PikaBot Malware Returns with Simplified Code and New Tactics

The PikaBot malware has resurfaced with significant changes, described as a “devolution” by researchers due to the reduction in complexity of its code and changes in network communications. First documented in May 2023, PikaBot is a malware loader and backdoor that allows attackers to execute commands and inject payloads from a command-and-control (C2) server, giving them control over infected hosts.

Recent updates to PikaBot include the removal of advanced obfuscation techniques, simpler encryption algorithms, and the insertion of junk code between valid instructions to resist analysis. The malware also now stores its bot configuration in plaintext in a single memory block, a departure from its previous method of encrypting each element and decoding them at runtime.

Furthermore, PikaBot now checks the system’s language and halts its execution if it is set to Russian or Ukrainian, suggesting that the operators are based in Russia or Ukraine. The malware has been used in phishing campaigns to drop Cobalt Strike and gain initial access to target networks.

Despite a period of inactivity, PikaBot remains a significant cyber threat and is in constant development. Its latest version (1.18.32) demonstrates a continued focus on obfuscation and modification of network communications, indicating that its developers are actively working to evolve the malware.

In a separate development, there is an ongoing cloud account takeover (ATO) campaign targeting Microsoft Azure environments. The campaign, active since November 2023, uses individualized phishing lures containing links to malicious pages for credential harvesting. This activity highlights the evolving tactics of cybercriminals to compromise user accounts and conduct various forms of fraud.

Protect your systems against the PikaBot malware by ensuring your antivirus software is up to date and performing regular scans. Educate your employees about phishing attacks and encourage them to exercise caution when opening email attachments or clicking on links. Organizations can also back up data regularly and store it securely to mitigate the impact of a potential malware attack.