Pikabot Spam Campaign by Black Basta-Aligned Water Curupira
Pikabot activity rose through 2023, and its distribution increased markedly to fill the gap left by the disruption of Qakbot's infrastructure. Trend Micro researchers observed Pikabot in active campaigns as early as the first quarter of 2023, followed by a hiatus from late June until early September. Operations resumed at roughly the time law enforcement dismantled Qakbot's infrastructure at the end of August 2023, which suggests Pikabot was positioned as a replacement. Pikabot distribution has also been tied to intrusions that ended in the deployment of Black Basta ransomware, and Trend Micro attributes this activity to the threat actor it tracks as Water Curupira. Pikabot is a loader delivered through phishing campaigns; once running, it gives the operator remote access to the compromised host and executes commands received from a command-and-control (C&C) server.
The Pikabot payload is multi-stage and multi-component. On execution it first runs anti-analysis routines, including loading incorrect libraries and checking for sandbox environments. It then decrypts a core module and injects it into a suspended process. The core module collects system information and forwards it to the C&C server; the data is encrypted before transmission and includes the output of reconnaissance utilities such as whoami.exe, ipconfig.exe, and netstat.exe. Because these are legitimate Windows binaries, the useful detection signal is the context in which they run, not the binaries themselves.
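As an added illustration that is not part of the Trend Micro write-up, the following Python correlates process-creation events and flags the reconnaissance burst the core module produces: one parent launching whoami.exe, ipconfig.exe and netstat.exe within a short window. The Sysmon-style log format, host names, PIDs and the parent image are constructed for the example; the page does not name the process Pikabot injects into, so the rule keys on the parent-to-child burst rather than on any particular parent.

```python
"""
Added example (not from the Trend Micro report): flag a host-recon burst in
process-creation telemetry. Pikabot's core module runs whoami.exe, ipconfig.exe
and netstat.exe and ships the (encrypted) output to its C&C. Each binary is
benign on its own, so the signal is one parent spawning all three in a short
window. Log format, hosts, PIDs and the parent image below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RECON_IMAGES = {"whoami.exe", "ipconfig.exe", "netstat.exe"}

# Constructed events in a Sysmon Event ID 1 style:
# UtcTime|Computer|ParentProcessId|ParentImage|Image
# WS01: an injected process (parent image is a placeholder, not from the report)
#       runs all three recon tools within a few seconds -> should alert.
# WS02: an admin shell runs the same tools spread over 25 minutes -> no alert
#       with the default 60-second window.
SAMPLE_EVENTS = """\
2023-09-12T10:15:01Z|WS01|1304|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe
2023-09-12T10:15:04Z|WS01|4412|C:\\Windows\\System32\\wermgr.exe|C:\\Windows\\System32\\whoami.exe
2023-09-12T10:15:05Z|WS01|4412|C:\\Windows\\System32\\wermgr.exe|C:\\Windows\\System32\\ipconfig.exe
2023-09-12T10:15:07Z|WS01|4412|C:\\Windows\\System32\\wermgr.exe|C:\\Windows\\System32\\netstat.exe
2023-09-12T10:20:00Z|WS02|2200|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\ipconfig.exe
2023-09-12T10:31:00Z|WS02|2200|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\whoami.exe
2023-09-12T10:45:00Z|WS02|2200|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\netstat.exe
"""


def parse_event(line):
    """Split one pipe-delimited line into a dict; matching uses the image basename."""
    ts, host, ppid, parent_image, image = line.strip().split("|")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "ppid": int(ppid),
        "parent_image": parent_image,
        "image": image.rsplit("\\", 1)[-1].lower(),
    }


def detect_recon_bursts(log_text, window_seconds=60, required=RECON_IMAGES):
    """Return one alert per (host, parent PID, parent image) whose children
    include every required recon image within window_seconds of the first."""
    by_parent = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["image"] in required:
            by_parent[(ev["host"], ev["ppid"], ev["parent_image"])].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, ppid, parent_image), events in by_parent.items():
        events.sort(key=lambda e: e["time"])
        for i, first in enumerate(events):
            # Sliding window anchored on each recon launch in turn.
            seen = set()
            for ev in events[i:]:
                if ev["time"] - first["time"] > window:
                    break
                seen.add(ev["image"])
            if seen >= set(required):
                alerts.append({
                    "host": host,
                    "ppid": ppid,
                    "parent_image": parent_image,
                    "start": first["time"],
                    "images": sorted(seen),
                })
                break  # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for a in detect_recon_bursts(SAMPLE_EVENTS):
        print(f"{a['host']}: PID {a['ppid']} ({a['parent_image']}) ran "
              f"{', '.join(a['images'])} starting {a['start']:%H:%M:%S}")
```

The window and the required set are the tuning knobs: administrators do run these utilities, so a real deployment would exclude known administrative shells or jump hosts and treat the burst as one signal to be joined with others (an unusual parent for these children, or an outbound connection from that parent shortly afterwards). Because Pikabot encrypts the collected output before sending it, host telemetry of this kind, not network content inspection, is where the reconnaissance step is visible.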
Water Curupira, the actor Trend Micro tracks behind these Pikabot campaigns, has run a range of malicious operations, including dropping backdoors such as Cobalt Strike that preceded Black Basta ransomware deployments. According to Trend Micro's investigation, the group ran DarkGate and IcedID loader campaigns earlier in 2023 and has since pivoted exclusively to Pikabot.