{"description": "Enterprise techniques used by Pikabot, ATT&CK software S1145 (v1.0)", "name": "Pikabot (S1145)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) will retrieve the name of the user associated with the thread under which the malware is executing.(Citation: Elastic Pikabot 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) maintains persistence following system checks through the Run key in the registry.(Citation: Zscaler Pikabot 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) can execute Windows shell commands via cmd.exe.(Citation: Zscaler Pikabot 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) uses base64 encoding in conjunction with symmetric encryption mechanisms to obfuscate command and control communications.(Citation: Zscaler Pikabot 2023)(Citation: Elastic Pikabot 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1622", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) features several methods to evade debugging by analysts, including checks for active debuggers, the use of breakpoints during execution, and checking various system information items such as system memory and the number of processors.(Citation: Zscaler Pikabot 2023)(Citation: Elastic Pikabot 2024)(Citation: Logpoint Pikabot 2024)", "score": 
1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) decrypts command and control URIs using ADVobfuscator, and decrypts IP addresses and port numbers with a custom algorithm.(Citation: Zscaler Pikabot 2023) Other versions of [Pikabot](https://attack.mitre.org/software/S1145) decode chunks of stored stage 2 payload content in the initial payload .text section before consolidating them for further execution.(Citation: Elastic Pikabot 2024) Overall [LunarMail](https://attack.mitre.org/software/S1142) is associated with multiple encoding and encryption mechanisms to obfuscate the malware's presence and avoid analysis or detection.(Citation: Logpoint Pikabot 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1482", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) will gather information concerning the Windows Domain the victim machine is a member of during execution.(Citation: Elastic Pikabot 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "Earlier [Pikabot](https://attack.mitre.org/software/S1145) variants use a custom encryption procedure leveraging multiple mechanisms including AES with multiple rounds of Base64 encoding for its command and control communication.(Citation: Zscaler Pikabot 2023) Later [Pikabot](https://attack.mitre.org/software/S1145) variants eliminate the use of AES and instead use RC4 encryption for transmitted information.(Citation: Elastic Pikabot 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "showSubtechniques": true}, {"techniqueID": "T1480.001", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) stops execution if the infected system language matches one of several languages, with various versions referencing: Georgian, Kazakh, Uzbek, 
Tajik, Russian, Ukrainian, Belarusian, and Slovenian.(Citation: Zscaler Pikabot 2023)(Citation: Elastic Pikabot 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "During the initial [Pikabot](https://attack.mitre.org/software/S1145) command and control check-in, [Pikabot](https://attack.mitre.org/software/S1145) will transmit collected system information encrypted using RC4.(Citation: Elastic Pikabot 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) uses native Windows APIs to determine if the process is being debugged and analyzed, such as `CheckRemoteDebuggerPresent`, `NtQueryInformationProcess`, `ProcessDebugPort`, and `ProcessDebugFlags`.(Citation: Zscaler Pikabot 2023) Other [Pikabot](https://attack.mitre.org/software/S1145) variants populate a global list of Windows API addresses from the `NTDLL` and `KERNEL32` libraries, and reference these addresses instead of calling the APIs directly to obfuscate execution.(Citation: Elastic Pikabot 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) uses non-standard ports, such as 2967, 2223, and others, for HTTPS command and control communication.(Citation: Elastic Pikabot 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.003", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) loads a set of PNG images stored in the malware's resources section (RCDATA), each with an encrypted section containing portions of the [Pikabot](https://attack.mitre.org/software/S1145) core module. 
These sections are loaded and decrypted using a bitwise XOR operation with a hardcoded 32-bit key.(Citation: Zscaler Pikabot 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.009", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) further decrypts information embedded via steganography using AES-CBC with the same 32-bit key as the initial XOR operations, combined with the first 16 bytes of the encrypted data as an initialization vector.(Citation: Zscaler Pikabot 2023) Other [Pikabot](https://attack.mitre.org/software/S1145) variants include encrypted, chunked sections of the stage 2 payload in the initial loader .text section before decrypting and assembling these during execution.(Citation: Elastic Pikabot 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.011", "comment": "Some versions of [Pikabot](https://attack.mitre.org/software/S1145) build the final PE payload in memory to avoid writing contents to disk on the executing machine.(Citation: Elastic Pikabot 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.002", "comment": "[Pikabot](https://attack.mitre.org/software/S1145), following payload decryption, creates a process hard-coded into the dropper (e.g., WerFault.exe) and injects the decrypted core modules into it.(Citation: Zscaler Pikabot 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055.003", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) can create a suspended instance of a legitimate process (e.g., ctfmon.exe), allocate memory within the suspended process corresponding to [Pikabot](https://attack.mitre.org/software/S1145)'s core module, then redirect execution flow via the `SetThreadContext` API so that when the thread resumes the [Pikabot](https://attack.mitre.org/software/S1145) core module is executed.(Citation: 
Elastic Pikabot 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1620", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) reflectively loads stored, previously encrypted components of the PE file into memory of the currently executing process to avoid writing content to disk on the executing machine.(Citation: Elastic Pikabot 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) performs a variety of system checks and gathers system information, including commands such as whoami.(Citation: Zscaler Pikabot 2023)(Citation: Elastic Pikabot 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) gathers victim network information through commands such as ipconfig and ipconfig /all.(Citation: Zscaler Pikabot 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[Pikabot](https://attack.mitre.org/software/S1145) performs a variety of system checks to determine if it is running in an analysis environment or sandbox, such as checking the number of processors (must be greater than two), and the amount of RAM (must be greater than 2GB).(Citation: Elastic Pikabot 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Pikabot", "color": "#66b1ff"}]}