Water Curupira, an active threat actor, has been identified distributing the PikaBot loader malware through spam campaigns in 2023. The malware consists of a loader and a core module; once the core module establishes a connection with its command-and-control (C&C) server, it gives the operators unauthorized remote access and the ability to execute arbitrary commands, as reported by Trend Micro. The activity began in the first quarter of 2023 and resurfaced in September, overlapping with earlier campaigns linked to the cybercrime groups TA571 and TA577, both known for deploying QakBot. The rise in PikaBot-related phishing campaigns is attributed to the takedown of QakBot in August; DarkGate emerged as another successor in the same period.
PikaBot is primarily a loader, designed to launch additional payloads, including the notorious Cobalt Strike, a post-exploitation toolkit commonly associated with ransomware deployment. The attackers employ email thread hijacking: they reply within existing, legitimate email threads so that recipients are deceived into opening malicious links or attachments, which starts the malware execution sequence. The payload is often concealed in ZIP archive attachments containing JavaScript or IMG (disk image) files that act as the launchpad for PikaBot. Notably, the malware includes a geographic evasion check: it inspects the system's language and ceases execution if the language is Russian or Ukrainian.
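A mail-gateway or SOC triage step that a defender might derive from the delivery chain above is to unpack ZIP attachments (including nested ZIPs) and flag members with the script or disk-image extensions the article names. The following is an added example written for this page; it is not code from Trend Micro or from the article. The flagged extension set, the nesting limit, the size cap and the constructed sample archives are all assumptions made for illustration.

```python
import io
import zipfile

# Assumption: the extensions the article associates with PikaBot lures.
# A production rule would likely include other script and image types too.
SUSPICIOUS_EXTENSIONS = {".js", ".img"}
MAX_NESTING = 3              # assumption: how deep to follow ZIP-in-ZIP
MAX_NESTED_ZIP_BYTES = 50_000_000  # assumption: skip oversized nested archives


def _extension(name: str) -> str:
    """Return the final extension of a member name, lower-cased.

    Only the last extension matters, so a double-extension lure such as
    'Invoice.pdf.js' is classified as JavaScript, not as a PDF.
    """
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def suspicious_members(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """List archive members whose extension is in SUSPICIOUS_EXTENSIONS.

    Nested ZIP members are opened recursively up to MAX_NESTING levels and
    their hits are reported as 'outer.zip/inner-member'. Corrupt or non-ZIP
    input yields an empty list rather than an exception so the caller can
    still route the message to a different check.
    """
    hits: list[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = _extension(info.filename)
            if ext in SUSPICIOUS_EXTENSIONS:
                hits.append(path)
            elif (ext == ".zip" and depth < MAX_NESTING
                  and info.file_size <= MAX_NESTED_ZIP_BYTES):
                hits.extend(suspicious_members(archive.read(info), depth + 1, path + "/"))
    return hits


def _make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name -> content mapping (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_lure() -> bytes:
    """Constructed sample: a ZIP with a double-extension .js file plus a nested
    ZIP that carries an .img member. The contents are placeholder bytes."""
    inner = _make_zip({"scan.img": b"\x00" * 64})
    return _make_zip({
        "Invoice_2023.pdf.js": b"// placeholder, not a real script\n",
        "readme.txt": b"Please see attached.\n",
        "attachments.zip": inner,
    })


def build_benign_zip() -> bytes:
    """Constructed sample: an archive with only document-type members."""
    return _make_zip({"report.pdf": b"%PDF-1.4 placeholder", "notes.txt": b"ok\n"})


if __name__ == "__main__":
    for label, data in (("lure", build_sample_lure()), ("benign", build_benign_zip())):
        print(label, "->", suspicious_members(data) or "no suspicious members")
```

The function reports paths rather than a bare yes/no so that an analyst can see exactly which member triggered the verdict; the nesting and size caps keep a deliberately crafted archive from turning the check into a decompression bomb.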
Further analysis shows that PikaBot, as deployed by Water Curupira, collects system details and transmits them to its C&C server in JSON format. Water Curupira's campaigns in the early weeks of the third quarter of 2023 initially consisted of DarkGate spam runs and a few IcedID campaigns, but the group has since pivoted exclusively to PikaBot. The ultimate goal of these campaigns is to drop Cobalt Strike, which precedes deployment of the Black Basta ransomware. This shift illustrates how threat actors adapt their tooling in response to disruptions such as the QakBot takedown.