In 2023, the threat actor known as Water Curupira has been actively disseminating the PikaBot loader malware through spam campaigns.
All about PikaBot Loader Malware
In a recently published report, Trend Micro stated that the operators of PikaBot ran phishing campaigns and that the malware consists of two components, a loader and a core module. Together these give the attackers unauthorized remote access and let them execute arbitrary commands once a connection to their command-and-control (C&C) server is established.
The surge in PikaBot-related phishing campaigns is thought to stem from the takedown of QakBot in August, with DarkGate emerging as its replacement.
Functioning primarily as a loader, PikaBot is designed to launch a further payload such as Cobalt Strike, a legitimate post-exploitation toolkit that is commonly abused as a precursor to ransomware deployment.
The attack chains employ a technique known as email thread hijacking, utilizing existing email threads to deceive recipients into opening malicious links or attachments, thereby initiating the malware execution sequence.
The ZIP archive attachments, housing either JavaScript or IMG files, serve as the starting point for PikaBot. The malware, in turn, examines the system’s language and ceases execution if it is either Russian or Ukrainian.
In the subsequent phase, PikaBot gathers information about the victim’s system and transmits it to a C&C server in JSON format. Water Curupira’s campaigns aim to deploy Cobalt Strike, which, in turn, leads to the activation of the Black Basta ransomware.
Trend Micro reported that the threat actor initially carried out DarkGate spam campaigns and a limited number of IcedID campaigns in the early weeks of the third quarter of 2023. However, they have now shifted exclusively to PikaBot.
Indicators of Compromise
Emails (MD5 / Subject)
4deb812eeae3c499530e1bd4f0e108ba  20231121084934-Re_ PRJIT80245790581.202307.1038-
5be9d3aa133d23c439e5181da7450323  20231121085513-Re_ IMPORTANT COMMUNICATION FROM OU-
de2cab21e6342cf20535b0734d5ca3c0  20231121085656-Re_ URGENTE - Op4148301 - 003-
222b1793938f507877ee194ba0acd86b  20231121090601-Re_ W4M_2457 _ Condomínio do-
7d6a6233a8792ea216a529836c13e923  20231121091041-Re_ NOS561681398996_NIF 501585-
22be88cf8f57d9412eaa40c541f08eb2  20231121090330-Re_ Falhas de arranqque sucessiv-
c28f33fee92fd7396fdb5792dea90365  202311211437_Scanned from a Xerox Multifunction Printer
2430e3a9d5c97d0184f8af59abda4abb  20231121084051-Re_ THE FATHER - Cine-Teatro Marq-

Malicious PDF (SHA256 / detection name)
4c267d4f7155d7f0686d1ac2ea861eaa926fd41a9d71e8f6952caf24492b376b  Trojan.LNK.PIKABOT.YXDKVZ
fbd63777f81cebd7a9f2f1c7f2a8982499fe4d18b9f4aa4e7ed589ceefac47de  Trojan.PDF.PIKABOT.A
29a12bf2f2ff68027ae042a24f1c1285c6bc4b7a495d3d2a8f565ef67141eca8  Trojan.PDF.PIKABOT.B
6c13985e067cfad583bb1f5751821e649a61a41171a5f95ee9dfd254c04f71a8  Trojan.PDF.PIKABOT.B
ed4bba5e886871527fa56beb280f222ef0fde97686db00a74ee02c1a44a0094d  Trojan.PDF.PIKABOT.B
1d365a8a2e72a81a6ffbc6c0c32b28e580872e57df184c270b4fa47ac8b8bf2b  Trojan.PDF.PIKABOT.B
b436380d62babc42fa6b3adc592e1b6b0bd05c5cb1b0c08aa5c55eae738729e7  Trojan.PDF.PIKABOT.C
980e2dccc3b83bab32b13f82091f37a2ffcf302c7fb7e87532c7c618f68c0753  Trojan.PDF.PIKABOT.C
6f9b2fdac415c7eb7fcc31c5ff9aac7e6347ddf4747985b7bac4f76a6f9da193  Trojan.PDF.PIKABOT.C
3b13380f7dfd615707887f3e8904f432aacdbb111822dd596a44366cb5526624  Trojan.PDF.PIKABOT.YXDLNZ
8045ea8720b66291e3c00f6fd1925de11241410421851b7cabe4a707875a1004  Trojan.PDF.PIKABOT.YADLN

Malicious JS (SHA256 / detection name)
7808be7f2b92c775f6ef047ffc857d8731e75bf486a45fec1c4d199b43c5a6c2  Trojan.JS.PIKABOT.YXDKFZ
1dd66462bd11d65247fff82ae81358c9e1b5e1024a953478b8a5de8f5fc5443a  Trojan.JS.PIKABOT.A
ea63ac688aec3ab8920d83617f214922c16aedee341edbe3a18469179555fb21  Trojan.JS.PIKABOT.A
07279c93f0532a4f5bc4617ab3cb30b7c336f71f587e934a5a0e35ce88fbf632  Trojan.JS.PIKABOT.A
2dad1218d4950ba3a84cfce17af2d8d4ece92f623338d49b357ec9d973ecf8a8  Trojan.JS.PIKABOT.A
33e03a536f869dee3ffa0b1bc8c885f77c50d0a7974b6e9b4041a5a254255c34  Trojan.JS.PIKABOT.A
1a12028a0e0ecc32160e5372a45d95e3045421906f2c807b7c4c8f4a85d47469  Trojan.JS.PIKABOT.A
6e18eb1884d2a1a20a0d6a4dcdaf1b7ab342271b2de0d0327848f37eb45e785e  Trojan.JS.PIKABOT.D
7094f89bf955dfbdcc4de8943af2328aa7475c2fb6af305c76a6df73aff8b1c3  Trojan.JS.PIKABOT.B
2c49ff53d0cf0ea36f34148598b8eacca12a1a654bfc09c4e00d6b60a8ad57fe  Trojan.JS.PIKABOT.B
8514b9d2fe185989d996a2669788910405af5e8fd7102ab3decdd4d727af35df  Trojan.JS.PIKABOT.B
79b1ac4dc5cae6d03548c2ab570e98f9cfb7e4da24480ce3d513b1abdd13bf21  Trojan.JS.PIKABOT.YXDKDZ
PikaBot downloader URLs
hxxps://sindicaturadetecate[.]gob[.]mx/pe/?IDbHJCMofpEIzDQjrcwNcDqHoiQRnSKZQcA
hxxps://lsn[.]edu[.]dz/pqis/?aWDzZBatBsyv
hxxp:188[.]34[.]192[.]184/76DKN6/Wheez
hxxps://brouweres[.]com:443/vvs49/0.6515179055030298.dat
hxxps://brouweres[.]com:443/vvs49/0.8450027286577588.dat
hxxps://brouweres[.]com:443/vvs49/0.15313287608559223.dat
hxxps://brouweres[.]com:443/vvs49/0.9900618798908114.dat
PikaBot C&C servers (IP:port)
15[.]235[.]202[.]109:2226
15[.]235[.]44[.]231:5938
15[.]235[.]45[.]155:2221
15[.]235[.]47[.]206:13783
15[.]235[.]47[.]80:23399
154[.]221[.]30[.]136:13724
154[.]61[.]75[.]156:2078
154[.]92[.]19[.]139:2222
188[.]26[.]127[.]4:13785
210[.]243[.]8[.]247:23399
51[.]195[.]232[.]97:13782
51[.]68[.]147[.]114:2083
51[.]79[.]143[.]215:13783
64[.]176[.]5[.]228:13783
137[.]220[.]55[.]190:2223
65[.]20[.]78[.]68:13721
139[.]180[.]216[.]25:2967
70[.]34[.]209[.]101:13720
172[.]233[.]156[.]100:13721
64[.]176[.]67[.]194:2967
158[.]247[.]253[.]155:2225
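The indicators above are published defanged (hxxp, [.]) so they cannot be clicked by accident, which means they have to be refanged before they can be matched against logs. The following is an added example, not code from this article or from Trend Micro's report: it refangs a subset of the downloader URLs and C&C IP:port pairs listed above, then scans a constructed key=value proxy/firewall log for contacts with those indicators. The log format and the internal source addresses are invented for the example; a real deployment would replace them with the organisation's own proxy and firewall export.

```python
import re
from ipaddress import ip_address

# Subset of the PikaBot network indicators from the IoC section, in defanged form.
DOWNLOADER_URLS = [
    "hxxps://sindicaturadetecate[.]gob[.]mx/pe/?IDbHJCMofpEIzDQjrcwNcDqHoiQRnSKZQcA",
    "hxxps://lsn[.]edu[.]dz/pqis/?aWDzZBatBsyv",
    "hxxps://brouweres[.]com:443/vvs49/0.6515179055030298.dat",
]
C2_SERVERS = [
    "15[.]235[.]202[.]109:2226",
    "154[.]221[.]30[.]136:13724",
    "51[.]68[.]147[.]114:2083",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp scheme, [.] dots) back into its plain form."""
    plain = indicator.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?):", r"http\1:", plain, flags=re.IGNORECASE)


def indicator_sets():
    """Build lookup sets: downloader hostnames and C&C (ip, port) pairs."""
    hosts = set()
    for url in DOWNLOADER_URLS:
        # strip scheme, then path, then any explicit port to keep only the hostname
        host = re.sub(r"^https?://", "", refang(url)).split("/")[0].split(":")[0]
        hosts.add(host.lower())
    c2_pairs = set()
    for entry in C2_SERVERS:
        ip, port = refang(entry).rsplit(":", 1)
        ip_address(ip)  # raises ValueError if an indicator was mistyped
        c2_pairs.add((ip, int(port)))
    return hosts, c2_pairs


# Constructed log lines (hypothetical key=value format): one proxy hit on a
# downloader host, one direct hit on a C&C ip:port, one contact with a C&C IP on a
# different port, and two benign lines.
SAMPLE_LOG = [
    "2023-11-21T08:50:12Z proxy src=10.0.0.15 host=brouweres.com url=https://brouweres.com:443/vvs49/0.6515179055030298.dat",
    "2023-11-21T08:50:40Z proxy src=10.0.0.15 host=www.example.com url=https://www.example.com/",
    "2023-11-21T08:51:03Z fw src=10.0.0.15 dst=15.235.202.109 dport=2226 action=allow",
    "2023-11-21T08:52:17Z fw src=10.0.0.22 dst=51.68.147.114 dport=443 action=allow",
    "2023-11-21T08:53:00Z fw src=10.0.0.22 dst=93.184.216.34 dport=443 action=allow",
]

LOG_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_fields(line: str) -> dict:
    """Extract key=value tokens from one log line."""
    return dict(LOG_FIELD.findall(line))


def scan(lines, hosts, c2_pairs):
    """Return (line_no, match_kind, matched_value) for every line touching an indicator.

    An exact ip:port match is the strongest signal; a C&C IP reached on some other
    port is reported separately so an analyst can triage it as a weaker hit.
    """
    c2_ips = {ip for ip, _ in c2_pairs}
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse_fields(line)
        host = f.get("host", "").lower()
        if host in hosts:
            hits.append((n, "downloader-host", host))
            continue
        dst, dport = f.get("dst"), f.get("dport")
        if dst and dport and (dst, int(dport)) in c2_pairs:
            hits.append((n, "c2-ip-port", f"{dst}:{dport}"))
        elif dst in c2_ips:
            hits.append((n, "c2-ip-other-port", f"{dst}:{dport}"))
    return hits


def scan_sample():
    hosts, c2_pairs = indicator_sets()
    return scan(SAMPLE_LOG, hosts, c2_pairs)


if __name__ == "__main__":
    for line_no, kind, value in scan_sample():
        print(f"line {line_no}: {kind} -> {value}")
```

Hostname matching is deliberately done on the host rather than the full URL, because the brouweres[.]com payload names above are random-looking numbers and any new download from that host is worth a look; the IP-only branch exists because C&C operators rotate ports far more often than addresses.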