2024-01-18

Pikabot Spam Campaign by Black Basta-Aligned Water Curupira

Level: Tactical | Source: Trend Micro | Global

Pikabot malware activity was on the rise in 2023, with its distribution notably increasing to fill the gap left by the disruption of Qakbot's infrastructure. Trend Micro researchers have revealed that Pikabot was actively deployed in cyberattacks as early as the first quarter of 2023. However, there was a noticeable hiatus in its operations from late June until early September. The hiatus ended around the time law enforcement dismantled Qakbot, suggesting Pikabot's emergence as a potential replacement. Moreover, Pikabot's distribution has been linked to intrusions that led to the deployment of Black Basta ransomware, with the malware activity being attributed to the threat actor known as Water Curupira. As a sophisticated loader used in phishing campaigns, Pikabot is adept at facilitating unauthorized remote access and executing commands received from a command-and-control (C&C) server.

Pikabot’s infection process is reported to begin with phishing emails containing either a ZIP or PDF attachment. These emails often employ thread-hijacking techniques, using previously stolen email threads to create convincing fraudulent messages. Once the victim opens the attachment, a heavily obfuscated JavaScript file is executed. This script runs a series of commands through cmd.exe and, if necessary, uses curl.exe to download the Pikabot payload from an external server. The script then uses rundll32.exe to execute the downloaded payload. Another observed attack vector involves IMG files containing a disguised LNK file together with the Pikabot DLL payload, which is likewise executed using rundll32.exe.

The Pikabot payload itself is a multi-stage, multi-component piece of malware. Upon execution, it first runs anti-analysis routines, including loading incorrect libraries and detecting sandbox environments. It then decrypts and injects a core module into a suspended process, gathering system information and forwarding it to a C&C server. This information is encrypted and includes data collected from running processes like whoami.exe, ipconfig.exe, and netstat.exe.
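The two behaviours described above (the script host → cmd.exe → curl.exe / rundll32.exe delivery chain, and the burst of whoami.exe, ipconfig.exe and netstat.exe spawned for system discovery) are both visible in process-creation telemetry. The following is an added example of detection logic over such events; it is not code from Trend Micro or Anvilogic. The event records are constructed, and the Sysmon-style field names (`ts`, `pid`, `ppid`, `image`), the 60-second window and the three-tool threshold are assumptions a deployment would tune.

```python
"""Constructed detection logic for two Pikabot behaviours in process-creation telemetry:
  1. curl.exe or rundll32.exe whose ancestry contains cmd.exe and a script host
  2. one parent process spawning a burst of discovery tools within a short window
Field names and thresholds are assumptions, not from the original report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
CHAIN_TAILS = {"curl.exe", "rundll32.exe"}
DISCOVERY = {"whoami.exe", "ipconfig.exe", "netstat.exe"}
WINDOW = timedelta(seconds=60)   # assumed window for the discovery burst rule

# Constructed sample events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-01-18T09:00:00", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"ts": "2024-01-18T09:01:00", "pid": 200, "ppid": 100, "image": "wscript.exe"},   # obfuscated JS opened
    {"ts": "2024-01-18T09:01:02", "pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"ts": "2024-01-18T09:01:03", "pid": 400, "ppid": 300, "image": "curl.exe"},      # payload download
    {"ts": "2024-01-18T09:01:05", "pid": 500, "ppid": 300, "image": "rundll32.exe"},  # payload execution
    {"ts": "2024-01-18T09:01:10", "pid": 700, "ppid": 500, "image": "whoami.exe"},
    {"ts": "2024-01-18T09:01:11", "pid": 701, "ppid": 500, "image": "ipconfig.exe"},
    {"ts": "2024-01-18T09:01:12", "pid": 702, "ppid": 500, "image": "netstat.exe"},
    # benign admin activity: a single ipconfig from an interactive cmd.exe
    {"ts": "2024-01-18T10:00:00", "pid": 800, "ppid": 100, "image": "cmd.exe"},
    {"ts": "2024-01-18T10:00:05", "pid": 801, "ppid": 800, "image": "ipconfig.exe"},
]


def detect_script_chain(events):
    """Flag curl.exe / rundll32.exe whose ancestors include cmd.exe and a script host."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["image"].lower() not in CHAIN_TAILS:
            continue
        ancestors, cur = [], e
        # Walk up the parent chain; the depth guard protects against pid reuse loops.
        while cur["ppid"] in by_pid and len(ancestors) < 10:
            cur = by_pid[cur["ppid"]]
            ancestors.append(cur["image"].lower())
        if "cmd.exe" in ancestors and SCRIPT_HOSTS & set(ancestors):
            alerts.append({"rule": "script_host_cmd_chain", "pid": e["pid"],
                           "image": e["image"], "ancestors": ancestors})
    return alerts


def detect_discovery_burst(events, min_distinct=3, window=WINDOW):
    """Flag a parent that spawns >= min_distinct distinct discovery tools inside one window."""
    by_parent = defaultdict(list)
    for e in events:
        if e["image"].lower() in DISCOVERY:
            by_parent[e["ppid"]].append((datetime.fromisoformat(e["ts"]), e["image"].lower()))
    alerts = []
    for ppid, runs in by_parent.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):
            tools = {img for t, img in runs[i:] if t - t0 <= window}
            if len(tools) >= min_distinct:
                alerts.append({"rule": "discovery_burst", "ppid": ppid,
                               "tools": sorted(tools), "start": t0.isoformat()})
                break   # one alert per parent is enough
    return alerts


def run_all(events):
    """Run both rules and return the combined alert list."""
    return detect_script_chain(events) + detect_discovery_burst(events)


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

The chain rule deliberately keys on ancestry rather than on a direct parent, because the script may spawn cmd.exe, which in turn launches curl.exe and rundll32.exe; the burst rule keys on the parent of the discovery tools, so a lone ipconfig.exe from an interactive shell does not fire.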

Water Curupira, the group behind Pikabot, has been involved in various malicious campaigns, including dropping backdoors like Cobalt Strike, which have led to Black Basta ransomware attacks. Trend Micro’s investigation reveals that Water Curupira has pivoted exclusively to Pikabot following their earlier DarkGate and IcedID campaigns.
