After QBot got shut down, there was a vacuum in the ransomware gang tool box\u2014but with PikaBot, that\u2019s beginning to change<\/strong>: last month we wrote about the first recorded instance<\/a> of PikaBot being used by ransomware gangs, specifically Black Basta, in their attacks.<\/p>\n Let\u2019s dig into how PikaBot works, how it\u2019s distributed, how ransomware gangs use it in their attacks, and how to stop it with ThreatDown.<\/p>\n To get a better idea of how PikaBot works, we need to first understand what a modular trojan is.<\/p>\n Simply put, a modular trojan<\/strong> is a type of malware designed to be flexible and extensible, allowing attackers to add or update its functionalities easily without needing to replace the whole malware.<\/p>\n The modular nature of trojans like QBot and PikaBot are what makes them so dangerous. Unlike simpler malware, PikaBot can execute arbitrary commands, download additional payloads, and inject malicious shellcode into legitimate processes <\/strong>running on a victim’s computer. Think of it like a backdoor that allows attackers to set up for the next stages of their attacks.<\/p>\n Once it’s installed onto a system, PikaBot has a whole host of ways to stay under the radar, evading detection by most conventional security tools through techniques like indirect system calls and advanced obfuscation methods.<\/p>\n The distribution of PikaBot, like many other malicious loaders such as QBot and DarkGate, is heavily reliant on email spam campaigns<\/strong>. Even so, ThreatDown Intelligence researchers have seen PikaBot being delivered via malicious search ads as well<\/a> (also known as \u201cmalvertising<\/strong>\u201d).<\/p>\n PikaBot\u2019s initial access campaigns are meticulously crafted, utilizing geolocalized spam emails that target specific countries. The emails often contain links to external SMB (Server Message Block) shares<\/a>, which host malicious zip files.<\/p>\n SMB shares are network folders leveraging the SMB protocol\u2014a network file sharing protocol designed for sharing files and printers across devices on a network. Attackers often use SMB shares to distribute malware. In this case, downloading and opening the hosted zip file results in PikaBot infection.<\/strong><\/p>\n For example, consider the below phishing email containing a link to a zip file containing the PikaBot payload.<\/p>\n Source: ANY.RUN<\/a> (Translation: I sent you some paperwork the other day. Did you get it?)<\/p>\n Once the recipient interacts with these emails by clicking on the link, they are taken to the SMB share hosting the malicious zip files.<\/p>\n Extracting a zip and double-clicking on the executable within it will install PikaBot.<\/p>\n Source: ANY.RUN<\/a><\/p>\n Ransomware gangs commonly use modular trojans like PikaBot for their attacks.<\/p>\n Before it was shut down, for example, Qbot allowed ransomware gangs to seamlessly integrate various attack techniques into their operations<\/strong>, including stealing credentials, moving laterally across networks, and ultimately deploying ransomware or other malicious payloads.<\/p>\n PikaBot is being used by ransomware attackers in a similar way.<\/p>\n Once PikaBot has established a foothold in a network, it allows attackers to engage in a wide range of follow-up activities<\/strong>.<\/p>\n For example, researchers have noted affiliates of the BlackBasta ransomware gang using <\/a>PikaBot to use encrypted communications with command and control (C&C) servers<\/strong>. Pikabot can also assist gangs in getting detailed information about infected systems, helping them tailor their ransomware for maximum impact.<\/strong><\/p>\n Besides preventing initial access through things such as a web content filter and phishing training, choosing an Endpoint Detection and Response (EDR<\/a>) platform that automatically detects and quarantines threats<\/strong> like PikaBot is crucial.<\/p>\n However, given the constant evolution of malware, identifying dynamic threats like Pikabot boils down to two words: threat hunting<\/strong>.<\/p>\n At ThreatDown, we talk a lot about the importance of threat hunting for SMBs\u2014and not for no good reason, either. Just consider the fact that, when an attacker breaches a network, they don\u2019t attack right away. The median amount of time between system compromise and detection is 21 days<\/a><\/strong>.<\/a><\/p>\n By that time, it\u2019s often too late. Data has been harvested or ransomware has been deployed.<\/p>\n Threat hunting helps find and remediate highly-obfuscated threats like PikaBot that can quietly lurk in the network, siphoning off confidential data and searching for credentials to access the \u201ckeys to the kingdom.\u201d<\/p>\n For example, as detailed in one case study<\/a>, the ThreatDown Managed Detection and Response (MDR) team employed threat hunting techniques to uncover and neutralize a sophisticated QBot attack on a reputable oil and gas company. The team’s approach involved meticulously examining Indicators of Compromise (IoCs), analyzing network traffic, and scrutinizing unusual patterns of behavior <\/strong>within the company’s IT infrastructure, ultimately resulting in Qbot\u2019s discovery on the network and isolation of infected systems.<\/p>\n ThreatDown MDR workflow<\/p>\n Want to learn more about how ThreatDown stops new threats like PikaBot? Fill out this form to speak with an expert and get a custom quote.<\/a><\/p>\nA closer look at PikaBot<\/h2>\n
How Pikabot is distributed<\/h2>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/Screenshot-2024-03-01-at-2.44.52\u202fPM.png?w=1024\")
<\/figure>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/Screenshot-2024-03-01-at-2.50.29\u202fPM.png?w=1024\")
<\/figure>\nHow ransomware gangs use PikaBot<\/h2>\n
How to stop PikaBot with ThreatDown<\/h2>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image1.png\")
<\/figure>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image3.png\")
<\/figure>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/image3.png?w=1024\")
<\/figure>\nStop threats like PikaBot today<\/h2>\n