Water Curupira Hackers Actively Disseminating PikaBot Malware

A notable cybersecurity threat has emerged with the identification of a threat actor named Water Curupira engaging in the active distribution of the PikaBot loader malware through targeted spam campaigns in 2023. Detailed in a report, PikaBot’s modus operandi involves phishing campaigns, leveraging a two-component structure comprising a loader and a core module. This enables unauthorized remote access and facilitates the execution of arbitrary commands by establishing a connection with the command-and-control (C&C) server.

The observed activity commenced in the first quarter of 2023, extending until the end of June, with a resurgence noted in September. Notably, this period coincides with prior campaigns utilizing similar tactics for the deployment of QakBot, particularly those orchestrated by cybercrime groups identified as TA571 and TA577.

The surge in phishing campaigns associated with PikaBot is believed to be a consequence of the takedown of QakBot in August, with the emergence of DarkGate as a potential replacement. Functioning primarily as a loader, PikaBot is designed to initiate the launch of additional payloads.

The attack chains orchestrated by Water Curupira exploit a technique known as email thread hijacking, manipulating existing email threads to deceive recipients into opening malicious links or attachments, thereby activating the malware sequence. ZIP archive attachments, housing JavaScript or IMG files, serve as the launching point for PikaBot. Notably, the malware incorporates a check for the system’s language, ceasing execution if it detects Russian or Ukrainian languages.

Following this, PikaBot collects system details and transmits them in JSON format to a C&C server. The researcher also highlighted that the threat actor, Water Curupira, initially conducted DarkGate spam campaigns and a limited number of IcedID campaigns in the early weeks of the third quarter of 2023 but has since shifted focus exclusively to PikaBot.

Enhance your organization’s resilience against PikaBot and related threats by implementing robust email security measures. Educate employees on recognizing phishing attempts, particularly those employing email thread hijacking. Regularly update security protocols, conduct system checks for vulnerabilities, and promptly apply patches. Employ advanced threat detection tools to identify and neutralize PikaBot and its associated malware.