Also known as: -
Category: Malware
Type: Remote access trojan, loader, password-stealing virus, spyware, ransomware, crypto miner, backdoor.
Platform: Windows
Variants: -
Damage potential: Data theft, keylogging, crypto hijacking, financial loss, identity theft, chain infection
Overview
Pikabot is an emerging malware family with advanced evasion, injection, and anti-analysis techniques. It is primarily categorized as a banking trojan with a strong focus on stealing login credentials, personal information, and banking data.
Pikabot is a modular trojan, which means it is designed to be flexible and extensible: attackers can add or update its functionality without replacing the whole malware. It is also more dangerous than simpler malware because it can execute arbitrary commands, download additional payloads, and inject malicious shellcode into legitimate processes running on a victim's computer. It works like a shop's back door left open to burglars around the clock, available whenever they want to plan the next stage of the attack.
Finally, Pikabot is also capable of checking the system language to avoid infecting specific countries. By calling the Windows GetUserDefaultLangID function, Pikabot reads the system's default language identifier (LangID) and acts on the result. If the LangID corresponds to Russian or Ukrainian, the malware immediately stops its execution.
Older Pikabot versions also terminate their execution if the LangID corresponds to the language of one of these countries:
- Georgia
- Kazakhstan
- Uzbekistan
- Tajikistan
- Russia
- Ukraine
- Belarus
- Slovenia
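The locale check above is worth understanding from the analysis side: a sample that exits silently in a sandbox configured with one of these languages produces no behaviour to detect. The following helper, added here as an example and not code from the page or from Pikabot itself, decodes a Windows LANGID into its primary language and sublanguage, looks the primary language up against the two exclusion lists the page gives (current versions: Russian and Ukrainian; older versions: the full list), and on Windows reads the host's own value through the same GetUserDefaultLangID API. The LANG_* numeric constants are the documented Windows SDK values; the assumption that the malware compares only the primary language (so regional variants such as Uzbek Cyrillic also match) is mine and is not stated on the page.

```python
import ctypes
import sys
from typing import Optional, Tuple

# Windows primary language identifiers (LANG_* constants from the Windows SDK).
# A LANGID packs a 10-bit primary language in the low bits and a 6-bit
# sublanguage (regional variant) in the high bits.
PRIMARY_LANGUAGE_NAMES = {
    0x19: "Russian",
    0x22: "Ukrainian",
    0x23: "Belarusian",
    0x24: "Slovenian",
    0x28: "Tajik",
    0x37: "Georgian",
    0x3F: "Kazakh",
    0x43: "Uzbek",
}

# Locales the page says the malware refuses to run on. Current versions stop
# only for Russian and Ukrainian; older versions used the longer list.
CURRENT_EXCLUDED = {0x19, 0x22}
OLDER_EXCLUDED = {0x19, 0x22, 0x23, 0x24, 0x28, 0x37, 0x3F, 0x43}


def decode_langid(langid: int) -> Tuple[int, int]:
    """Split a 16-bit LANGID into (primary language, sublanguage)."""
    return langid & 0x3FF, (langid >> 10) & 0x3F


def primary_language_name(langid: int) -> str:
    """Human-readable name of the primary language, or 'unknown (0xNN)'."""
    primary, _ = decode_langid(langid)
    return PRIMARY_LANGUAGE_NAMES.get(primary, f"unknown (0x{primary:02X})")


def would_abort(langid: int, older_version: bool = False) -> bool:
    """True if a sample using the page's locale check would exit for this LANGID.

    Assumption (not stated on the page): the comparison is made on the primary
    language only, so regional variants such as Uzbek Cyrillic (0x0843) match too.
    """
    primary, _ = decode_langid(langid)
    excluded = OLDER_EXCLUDED if older_version else CURRENT_EXCLUDED
    return primary in excluded


def system_langid() -> Optional[int]:
    """Read the live value on Windows; None elsewhere (the API is Windows-only)."""
    if sys.platform != "win32":
        return None
    return ctypes.windll.kernel32.GetUserDefaultLangID() & 0xFFFF


def report(langid: int) -> str:
    """One-line analyst summary for a LANGID."""
    return (
        f"LANGID 0x{langid:04X}: {primary_language_name(langid)}; "
        f"current Pikabot aborts={would_abort(langid)}, "
        f"older Pikabot aborts={would_abort(langid, older_version=True)}"
    )


if __name__ == "__main__":
    # Constructed sample LANGIDs: en-US, ru-RU, uz-Cyrl-UZ, ka-GE.
    for sample in (0x0409, 0x0419, 0x0843, 0x0437):
        print(report(sample))
    live = system_langid()
    if live is not None:
        print("this host:", report(live))
```

Running the script on an analysis VM tells you whether its locale would cause a sample of either generation to terminate before doing anything observable, which is a common reason for an empty sandbox report. Note that the Georgian example (0x0437) stops only older versions, so a locale that silenced an old sample may not silence a current one.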
Possible symptoms
Here are the most common symptoms of a Pikabot infection:
- Unauthorized computer access or changes in system settings.
- Unfamiliar programs or files.
- A noticeable increase in browser redirects and pop-ups.
- System slowdown.
- An increase in CPU usage.
- Inability to update antivirus software.
- Ransomware behavior (renamed or encrypted files).
Sources of infection
Early versions of Pikabot spread through phishing emails, compromised websites, and malicious ads (malvertising). Compromised websites can install malware automatically through drive-by downloads, while malvertising uses malicious advertisements that infect the device when a user interacts with them.
Protection
Always browse with caution and keep your software updated to protect yourself from Pikabot.
- Do not click on suspicious links or attachments from unknown senders.
- Do not download software from unofficial sources.
- Scan downloads for malware and block malicious ads with NordVPN’s Threat Protection.
- Install reliable antivirus software and keep it updated.
- Create strong and unique passwords for your online accounts.
- Do not save passwords on browsers. Use a password manager instead.
- Enable MFA (multi-factor authentication) to prevent attackers from accessing your accounts even if they have your login credentials.
Removal
If you think you might have Pikabot on your device, you need to act promptly:
- Disconnect your device from the internet to stop the malware from communicating with its command and control server.
- Boot into safe mode.
- Run a full system scan using a reputable antivirus solution.
- Follow the instructions provided by your antivirus software to remove the malware.
- Reset browser settings to the default version, especially if you suspect DarkGate compromised your browser.
- Change passwords for online services and monitor accounts for suspicious activity.
If you don’t feel confident handling the removal yourself, consider getting help from IT professionals.