Thursday, November 21, 2024

Water Curupira Hackers Actively Distributing PikaBot Loader Malware

Jan 09, 2024 | Newsroom | Malware / Cyber Threat


A threat actor referred to as Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023.

“PikaBot’s operators ran phishing campaigns, targeting victims via its two components — a loader and a core module — which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C&C) server,” Trend Micro said in a report published today.


The activity began in the first quarter of 2023 and lasted until the end of June, before ramping up again in September. It also overlaps with prior campaigns that have used similar tactics to deliver QakBot, specifically those orchestrated by the cybercrime groups known as TA571 and TA577.

It is believed that the rise in the number of phishing campaigns related to PikaBot is the result of QakBot’s takedown in August, with DarkGate emerging as another replacement.

PikaBot is primarily a loader, which means it is designed to launch another payload, including Cobalt Strike, a legitimate post-exploitation toolkit that often acts as a precursor to ransomware deployment.

The attack chains leverage a technique called email thread hijacking, using existing email threads to trick recipients into opening malicious links or attachments, effectively activating the malware execution sequence.


The ZIP archive attachments, which contain either JavaScript or IMG files, are used as a launchpad for PikaBot. The malware, for its part, checks the system’s language and halts execution should it be either Russian or Ukrainian.

In the next step, it collects details about the victim’s system and forwards them to a C&C server in JSON format. Water Curupira’s campaigns are for the purpose of dropping Cobalt Strike, which subsequently leads to the deployment of Black Basta ransomware.

“The threat actor also conducted several DarkGate spam campaigns and a small number of IcedID campaigns in the early weeks of the third quarter of 2023, but has since pivoted exclusively to PikaBot,” Trend Micro said.
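As an added defender-side illustration (not code from the article or from Trend Micro's research), the Python script below inspects a mail attachment for the ZIP-delivered JavaScript and IMG members the article describes, descending into nested ZIPs so a second layer of archiving does not hide them; the sample archive is constructed in memory, and the extension list and nesting limit are assumptions.

```python
import io
import zipfile

# File types the article names as PikaBot launchpads inside ZIP attachments (assumed list).
SUSPICIOUS_EXTENSIONS = (".js", ".img")


def flag_zip_members(zip_bytes: bytes, depth: int = 0, max_depth: int = 3) -> list[str]:
    """Return member paths (prefixed with any enclosing archive name) whose extension is
    in SUSPICIOUS_EXTENSIONS. Nested ZIPs are opened recursively up to max_depth levels;
    anything that is not a valid ZIP is treated as having no flagged members."""
    hits: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                name = info.filename
                lower = name.lower()          # extension match is case-insensitive
                if lower.endswith(SUSPICIOUS_EXTENSIONS):
                    hits.append(name)
                elif lower.endswith(".zip") and depth < max_depth:
                    inner_hits = flag_zip_members(zf.read(info), depth + 1, max_depth)
                    hits.extend(f"{name}/{h}" for h in inner_hits)
    except zipfile.BadZipFile:
        return hits
    return hits


def build_sample_attachment() -> bytes:
    """Constructed sample: an outer ZIP holding a benign PDF, a JavaScript file,
    and a nested ZIP that wraps an IMG disk image."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("disk.IMG", b"constructed placeholder, not a real disk image")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("report.pdf", b"%PDF-1.4 benign placeholder")
        z.writestr("invoice.js", b"// constructed placeholder script")
        z.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in flag_zip_members(build_sample_attachment()):
        print("suspicious member:", hit)
```

A mail gateway would run this over each ZIP attachment and quarantine or hold messages with any hit for review.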
