A threat actor called Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023.
“PikaBot’s operators ran phishing campaigns, targeting victims via its two components — a loader and a core module — which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C&C) server,” Trend Micro said in a report published today.
The activity began in the first quarter of 2023 that lasted till the end of June, before ramping up again in September. It also overlaps with prior campaigns that have used similar tactics to deliver QakBot, specifically those orchestrated by cybercrime groups known as TA571 and TA577.
It’s believed that the increase in the number of phishing campaigns related to PikaBot is the result of QakBot’s takedown in August, with DarkGate emerging as another replacement.
PikaBot is primarily a loader, which means it’s designed to launch another payload, including Cobalt Strike, a legitimate post-exploitation toolkit that typically acts as a precursor for ransomware deployment.
The attack chains leverage a technique called email thread hijacking, employing existing email threads to trick recipients into opening malicious links or attachments, effectively activating the malware execution sequence.
In the next step, it collects details about the victim’s system and forwards them to a C&C server in JSON format. Water Curupira’s campaigns are for the purpose of dropping Cobalt Strike, which subsequently lead to the deployment of Black Basta ransomware.
“The threat actor also conducted several DarkGate spam campaigns and a small number of IcedID campaigns during the early weeks of the third quarter of 2023, but has since pivoted exclusively to PikaBot,” Trend Micro said.