The threat actors behind the PikaBot malware have made significant changes to the malware in what has been described as a case of “devolution.”
“Although it appears to be in a new development cycle and testing phase, the developers have reduced the complexity of the code by removing advanced obfuscation techniques and changing the network communications,” Zscaler ThreatLabz researcher Nikolaos Pantazopoulos said.
PikaBot, first documented by the cybersecurity firm in May 2023, is a malware loader and a backdoor that can execute commands and inject payloads from a command-and-control (C2) server as well as allow the attacker to control the infected host.
It is also known to halt its execution should the system’s language be Russian or Ukrainian, indicating that the operators are either based in Russia or Ukraine.
In recent months, both PikaBot and another loader called DarkGate have emerged as attractive replacements for threat actors such as Water Curupira (aka TA577) to obtain initial access to target networks via phishing campaigns and drop Cobalt Strike.
Zscaler’s analysis of a new version of PikaBot (version 1.18.32) observed this month has revealed its continued focus on obfuscation, albeit with simpler encryption algorithms, and insertion of junk code between valid instructions as part of its efforts to resist analysis.
Another crucial modification observed in the latest iteration is that the entire bot configuration — which is similar to that of QakBot — is stored in plaintext in a single memory block as opposed to encrypting each element and decoding them at runtime.
A third change concerns the C2 server network communications, with the malware developers tweaking the command IDs and the encryption algorithm used to secure the traffic.
“Despite its recent inactivity, PikaBot continues to be a significant cyber threat and in constant development,” the researchers concluded.
“However, the developers have decided to take a different approach and decrease the complexity level of PikaBot’s code by removing advanced obfuscation features.”
The development comes as Proofpoint alerted of an ongoing cloud account takeover (ATO) campaign that has targeted dozens of Microsoft Azure environments and compromised hundreds of user accounts, including those belonging to senior executives.
The activity, underway since November 2023, singles out users with individualized phishing lures bearing decoy files that contain links to malicious phishing web pages for credential harvesting, and use them for follow-on data exfiltration, internal and external phishing, and financial fraud.