Patrick Staubmann - TA577 Walked Just Past You - Indirect Syscalls in Pikabot

3.0 2025-05-10 22 0 1385 KB 30 pages PDF
Abstract:

TA577 Walked Just Past You
Indirect Syscalls in Pikabot
Patrick Staubmann
Team Lead Threat Analysis
VMRay GmbH

Slide 2: Pikabot Overview
  • First Seen: Early 2023
  • Classification: (Down-) Loader, Backdoor
  • Threat Actor: TA577 (Water Curupira)
      - Well known for distributing QBot
      - Distribution of Black Basta ransomware
      - …
  • Evasion Techniques: Indirect System Calls

Slide 3: A closer look to Pikabot
  • Loader
      - Loading core module
  • Core Module
      - C2 Communication
      - Injector (PE & Shellcode)
      - Command Execution
      - Data Collection / Fingerprinting
  Pikabot went dark in 2024 (Operation Endgame). But… we may see "powered-up" variants with enhanced loader and core modules.

Slide 4: Pikabot's Evasion Techniques
  • Hardware-based Evasion
      - Limited Resources
      - More than 2 CPU Cores?
      - At least 2 GB of memory?
  • Timing-based Evasion
      - Sleep for certain time to hide behavior
      - Uncommon API to pause execution: Beep()

Slide 5: Uncovering Indirect Syscalls

Slide 6: WINDOWS API

Slide 7: From User Mode to Kernel Mode
  USER MODE / KERNEL
  sample.exe
      ..instruction..
      ..instruction..
      call CreateFileW
  kernelbase.dll
      CreateFileW
      ..instruction..
      ..instruction..
      cal

Properties: 30 pages Size: 1385 KB Format: PDF Date: 2025-05-10
