The notorious PikaBot malware has re-emerged, undergoing what cybersecurity researchers describe as a case of “devolution.” The threat actors behind PikaBot have substantially reworked its code, simplifying it by removing advanced obfuscation techniques and changing how it communicates over the network. Zscaler ThreatLabz researcher Nikolaos Pantazopoulos notes that, although the malware appears to be in a new development cycle, PikaBot remains a potent threat: it can execute commands, inject payloads, and give attackers remote control of infected hosts.
The latest version, identified as PikaBot version 1.18.32, still relies on obfuscation, but with simpler encryption algorithms than before. Notably, the developers have changed their approach to configuration handling: the entire bot configuration is now stored in plaintext within a single memory block, rather than each element being encrypted individually. In addition, the command IDs and the encryption algorithm used for network communications with the C2 server have been altered, which analysts read as a deliberate effort to hinder analysis and evade existing detections. Although PikaBot had been relatively inactive recently, cybersecurity analysts warn that it remains a formidable threat and continues to evolve.