The core module

Unsurprisingly, the core module holds the very center of the malware chocolate egg: the main malicious functions of the loader. After another round of anti-analysis checks has verified that it is safe to begin operations, the core module starts gathering victim information. Each victim is assigned its own ID, after which an array of specifications on the user and computer is queried in order to adjust the next steps.

The gathered data is encrypted and subsequently sent to a C2 server. The core module, safely nested in the victim system, can then start receiving target-specific commands from the threat actor and, for example, begin dropping other malware. Earlier infections show Pikabot successfully ferrying penetration testing frameworks and other big malware into victim systems, such as Cobalt Strike, IcedID, and DarkGate.

In newer versions of the malware, the following processes are spawned to collect more information:

whoami.exe /all
ipconfig.exe /all
netstat.exe -aon
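The three discovery commands above, launched in quick succession from a single parent process, are a pattern a defender can look for in process-creation telemetry. The following Python is an added example and is not code from this report or from NCC Group: it scans a handful of constructed, Sysmon-style process-creation events and raises an alert when one parent process spawns all three discovery tools within a short time window. The host names, parent image paths, PIDs and timestamps are invented for illustration; only the three command lines come from the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands the report lists as spawned by the core module,
# keyed by image name with the argument string to look for.
DISCOVERY_COMMANDS = {
    "whoami.exe": "/all",
    "ipconfig.exe": "/all",
    "netstat.exe": "-aon",
}

# Constructed sample events in Sysmon Event ID 1 style. Hosts, PIDs,
# parent paths and times are invented; this is not real telemetry.
SAMPLE_EVENTS = [
    # WS01: an administrator runs ipconfig on its own from explorer.exe
    {"ts": "2024-01-15T10:00:01", "host": "WS01", "parent_pid": 4120,
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\ipconfig.exe",
     "cmdline": "ipconfig.exe /all"},
    # WS01: same parent runs netstat 45 minutes later (outside the window)
    {"ts": "2024-01-15T10:45:00", "host": "WS01", "parent_pid": 4120,
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\NETSTAT.EXE",
     "cmdline": "netstat.exe -aon"},
    # WS02: a hypothetical loader process fires all three within ten seconds
    {"ts": "2024-01-15T11:30:00", "host": "WS02", "parent_pid": 7788,
     "parent_image": "C:\\Users\\Public\\loader_stage.exe",
     "image": "C:\\Windows\\System32\\whoami.exe",
     "cmdline": "whoami.exe /all"},
    {"ts": "2024-01-15T11:30:04", "host": "WS02", "parent_pid": 7788,
     "parent_image": "C:\\Users\\Public\\loader_stage.exe",
     "image": "C:\\Windows\\System32\\ipconfig.exe",
     "cmdline": "ipconfig.exe /all"},
    {"ts": "2024-01-15T11:30:09", "host": "WS02", "parent_pid": 7788,
     "parent_image": "C:\\Users\\Public\\loader_stage.exe",
     "image": "C:\\Windows\\System32\\netstat.exe",
     "cmdline": "netstat.exe -aon"},
]


def discovery_tool(event):
    """Return the discovery image name if the event matches one of the
    listed command lines (case-insensitive), otherwise None."""
    name = event["image"].rsplit("\\", 1)[-1].lower()
    wanted_args = DISCOVERY_COMMANDS.get(name)
    if wanted_args is None:
        return None
    return name if wanted_args in event["cmdline"].lower() else None


def detect_discovery_burst(events, window_seconds=60, min_distinct=3):
    """Group matching events by (host, parent PID) and alert when at least
    `min_distinct` different discovery tools start within `window_seconds`.
    Returns one alert dict per offending parent process."""
    by_parent = defaultdict(list)
    for ev in events:
        tool = discovery_tool(ev)
        if tool:
            key = (ev["host"], ev["parent_pid"])
            by_parent[key].append((datetime.fromisoformat(ev["ts"]), tool, ev))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, ppid), hits in by_parent.items():
        hits.sort(key=lambda h: h[0])
        # Slide a window starting at each hit; the first burst found is enough.
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            tools = sorted({h[1] for h in in_window})
            if len(tools) >= min_distinct:
                alerts.append({
                    "host": host,
                    "parent_pid": ppid,
                    "parent_image": in_window[0][2]["parent_image"],
                    "tools": tools,
                    "first_seen": t0.isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_discovery_burst(SAMPLE_EVENTS):
        print(alert)
```

Keying on the parent process rather than on each command individually is what keeps the false-positive rate manageable: any one of these commands is routine for an administrator, but all three from the same parent inside a minute is the reconnaissance burst the report describes. In production the parent image path and signer would be additional fields to include in the alert.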
The Hunt

After having gotten up close and familiar with Pikabot, we added it to our malware portfolio and turned our sights to the next stage: collecting data on the various loaders’ activities in the timeframe between Qakbot’s downfall and present time. Our targets of choice, in addition to Pikabot, were Danabot and DarkGate; solid and popular competitors that had their own breakthroughs and an eventful 2023. In order to build a reliable landscape picture, we could not rely on internal data only. No analyst team is an island, and cybersecurity’s strength lies in its collective community. The array of sources plugged into the sample collection stage included:

• Desk research and previous publications.
• Crowdsourcing YARA rules for the malware families within scope.
• Developing additional YARA rules for Pikabot specifically.
• Performing retrohunts using the outputs above.
• Verifying all Pikabot samples manually.
The downside of multi-source hunting for entire entities like full active malware does, however, come at a potential cost of loss of accuracy. Whatever visibility we might gain could be compromised by noise or improperly set searches. To circumvent this and retain control over the process, NCC Group analysts created multiple additional YARA rules to hunt for Pikabot as a starting point. If set up correctly, hunt progression would show the following: a decrease in Qakbot’s activity, an increase in the usage of Pikabot, and subsequent increases in other loaders’ popularity. We focused on the most tangible indicators of a malware’s activity: captured samples themselves (the most coveted clue), and command & control IOCs that could be attributed to a specific malware family. Packed samples (malware obfuscated by means of being compressed by other software) did not make it into our analysis, because they would have required hunting for the various packers used, and out of concern for introducing data duplications.