13 February 2024 Newsroom Cyber Threat/Malware

In what has been referred to as a case of “devolution,” the threat actors responsible for the PikaBot malware have significantly altered the malware.

According to Zscaler ThreatLabz researcher Nikolaos Pantazopoulos, although the code appears to be in a new development cycle and testing phase, the developers have reduced its complexity by changing the network communications and removing sophisticated obfuscation techniques.

PikaBot, a malware loader and backdoor first identified by the cybersecurity company in May 2023, can execute commands, inject payloads received from a command-and-control (C2) server, and give the attacker control over the infected host.

Additionally, it is known to stop running if the system's language is Russian or Ukrainian, suggesting that the operators are based in either Russia or Ukraine.

In recent months, PikaBot and another loader called DarkGate have emerged as attractive replacement loaders for threat actors like Water Curupira (also known as TA577), which use phishing campaigns to gain initial access to target networks and drop Cobalt Strike.

Zscaler's analysis of a new PikaBot version (version 1.18.32), observed this month, revealed its continued focus on obfuscation, albeit with simpler encryption algorithms, and the insertion of junk code between legitimate instructions in an attempt to resist analysis.

Another significant change seen in the most recent iteration is that the entire bot configuration, which is similar to QakBot's, is stored in plaintext in a single memory block rather than each element being encrypted and decoded at runtime.

The third change concerns the network communications with the C2 server, where the malware developers have altered the traffic encryption algorithm and the command IDs.

The researchers concluded that, despite its recent inactivity, PikaBot remains a serious cyber threat and is constantly evolving.

"The developers have, however, chosen a different strategy and removed advanced obfuscation features to reduce the complexity level of PikaBot's code."

Separately, Proofpoint has identified an ongoing cloud account takeover (ATO) campaign that has compromised hundreds of user accounts, including those of senior executives, and targeted dozens of Microsoft Azure environments.

The activity, which has been ongoing since November 2023, targets users and abuses their compromised accounts for internal and external phishing, financial fraud, and follow-up data exfiltration. It also uses decoy files containing links to malicious websites set up for credential harvesting.
