The (D)Evolution of Pikabot

By Nikolaos Pantazopoulos. Published 2024-02-29.

Introduction

Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. There was a significant increase in usage of Pikabot in the second half of 2023, following the FBI-led takedown of Qakbot. This was likely the result of a BlackBasta ransomware affiliate replacing Qakbot with Pikabot for initial access. However, Pikabot ceased activity shortly after Christmas 2023, with its version number being 1.1.19 at that time.

In recent campaigns, which started in February 2024, Pikabot reemerged with significant changes in its code base and structure. Although it appears to be in a new development cycle and testing phase, the developers have reduced the complexity of the code by removing advanced obfuscation techniques and changing the network communications.

Key Takeaways

- Pikabot is a malware loader that was first observed in early 2023 and became very active following the takedown of Qakbot in August 2023.
- In December 2023, Pikabot activity ceased, possibly as a result of a new version of Qakbot that emerged. In February 2024, a new version of Pikabot was released with significant changes.
- Previous versions of Pikabot used advanced string encryption techniques, which have been replaced with simpler algorithms.
- Pikabot now stores all configuration elements in a single memory block, similar to Qakbot. In prior versions, Pikabot decrypted necessary configuration elements only when required.
- Pikabot continues to use HTTP for command-and-control, but its network protocol has changed, including the network command IDs and the encryption algorithms.

Technical Analysis

As covered in our previous technical analysis of Pikabot, the malware consists of two components: a loader and a core module. The core module is responsible for executing commands and injecting payloads from a command-and-control server. The malware uses a code injector to decrypt and inject the core module. It employs various anti-analysis techniques and string obfuscation. Pikabot uses similar distribution methods, campaigns, and behaviors as Qakbot. The malware acts as a backdoor, allowing the attacker to control the infected system and distribute other malicious payloads such as Cobalt Strike.

In the following sections, we describe the latest Pikabot variant, including its capabilities and notable changes compared to previous versions. The analysis was performed on Pikabot binaries with version 1.8.32.

Anti-analysis techniques

As with previous versions of Pikabot, this variant employs a series of different anti-analysis techniques to make the analysis more time-consuming. It should be noted that none of the methods below presents any significant advanced capabilities. Furthermore, Pikabot used a series of more advanced detection features in its loader component in previous versions of the malware.

Strings encryption

The most notable change is the string obfuscation. In previous versions of Pikabot, each string was obfuscated by combining the RC4 algorithm with AES-CBC. This method was highly effective in preventing analysis, particularly when it came to automated configuration extraction. To successfully analyze Pikabot, an analyst would need to detect not only the encrypted string but also its unique RC4 key. Additionally, they would need to extract the AES key and initialization vector, which are unique to each Pikabot payload. It should be noted that the approach the Pikabot malware developers followed is similar to the ADVobfuscator.

In the latest version of Pikabot, the majority of the strings are either constructed by retrieving each character and pushing it onto the stack (Figure 1) or, in some rare cases, a few strings are still encrypted using the RC4 algorithm only.

Figure 1. String stack construction

Junk instructions

This anti-analysis technique was also implemented in previous versions of Pikabot. Pikabot inserts junk code between valid instructions. The junk code is either inlined in the function or a call is made to a function which contains the junk code (Figure 2).

Figure 2. Junk code

Anti-debug methods

Pikabot uses two methods to detect a debugging session:

- Reading the BeingDebugged flag from the PEB (Process Environment Block).
- Calling the Microsoft Windows API function CheckRemoteDebuggerPresent.

Pikabot constantly performs the debugging checks above in certain parts of its code, for example when it (en/de)codes network data or when it makes a request to receive a network command.

Anti-sandbox evasion

In addition to the anti-debugging checks above, Pikabot uses the following methods to evade security products and sandboxes:

- Pikabot utilizes native Windows API calls.
- Pikabot delays code execution at different stages of its code. The timer is randomly generated each time.
- Pikabot dynamically resolves all required Windows API functions via API hashing.

A Python representation of the algorithm is available below.

Language detection

Identical to previous versions, Pikabot stops execution if the operating system's language is any of the following:

- Russian (Russia)
- Ukrainian (Ukraine)

This is likely an indication that the threat actors behind Pikabot are Russian-speaking and may reside in Ukraine and/or Russia. The language check reduces the chance of law enforcement action and potential criminal prosecution in those regions.

Bot initialization phase

Unlike previous versions, this version of Pikabot stores all settings and information in a single structure at a global address (similar to Qakbot). The analyzed structure is shown below. For brevity, we redacted non-important items of the structure (such as Windows API names).

Bot configuration

The latest version of Pikabot stores its entire configuration in plaintext at one address. This is a significant drawback, since in previous versions Pikabot decrypted each required element at runtime and only when required. In addition, many of the configuration elements (e.g. command-and-control URIs) were randomized.

ANALYST NOTE: Despite their randomization, all configuration elements were valid on the server side. If a bot sent incorrect information, it would get rejected/banned by the command-and-control server.

The configuration structure is the following:

Once Pikabot parses the plaintext configuration, it erases it by setting all bytes to zero. We assess that this is an anti-dumping method to avoid automating the extraction of the configuration.

Lastly, Pikabot loads any remaining required Windows API functions and generates a bot identifier for the compromised host. The algorithm is similar to previous versions and can be reproduced with the following Python code.

ANALYST NOTE: In some samples, Pikabot does not read the volume serial number due to a bug in their code that causes a failure when calling GetVolumeInformationW.

Network communications

Pikabot contacts the command-and-control server to request and receive network commands. In this version, the network protocol has considerably changed. Pikabot starts by registering the compromised host with its server.

First, Pikabot collects information from the compromised host, such as:

- Monitor's display settings
- Windows version
- Hostname/username and operating system's memory size
- Beacon and delay settings
- Process information such as the process ID, parent process ID and number of threads (see the description of network command 0x985 for a comprehensive list).
- Bot's version and campaign name
- Name of the domain controller

Then Pikabot appends the following information to the registration packet:

- 32-byte network RC4 key (unique per host), which remains the same for the session. In previous versions, Pikabot was using AES-CBC with a random key/IV per request.
- Unknown registry key name. We observed it used only in the network command with ID 0x246F.
- Number of swap rounds used for encoding the data. This remains the same for the rest of the session.

Next, Pikabot encrypts the data using the RC4 algorithm, encodes the encrypted output, picks a random URI from its list, and sends the data with a POST request to the command-and-control server.

The encoding consists of swapping bytes N times, where N is a randomly generated number in the range 0-25.

ANALYST NOTE: Despite the fact that a round number is set in the configuration (see the configuration structure), this value is ignored and Pikabot replaces it with a random value. Moreover, Pikabot has completely removed the JSON format in its network packets and inserts everything in a raw format.

If the bot registration is successful, Pikabot starts an infinite loop to request and execute commands. Each incoming network command (with the exception of network command with ID 0x164) has a task ID that is placed at the start of the (decrypted) packet as a QWORD value. In Table 1 below, we list the identified network commands along with a description of their functionality.

Command ID: Description
0x164: Requests a command from the command-and-control server. The packet includes the command ID, size of bot ID, and the bot ID. The server replies with the same command ID if there is no network command for the bot to execute.
0x555: Reports the output of the executed network command to the command-and-control server.
0x1291: Registers the bot. An unknown integer value (0x1687) is appended in the packet at offset 8.
0x1FED: Updates beacon time.
0x1A5A: Terminates/kills the bot.
0x2672: Not implemented.
0x246F: Writes a file to disk and adds registry data using the value name specified in the configuration (unknown_registry_key_name).
0xACB: Executes the system command and sends back the output. Includes the error code 0x1B3 if there is no output.
0x36C: Injects the code of a downloaded PE file. The target process information is specified in the network packet.
0x792: Injects the code of downloaded shellcode. The target process information is specified in the network packet.
0x359: Executes a system command and sends back the output. Note: same as 0xACB but does not send the error code.
0x3A6: Executes a system command and sends back the output. Note: same as 0xACB but does not send the error code.
0x240: Executes a system command and sends back the output. Note: same as 0xACB but does not send the error code.
0x985: Collects processes' information: executable's filename, process ID, a Boolean flag indicating whether it is a Pikabot process, a Boolean flag indicating whether Pikabot can access the process with all possible access rights, number of threads, base priority of threads, process architecture, and parent process ID.
0x982: Not implemented.

Table 1. Pikabot Network Commands

Conclusion

Despite its recent inactivity, Pikabot continues to pose a significant cyber threat and is in constant development. However, the developers have decided to take a different approach and decrease the complexity level of Pikabot's code by removing advanced obfuscation features. Moreover, based on our code analysis, it appears that certain features and network commands have not been implemented yet and are still a work in progress.

Zscaler ThreatLabz continues to track this threat and add detections to protect our customers.

Indicators Of Compromise (IOCs)


Zscaler Coverage

In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators related to Pikabot at various levels with the following threat names:

- Win32.Trojan.PikaBot
- Win32.Downloader.PikaBot




Despite its recent inactivity, Pikabot continues to pose a significant cyber threat and is in constant development. However, the developers have decided to take a different approach and decrease the complexity level of Pikabot's code by removing advanced obfuscation features. Moreover, based on our code analysis, it appears that certain features and network commands have not been implemented yet and are still a work in progress.

Zscaler ThreatLabz continues to track this threat and add detections to protect our customers.
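The command channel described in the Network communications section, modelled as an added example (this is not Pikabot's code or Zscaler's tooling): a textbook RC4, a task packet whose decrypted form starts with the QWORD task ID, and a parser that maps the command ID to Table 1. The DWORD command ID directly after the task ID is an assumed layout, and the byte-swap encoding layer is left out because the post does not describe the permutation; the last function shows why a fixed per-session RC4 key without a nonce matters to an analyst.

```python
import os
import struct

# Table 1 command IDs (from the post) -> short description.
COMMANDS = {
    0x164: "request command", 0x555: "report output", 0x1291: "register bot",
    0x1FED: "update beacon time", 0x1A5A: "terminate bot", 0x2672: "not implemented",
    0x246F: "write file + registry data", 0xACB: "exec command (0x1B3 if no output)",
    0x36C: "inject PE", 0x792: "inject shellcode", 0x359: "exec command",
    0x3A6: "exec command", 0x240: "exec command", 0x985: "collect process info",
    0x982: "not implemented",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_task(key: bytes, task_id: int, command_id: int, payload: bytes) -> bytes:
    """Server side (model): leading QWORD task ID as the post states, then an
    ASSUMED DWORD command ID and the raw payload, all RC4-encrypted."""
    plain = struct.pack("<QI", task_id, command_id) + payload
    return rc4(key, plain)


def parse_task(key: bytes, packet: bytes) -> dict:
    """Bot/analyst side: decrypt with the session key and split the task.
    The N-round byte-swap layer is not modelled (permutation not documented)."""
    plain = rc4(key, packet)
    if len(plain) < 12:
        raise ValueError("packet too short for task ID + command ID")
    task_id, command_id = struct.unpack_from("<QI", plain, 0)
    return {
        "task_id": task_id,
        "command_id": command_id,
        "description": COMMANDS.get(command_id, "unknown"),
        "payload": plain[12:],
    }


def keystream_reuse(key: bytes, a: bytes, b: bytes) -> bytes:
    """The 32-byte key is fixed for the session and RC4 has no nonce, so every
    packet is XORed with the same keystream. XORing two ciphertexts cancels it
    and leaves plaintext XOR plaintext, which a known leading task ID exposes."""
    ca, cb = rc4(key, a), rc4(key, b)
    n = min(len(ca), len(cb))
    return bytes(x ^ y for x, y in zip(ca[:n], cb[:n]))


if __name__ == "__main__":
    session_key = os.urandom(32)  # constructed stand-in for the per-host RC4 key
    pkt = build_task(session_key, 7, 0xACB, b"hostname")  # constructed sample task
    print(parse_task(session_key, pkt))
```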
Indicators Of Compromise (IOCs)


Zscaler Coverage

In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators related to Pikabot at various levels with the following threat names:

- Win32.Trojan.PikaBot
- Win32.Downloader.PikaBot