Article Details

Scrape Timestamp (UTC): 2024-01-09 16:04:11.592

Source: https://thehackernews.com/2024/01/alert-water-curupira-hackers-actively.html

Original Article Text


Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware

A threat actor called Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023.

"PikaBot's operators ran phishing campaigns, targeting victims via its two components — a loader and a core module — which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C&C) server," Trend Micro said in a report published today.

The activity began in the first quarter of 2023 and lasted until the end of June, before ramping up again in September. It also overlaps with prior campaigns that used similar tactics to deliver QakBot, specifically those orchestrated by the cybercrime groups known as TA571 and TA577.

It's believed that the increase in the number of PikaBot-related phishing campaigns is the result of QakBot's takedown in August, with DarkGate emerging as another replacement.

PikaBot is primarily a loader, which means it's designed to launch another payload, including Cobalt Strike, a legitimate post-exploitation toolkit that typically acts as a precursor to ransomware deployment.

The attack chains leverage a technique called email thread hijacking, in which existing email threads are reused to trick recipients into opening malicious links or attachments, effectively activating the malware execution sequence. The ZIP archive attachments, which contain either JavaScript or IMG files, are used as a launchpad for PikaBot.

The malware, for its part, checks the system's language and halts execution if it is either Russian or Ukrainian. In the next step, it collects details about the victim's system and forwards them to a C&C server in JSON format.

Water Curupira's campaigns are aimed at dropping Cobalt Strike, which subsequently leads to the deployment of Black Basta ransomware.

"The threat actor also conducted several DarkGate spam campaigns and a small number of IcedID campaigns during the early weeks of the third quarter of 2023, but has since pivoted exclusively to PikaBot," Trend Micro said.
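The delivery pattern the article describes (a reply inside an existing thread carrying a ZIP that holds a JavaScript or IMG file) can be turned into a simple mail-gateway triage check. The following Python is an added example, not code from the article or from Trend Micro; the message and ZIP it inspects are constructed in the script, and the header heuristics are assumptions about what "thread hijacking" looks like on the wire.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Entry types the report names as PikaBot launchpads inside ZIP attachments.
LURE_EXTENSIONS = (".js", ".img")


def suspicious_zip_entries(zip_bytes: bytes) -> list[str]:
    """Return the names of ZIP entries whose extension matches a reported lure type."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(LURE_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []  # not a ZIP at all; nothing to inspect


def triage_message(msg: EmailMessage) -> dict:
    """Flag a message that looks like a thread reply and carries a lure ZIP.

    'Thread reply' is an assumed heuristic: an In-Reply-To header or a 'Re:' subject.
    """
    subject = msg.get("Subject", "")
    in_thread = msg.get("In-Reply-To") is not None or subject.lower().startswith("re:")
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            entries = suspicious_zip_entries(part.get_payload(decode=True))
            hits.extend(f"{name}:{e}" for e in entries)
    return {"thread_reply": in_thread, "lure_entries": hits, "flag": in_thread and bool(hits)}


def build_sample() -> EmailMessage:
    """Construct a synthetic message mimicking the lure (placeholder content, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_details.js", "// synthetic placeholder\n")
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = "Re: Q3 invoice follow-up"          # assumed subject
    msg["In-Reply-To"] = "<synthetic-thread@example.invalid>"  # constructed id
    msg.set_content("Please see the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg


if __name__ == "__main__":
    print(triage_message(build_sample()))
```

A real deployment would feed `triage_message` the parsed message from the gateway and route flagged mail to sandboxing rather than blocking on this signal alone.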

Daily Brief Summary

MALWARE // Water Curupira Distributes PikaBot Loader in Phishing Sprees

Water Curupira threat group actively engaged in distributing PikaBot loader malware through spam campaigns.

Phishing campaigns involved a two-component system allowing remote access and execution of commands via a command-and-control server.

The campaigns began in early 2023, surged again in September, and show similarities to past QakBot-related activities by groups TA571 and TA577.

PikaBot serves as an initial payload delivery mechanism to facilitate further malware attacks, such as Cobalt Strike and ultimately ransomware.

Attackers utilize email thread hijacking, making use of ongoing conversations to spread malicious links or files, which trigger the malware.

The malware contains language checks to halt execution for systems with Russian or Ukrainian settings and gathers system details to send to C&C servers.

The primary goal of Water Curupira's campaigns is to deploy Cobalt Strike beacons, leading to Black Basta ransomware infections.

Despite engaging in DarkGate and IcedID campaigns earlier in the year, the group has since focused on propagating PikaBot exclusively.