A threat actor named Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023.
“PikaBot’s operators ran phishing campaigns, targeting victims via its two components — a loader and a core module — which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C&C) server,” Trend Micro said in a report published today.
The activity began in the first quarter of 2023 and lasted until the end of June, before ramping up again in September. It also overlaps with prior campaigns that used similar tactics to deliver QakBot, specifically those orchestrated by the cybercrime groups tracked as TA571 and TA577.
It is believed that the increase in the number of phishing campaigns linked to PikaBot is the result of QakBot’s takedown in August, with DarkGate emerging as another alternative.
PikaBot is primarily a loader, meaning it is designed to launch another payload, such as Cobalt Strike, a legitimate post-exploitation toolkit that often acts as a precursor to ransomware deployment.
The attack chains leverage a technique called email thread hijacking, using existing email threads to trick recipients into opening malicious links or attachments, effectively triggering the malware execution sequence.
The ZIP archive attachments, which contain either JavaScript or IMG files, are used as a launchpad for PikaBot. The malware, for its part, checks the system’s language and halts execution should it be either Russian or Ukrainian.
In the next step, it collects information about the victim’s system and forwards it to a C&C server in JSON format. Water Curupira’s campaigns are aimed at dropping Cobalt Strike, which subsequently leads to the deployment of Black Basta ransomware.
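A mail-gateway triage check for the delivery pattern described above (a reply in an existing thread carrying a ZIP archive whose members are JavaScript or IMG files). This is an added example, not code from the article or from Trend Micro; the extension watch list, the sample message and the attachment contents are constructed here for illustration and only the archive's directory is read, nothing is extracted or run.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Member extensions matching the delivery chain described above (ZIP archives
# carrying JavaScript or disk-image files). Hypothetical list; tune to local policy.
SUSPICIOUS_EXTENSIONS = {".js", ".jse", ".img"}


def suspicious_zip_members(zip_bytes: bytes) -> list[str]:
    """Return archive member names whose extension is on the watch list.
    Reads only the central directory; nothing is extracted or executed."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if any(name.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS):
                flagged.append(info.filename)
    return flagged


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Map each ZIP attachment name to its flagged members (empty list = clean).
    A ZIP is recognised by its .zip name or by the local-file-header magic."""
    msg = message_from_bytes(raw, policy=policy.default)
    results: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            try:
                results[filename] = suspicious_zip_members(payload)
            except zipfile.BadZipFile:
                results[filename] = ["<unreadable archive>"]
    return results


def build_sample_message() -> bytes:
    """Constructed sample: a thread reply with a ZIP holding a .js member.
    The member is a harmless placeholder, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2023.js", "// constructed placeholder\n")
    msg = EmailMessage()
    msg["Subject"] = "RE: RE: invoice"
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Invoice_2023.zip")
    return msg.as_bytes()
```

A flagged attachment is a reason to quarantine the message for review; a clean list does not prove the message is safe.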
“The threat actor also conducted several DarkGate spam campaigns and a small number of IcedID campaigns during the early months of the third quarter of 2023, but has since pivoted exclusively to PikaBot,” Trend Micro said.
Some parts of this article are sourced from:
thehackernews.com