Trend Micro observed the Water Curupira actively propagating the Pikabot loader malware as part of campaigns, more aggressively in Q4 2023. Water Curupira is a Black Basta ransomware affiliate.
Diving into Details
Pikabot gained notoriety for its sophisticated multi-stage attack mechanism, capable of deploying a decrypted shellcode that extracts another DLL file, the actual payload.
Water Curupira's usage of Pikabot in phishing campaigns aligns with their strategy to distribute backdoors like Cobalt Strike, potentially leading to Black Basta ransomware attacks.
The threat actor also conducted several DarkGate and IcedID spam campaigns, pivoting primarily to Pikabot later in the year.
Infection process
Pikabot's initial access to victim machines is typically through spam emails containing malicious archives or PDF attachments.
These emails use thread-hijacking techniques, where existing email threads are hijacked to create convincing malicious messages.
The attachments, which can be password-protected archives or deceptive PDFs, trigger the first stage of the malware attack.
Pikabot reportedly exhibits characteristics similar to the Qakbot malware, and operates as a two-component system: a loader and a core module.
These components facilitate unauthorized remote access and enable the execution of commands via a command-and-control server.
The bottom line
The evolution of Pikabot from a secondary tool to a primary vector for malware distribution highlights the agility and adaptability of cybercriminals. To mitigate such threats, users must exercise caution with email attachments and verify sender authenticity. Organizations are advised to adopt a multilayered security approach, including endpoint protection, advanced threat detection, and regular data backups. These strategies, along with awareness and education, are critical in defending against sophisticated threats like Pikabot.