Water Curupira Hackers Actively Distributing PikaBot Loader Malware

A threat actor known as Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023.

“PikaBot’s operators ran phishing campaigns, targeting victims via its two components — a loader and a core module — which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C&C) server,” Trend Micro said in a report published today.

The activity began in the first quarter of 2023 and lasted until the end of June, before ramping up again in September. It also overlaps with prior campaigns that used similar tactics to deliver QakBot, specifically those orchestrated by the cybercrime groups tracked as TA571 and TA577.

It is believed that the rise in the number of phishing campaigns related to PikaBot is the result of QakBot’s takedown in August, with DarkGate emerging as another replacement.

PikaBot is primarily a loader, which means it is designed to launch another payload, including Cobalt Strike, a legitimate post-exploitation toolkit that typically acts as a precursor for ransomware deployment.

The attack chains leverage a technique called email thread hijacking, using existing email threads to trick recipients into opening malicious links or attachments, effectively activating the malware execution sequence.

The ZIP archive attachments, which contain either JavaScript or IMG files, are used as a launchpad for PikaBot. The malware, for its part, checks the system’s language and halts execution should it be either Russian or Ukrainian.
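As an added example (not code from Trend Micro or from this article), the following Python scanner takes the defender's side of the delivery step described above: it inspects a ZIP email attachment for JavaScript or disk-image members, follows one or two levels of nested archives, and flags a document-looking double extension such as "invoice.pdf.js". The sample archives are constructed in memory; the extension list beyond .js and .img is an assumption about common variants.

```python
import io
import zipfile

# The article names JavaScript and IMG files inside ZIP attachments as the
# launchpad; the other entries here are assumed common variants.
SUSPICIOUS_EXTENSIONS = {".js", ".jse", ".img", ".iso", ".vhd"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def _split_extensions(name: str) -> list[str]:
    """Return the lower-cased extensions of a file name, e.g. ['.pdf', '.js']."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]]


def scan_zip_attachment(data: bytes, depth: int = 0, max_depth: int = 2) -> list[dict]:
    """Return findings for archive members whose extension is a known
    script/disk-image launcher. Nested ZIPs are descended up to max_depth."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                exts = _split_extensions(info.filename)
                last = exts[-1] if exts else ""
                if last in SUSPICIOUS_EXTENSIONS:
                    reason = f"{last} payload inside archive"
                    # A document extension immediately before the script
                    # extension is the classic "double extension" lure.
                    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
                        reason += " (double extension)"
                    findings.append({"member": info.filename, "reason": reason})
                elif last == ".zip" and depth < max_depth:
                    # Recurse into the inner archive, prefixing member names.
                    for inner in scan_zip_attachment(zf.read(info), depth + 1, max_depth):
                        findings.append({
                            "member": f"{info.filename}/{inner['member']}",
                            "reason": inner["reason"],
                        })
    except zipfile.BadZipFile:
        findings.append({"member": "<archive>", "reason": "attachment is not a valid ZIP"})
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Build a small in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments; the contents are placeholders, not malware.
SAMPLE_BENIGN = build_sample_zip({"report.pdf": b"%PDF-1.4 constructed sample"})
SAMPLE_JS = build_sample_zip({"Invoice_2023.pdf.js": b"// constructed placeholder"})
SAMPLE_NESTED = build_sample_zip({"docs.zip": build_sample_zip({"scan.img": b"constructed"})})

if __name__ == "__main__":
    for label, blob in [("benign", SAMPLE_BENIGN), ("js", SAMPLE_JS), ("nested", SAMPLE_NESTED)]:
        print(label, scan_zip_attachment(blob))
```

The scanner only inspects member names, which is enough for a first-pass mail-gateway triage; a production filter would also look at member content and cap the size of archives it expands.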

In the next step, it collects details about the victim’s system and forwards them to a C&C server in JSON format. Water Curupira’s campaigns are aimed at dropping Cobalt Strike, which subsequently leads to the deployment of Black Basta ransomware.

“The threat actor also conducted several DarkGate spam campaigns and a small number of IcedID campaigns in the early weeks of the third quarter of 2023, but has since pivoted exclusively to PikaBot,” Trend Micro said.