A threat actor tracked as Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023.
"PikaBot's operators ran phishing campaigns, targeting victims through its two components — a loader and a core module — which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C&C) server," Trend Micro said in a report published today.
The activity began in the first quarter of 2023 and lasted until the end of June, before ramping up again in September. It also overlaps with prior campaigns that used similar tactics to deliver QakBot, specifically those orchestrated by the cybercrime groups tracked as TA571 and TA577.
It's believed that the rise in the number of PikaBot-related phishing campaigns is the result of QakBot's takedown in August, with DarkGate emerging as another replacement.
PikaBot is primarily a loader, meaning it is designed to launch another payload, including Cobalt Strike, a legitimate post-exploitation toolkit that frequently acts as a precursor to ransomware deployment.
The attack chains leverage a technique called email thread hijacking, in which the attacker replies within existing (previously stolen) email threads to trick recipients into opening malicious links or attachments, effectively triggering the malware execution sequence.
The ZIP archive attachments, which contain either JavaScript or IMG files, are used as a launchpad for PikaBot. The malware, for its part, checks the system's language and halts execution if it is set to either Russian or Ukrainian.
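A practical mail-gateway check that follows from the attachment pattern described above is to open each ZIP attachment and flag archives whose inner files are scripts or disk images rather than documents. The following is an added example written for this page, not code from Trend Micro's report or from PikaBot itself; the extension lists beyond `.js` and `.img` (`.jse`, `.wsf`, `.iso`, `.vhd`), the two-level nesting limit and the sample archives are all assumptions constructed here for illustration.

```python
import io
import zipfile
from typing import Dict, List, NamedTuple

# Inner file types the report names as PikaBot launchpads (.js, .img).
# The extra extensions are assumed related lures, not taken from the report.
SCRIPT_EXTS = frozenset({".js", ".jse", ".wsf"})
DISK_IMAGE_EXTS = frozenset({".img", ".iso", ".vhd"})
MAX_NESTING = 2  # assumption: inspect at most two levels of ZIP-in-ZIP


class Verdict(NamedTuple):
    suspicious: bool
    reasons: List[str]


def _ext(name: str) -> str:
    """Lower-cased extension of the last path component ('' if none)."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def _walk(zip_bytes: bytes, depth: int, prefix: str, reasons: List[str]) -> None:
    """Recursively record why an archive looks like a script/disk-image lure."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        reasons.append(f"{prefix}: not a valid ZIP archive")
        return
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            full = f"{prefix}/{info.filename}"
            if info.flag_bits & 0x1:  # general-purpose bit 0 = entry is encrypted
                reasons.append(f"{full}: encrypted entry (cannot inspect)")
                continue
            ext = _ext(info.filename)
            if ext in SCRIPT_EXTS:
                reasons.append(f"{full}: script file inside archive")
            elif ext in DISK_IMAGE_EXTS:
                reasons.append(f"{full}: disk image inside archive")
            elif ext == ".zip" and depth < MAX_NESTING:
                _walk(zf.read(info), depth + 1, full, reasons)
            elif ext == ".zip":
                reasons.append(f"{full}: nesting deeper than {MAX_NESTING} levels")


def triage_zip_attachment(filename: str, data: bytes) -> Verdict:
    """Return a Verdict for one attachment; any recorded reason makes it suspicious."""
    reasons: List[str] = []
    _walk(data, 0, filename, reasons)
    return Verdict(bool(reasons), reasons)


def _make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content} (used only for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample attachments (not real campaign artifacts).
BENIGN = _make_zip({"invoice_2023-09.pdf": b"%PDF-1.4 sample"})
JS_LURE = _make_zip({"Document_1290.js": b"var a = 1;"})
IMG_LURE = _make_zip({"scan/Attachment.img": b"\x00" * 64})
NESTED_LURE = _make_zip({"inner.zip": _make_zip({"report.js": b"WScript.Echo(1);"})})

if __name__ == "__main__":
    for name, blob in [("benign.zip", BENIGN), ("lure.zip", JS_LURE),
                       ("img.zip", IMG_LURE), ("nested.zip", NESTED_LURE),
                       ("junk.zip", b"not a zip")]:
        v = triage_zip_attachment(name, blob)
        print(name, "SUSPICIOUS" if v.suspicious else "ok", v.reasons)
```

Encrypted entries are flagged rather than skipped because a password-protected archive cannot be inspected by the gateway at all, which is itself a common evasion; treat the flag as a reason for quarantine or manual review rather than as proof of malice.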
In the next step, it collects details about the victim's system and forwards them to a C&C server in JSON format. Water Curupira's campaigns aim to drop Cobalt Strike, which subsequently leads to the deployment of Black Basta ransomware.
"The threat actor also conducted several DarkGate spam campaigns and a small number of IcedID campaigns during the early weeks of the third quarter of 2023, but has since pivoted exclusively to PikaBot," Trend Micro said.