Water Curupira hackers are actively spreading PikaBot Loader malware

PikaBot Loader Malware

A threat actor named Water Curupira has been observed actively using the PikaBot loader malware as part of spam campaigns in 2023.

“PikaBot’s operators conducted phishing campaigns, targeting victims through its two components – a loader and a core module – that enabled unauthorized remote access and the execution of arbitrary commands through an established connection to their command-and-control (C&C) server,” Trend Micro said in a report published today.

Activity started in the first quarter of 2023 and lasted until the end of June before picking up again in September. It also overlaps with previous campaigns that have used similar tactics to deliver QakBot, particularly those orchestrated by cybercrime groups known as TA571 and TA577.

It is believed that the rise in PikaBot-related phishing campaigns follows the takedown of QakBot in August, with DarkGate emerging as a new replacement.

PikaBot is primarily a loader: it is designed to launch a follow-on payload, such as Cobalt Strike, a legitimate post-exploitation toolkit that is frequently abused as a precursor to ransomware deployment.

The attack chains use a technique called email thread hijacking, where existing email threads are reused to trick recipients into opening malicious links or attachments, effectively triggering the malware execution sequence.

The ZIP archive attachments, which contain JavaScript or IMG files, serve as the starting point for PikaBot. The malware in turn checks the language of the system and stops execution if it is Russian or Ukrainian.

In the next step, it collects details about the victim’s system and forwards them to a C&C server in JSON format. Water Curupira’s campaigns aim to drop Cobalt Strike, which then leads to the deployment of the Black Basta ransomware.

“The threat actor also ran several DarkGate spam campaigns and a small number of IcedID campaigns in the early weeks of Q3 2023, but has since focused solely on PikaBot,” Trend Micro said.
