Water Curupira, a threat actor affiliated with the notorious Black Basta ransomware, is running an ongoing cybercriminal campaign that distributes the Pikabot malware. Reports reveal a significant increase in Water Curupira’s activity during the last quarter of 2023.
This surge of malicious campaigns highlights the group’s strategic shift towards deploying Pikabot through phishing campaigns, particularly as an initial foothold for Black Basta ransomware attacks.
Pikabot has become one of the primary tools of various threat actors because of its sophisticated multi-stage attack mechanism: it decrypts shellcode that in turn extracts another DLL file, which is the actual payload.
This evolution from a secondary tool to a primary vector for malware distribution shows how malware developers adapt as cybersecurity measures improve.
Pikabot malware commonly spreads via spam emails.
The infection process relies on spam emails as the primary vector. These deceptive emails use thread-hijacking techniques, inserting malicious messages into existing email threads so that they appear legitimate. The operators often conceal the malicious payload within password-protected archives or deceptive PDFs, which initiate the first stage of the attack.
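The delivery pattern described above (a reply-style lure carrying a password-protected archive or a PDF) is something a mail gateway can flag before any payload runs. The following is an added example, not code from the original article or from any vendor tool: it scans a constructed `.eml` with Python's standard `email` library, checks each attachment's magic bytes, reads the encryption bit in the ZIP local file header, and applies one assumed heuristic for thread hijacking (a "RE:"-style subject with no `In-Reply-To`/`References` headers). The sample messages and ZIP bytes are constructed inline.

```python
"""Flag mail attachments matching the Pikabot delivery pattern (added example, constructed data)."""
import io
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"
PDF_MAGIC = b"%PDF"


def zip_is_encrypted(data: bytes) -> bool:
    """True if the first ZIP local file header has the encryption bit set.

    Layout: signature (4) | version needed (2) | general-purpose flags (2) | ...
    Bit 0 of the flags field marks a password-protected entry.
    """
    if len(data) < 8 or not data.startswith(ZIP_MAGIC):
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)


def looks_like_hijacked_thread(msg: EmailMessage) -> bool:
    """Assumed heuristic: the subject claims to be a reply, yet the message carries
    none of the headers a real mail client adds when replying."""
    subject = (msg["Subject"] or "").strip().lower()
    is_reply = subject.startswith(("re:", "fw:", "fwd:"))
    has_threading = bool(msg["In-Reply-To"] or msg["References"])
    return is_reply and not has_threading


def scan_message(raw: bytes) -> list:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if looks_like_hijacked_thread(msg):
        findings.append("reply-style subject without In-Reply-To/References headers")
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if data.startswith(ZIP_MAGIC):
            if zip_is_encrypted(data):
                findings.append(f"{name}: password-protected ZIP attachment")
            else:
                findings.append(f"{name}: ZIP attachment")
        elif data.startswith(PDF_MAGIC):
            findings.append(f"{name}: PDF attachment (inspect for embedded links)")
    return findings


# --- constructed sample inputs ---------------------------------------------

# A 30-byte ZIP local file header with only the encryption flag (bit 0) set.
ENCRYPTED_ZIP = ZIP_MAGIC + struct.pack("<HH", 20, 1) + b"\x00" * 22

# A genuine, unencrypted archive produced by the standard library.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("doc.txt", "hello")
PLAIN_ZIP = _buf.getvalue()


def build_sample_mail(attachment: bytes, filename: str, with_thread_headers: bool) -> bytes:
    """Build a constructed message; addresses use the reserved .invalid TLD."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "RE: invoice from last week"
    if with_thread_headers:
        msg["In-Reply-To"] = "<orig-123@example.invalid>"
    msg.set_content("Please find the attached document.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in [
        ("lure", build_sample_mail(ENCRYPTED_ZIP, "invoice.zip", False)),
        ("benign", build_sample_mail(PLAIN_ZIP, "doc.zip", True)),
    ]:
        print(label, "->", scan_message(raw) or ["no findings"])
```

The ZIP check deliberately reads only the first local file header rather than opening the archive, so a malformed or truncated file cannot trip the scanner; a production gateway would additionally check every entry and nested archives. The thread-hijacking heuristic is coarse by design and is meant to raise a score, not block on its own.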
Pikabot’s characteristics resemble those of the infamous Qakbot malware, with a two-component design consisting of a loader and a core module. This combination gives attackers unauthorised remote access and lets them execute commands received from a C2 server.
Water Curupira’s use of Pikabot in phishing campaigns fits its goal of distributing backdoors such as Cobalt Strike, potentially setting the stage for Black Basta ransomware operations.
The threat actor’s earlier activity consisted of DarkGate and IcedID spam campaigns, with a discernible shift towards Pikabot as the preferred tool later in the year. This adaptation shows the dynamic nature of cybercriminals and the need for constant vigilance in the cybersecurity landscape.
Therefore, users should be more cautious when opening email attachments to combat the rising menace of Pikabot and its affiliates, and should diligently verify the authenticity of senders to avoid infection and thwart such campaigns.
Organisations should implement a multilayered security approach that includes endpoint protection, advanced threat detection, and regular data backups. Combining these strategies with awareness and proper knowledge could fortify defences against sophisticated threats like Pikabot.