Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware


A threat actor called Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023.
“PikaBot’s operators ran phishing campaigns, targeting victims via its two components — a loader and a core module — which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C&C) server,” Trend Micro said in a report published today.
The activity began in the first quarter of 2023 and continued until the end of June, before ramping up again in September. It also overlaps with earlier campaigns that used similar tactics to deliver QakBot, specifically those orchestrated by the cybercrime groups tracked as TA571 and TA577.
It’s believed that the increase in the number of phishing campaigns related to PikaBot is the result of QakBot’s takedown in August, with DarkGate emerging as another replacement.
PikaBot is primarily a loader, which means it’s designed to launch another payload, including Cobalt Strike, a legitimate post-exploitation toolkit that typically acts as a precursor for ransomware deployment.
The attack chains leverage a technique called email thread hijacking, employing existing email threads to trick recipients into opening malicious links or attachments, effectively activating the malware execution sequence.
The ZIP archive attachments, which contain either JavaScript or IMG files, are used as a launchpad for PikaBot. The malware, for its part, checks the system's language and halts execution if it is Russian or Ukrainian.
In the next step, it collects details about the victim's system and forwards them to a C&C server in JSON format. Water Curupira's campaigns ultimately drop Cobalt Strike, which in turn leads to the deployment of Black Basta ransomware.
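The attack chain above starts with a ZIP attachment carrying a JavaScript file or a disk image. The following Python script is an added example (not code from the page, from Trend Micro or from the PikaBot operators) of the kind of mail-gateway triage a defender can run over such attachments: it walks a ZIP held in memory, flags script members and disk-image members, descends into nested ZIPs, and flags encrypted entries. The page names only JavaScript and IMG files; the extra extensions, the nesting limit and the sample attachment are assumptions constructed for the example.

```python
import io
import zipfile
from typing import Dict, List

# File types the page names as PikaBot launchpads inside ZIP attachments
# are JavaScript and IMG. The remaining entries are assumptions for breadth.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf"}
DISK_IMAGE_EXTENSIONS = {".img", ".iso", ".vhd"}
MAX_NESTING = 2  # ZIP-in-ZIP levels to descend (assumed limit)


def _extension(name: str) -> str:
    """Return the lowercase final suffix of a member name ('' if none)."""
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def triage_zip(data: bytes, depth: int = 0, prefix: str = "") -> List[Dict[str, str]]:
    """Walk a ZIP held in memory and return one finding per suspicious member."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = _extension(info.filename)
            # Bit 0 of the general-purpose flag marks an encrypted entry;
            # password-protected lures hide their contents from gateway scanners.
            if info.flag_bits & 0x1:
                findings.append({"member": path, "reason": "encrypted entry"})
                continue
            if ext in SCRIPT_EXTENSIONS:
                findings.append({"member": path, "reason": "script file"})
            elif ext in DISK_IMAGE_EXTENSIONS:
                findings.append({"member": path, "reason": "disk image"})
            elif ext == ".zip" and depth < MAX_NESTING:
                # Recurse into a nested archive, prefixing member paths
                # so the report shows where the file was found.
                findings.extend(triage_zip(zf.read(info), depth + 1, path + "!/"))
    return findings


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Build a ZIP in memory from {name: content}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachment, not a real Water Curupira artifact:
# a decoy text file, a JavaScript dropper named like a document, and a
# nested ZIP carrying a disk image.
INNER = build_sample_zip({"Setup.img": b"\x00" * 64})
SAMPLE_ATTACHMENT = build_sample_zip({
    "readme.txt": b"Please see attached.",
    "Invoice_2023-09.pdf.js": b"var s = new ActiveXObject('WScript.Shell');",
    "archive.zip": INNER,
})

if __name__ == "__main__":
    for finding in triage_zip(SAMPLE_ATTACHMENT):
        print(f"{finding['reason']:15} {finding['member']}")
```

Running the script on the constructed sample reports the double-extension JavaScript file and the IMG file inside the nested archive, while the decoy text file passes. Extension matching is only a first filter: a real gateway should also inspect member contents, since a script or image can be renamed.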
“The threat actor also conducted several DarkGate spam campaigns and a small number of IcedID campaigns during the early weeks of the third quarter of 2023, but has since pivoted exclusively to PikaBot,” Trend Micro said.