Is PikaBot the New QakBot?
Doing a bit of research, I found the makings of a decent timeline. PikaBot was first sighted by Palo Alto Unit 42 in early February 2023. First thought to be Matanbuchus malware, it turned out to be a new malware family. It's distributed in a similar manner to QakBot.
When first discovered, it appeared to be in the early stages of development. There are some similarities between Matanbuchus and PikaBot. (Details)
A technical analysis conducted in May 2023 shared some insights into the malware. PikaBot is made up of two components, a loader and a core module. The core module handles most of the functionality.
The core module is decrypted and injected via a code injector. PikaBot can receive commands from a command-and-control server, allowing it to execute commands and inject payloads. Zscaler ThreatLabz found numerous anti-analysis techniques deployed by PikaBot's core module injector.
The core module also performs anti-analysis techniques, including a "sleep" function and a check of the system language against those used in the Commonwealth of Independent States (CIS). A couple of persistence mechanisms are built in as well.
The command-and-control configuration is elaborate; its components are stored encrypted and are decrypted at runtime. It appears that a campaign ID and binary version were contained in each sample.
Network communication is handled via HTTPS POST. PikaBot registers the compromised host to the command-and-control server after collecting system information. It also creates a unique bot identifier for the compromised host.
Once the compromised host is registered and persistence is established, tasks are requested from the command-and-control server. There appear to be similarities to QakBot, with common elements in distribution, campaign identifiers, and design. (Details)
A DarkGate campaign was spotted in July 2023, with a notable increase in September 2023, and it swapped to PikaBot exclusively in October 2023. Following the same trends utilized by the QakBot threat actors, including evasive tactics and anti-analysis techniques, the threat actors distribute a high volume of emails to numerous industries.
This is a high-end campaign that uses advanced capabilities to optimize malware delivery to its targets. The campaign uses hijacked email threads, a more sophisticated method than standard phishing.
By introducing a relevant message with a malicious link into an existing email thread, the attackers gain more of the victim's trust than an unexpected email reaching their inbox would. The malicious URL is gated on conditions such as browser type and location, limiting who can reach the malicious file.
It appears as if the threat actors were testing different malware delivery options; several infection chains were observed. At least in this campaign, the JavaScript Dropper (JS Dropper) appears to be the favorite, though several other malware delivery methods were observed as well.
Evolving since it was first observed, this is an advanced campaign run by threat actors with above-average skills. (Details)
A threat actor being tracked under the name Water Curupira, with known activity tied to Black Basta ransomware, has been actively using PikaBot throughout 2023. The threat actor conducts campaigns to drop backdoor capabilities such as Cobalt Strike.
This appears to be an initial access broker, who then sells access to organizations to Black Basta or Black Basta affiliates. (Details)
With so many similarities and an aggressive timeline that coincides with the QakBot takedown, it certainly looks like PikaBot may be the new QakBot. We'll keep watching and will provide an update when we find more information.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter