PikaBot resurfaces with simplified code and deceptive tactics

February 13, 2024 | Pressroom | Cyber threat/malware


The threat actors behind the PikaBot malware have made significant changes to the malware in what has been described as a case of “devolution.”

“Although it appears to be in a new development cycle and testing phase, the developers have reduced the complexity of the code by removing advanced obfuscation techniques and modifying network communications,” said Nikolaos Pantazopoulos, researcher at Zscaler ThreatLabz.

PikaBot, first documented by the cybersecurity firm in May 2023, is a malware loader and backdoor capable of executing commands and injecting payloads from a command and control (C2) server, as well as allowing the attacker to check the infected host.


It is also known to stop running if the system language is Russian or Ukrainian, indicating that the operators are based in Russia or Ukraine.

In recent months, both PikaBot and another loader called DarkGate have emerged as attractive alternatives for threat actors like Water Curupira (also known as TA577) to gain initial access to target networks via phishing campaigns and deploy Cobalt Strike.

Zscaler’s analysis of a new version of PikaBot (version 1.18.32) observed this month revealed its continued focus on obfuscation, albeit with simpler encryption algorithms, and the insertion of junk code between valid instructions as part of its efforts to resist analysis.

Another crucial change observed in the latest iteration is that the entire bot configuration, which is similar to that of QakBot, is stored in plain text in a single block of memory, instead of each element being encrypted and decrypted at runtime.

A third change affects network communications with the C2 server, with the malware developers changing the command IDs and the encryption algorithm used to protect traffic.

“Despite its recent inactivity, PikaBot continues to pose a significant and evolving cyber threat,” the researchers concluded.


“However, the developers decided to take a different approach and decrease the level of complexity of PikaBot’s code by removing advanced obfuscation features.”

The development comes as Proofpoint was alerted to an ongoing cloud account takeover (ATO) campaign that has targeted dozens of Microsoft Azure environments and compromised hundreds of user accounts, including those belonging to senior executives.

The activity, ongoing since November 2023, targets users with customized phishing lures containing bait documents that link to malicious phishing web pages for credential harvesting, and uses the harvested credentials for subsequent data exfiltration, internal and external phishing, and financial fraud.
