A threat actor associated with Black Basta ransomware attacks has been wielding a new loader similar to the notoriously hard-to-kill Qakbot, in a widespread phishing campaign aimed at gaining entry to organization networks for further malicious activity.
Tracked as Water Curupira by Trend Micro, the actor is best known for conducting dangerous campaigns to drop backdoors such as Cobalt Strike that ultimately lead to Black Basta ransomware attacks, researchers said in a post published Jan. 9.
Water Curupira was active in the first quarter of 2023, then appeared to take a break at the end of June that lasted until the start of September, when campaigns started in earnest again, according to Trend Micro. Recently, the actor has conducted phishing campaigns that drop a new loader, Pikabot — which has similarities to and could even be a replacement for Qakbot, an initial access Trojan that often preceded Black Basta ransomware and was taken down in a law-enforcement operation called Operation Duck Hunt in August 2023.
"An increase in the number of phishing campaigns related to Pikabot was recorded in the last quarter of 2023, coinciding with the takedown of Qakbot," according to the post, attributed to Trend Micro researchers.
Water Curupira also conducted several DarkGate spam and IcedID campaigns during the early weeks of the third quarter of 2023, but has since pivoted exclusively to Pikabot, they said.
Qakbot has persisted as a threat even after its takedown, which put the malware out of commission on some 700,000 infected machines. But Pikabot — which includes both a loader and core module within the same file, as well as shellcode that decrypts a payload in the form of a DLL file from its resources — has also emerged in Water Curupira's campaigns with a similar mission.
So far, the researchers have observed distinct clusters of Cobalt Strike beacons with more than 70 command-and-control (C2) domains leading to Black Basta that have been dropped by Water Curupira campaigns, they said.
Thread-Jacking for Legitimacy
Water Curupira's Pikabot campaigns begin with phishing emails that employ thread-jacking, a technique that uses existing email threads — possibly stolen from previous victims — to create emails that look like they are part of a previous conversation. This increases the likelihood that a victim will think the email is legitimate and engage with the threat actor.
The campaign sends emails from addresses created either on newly registered domains or at free email services, using names that appear in the original hijacked email threads. The message includes most of the content of the original thread, including the email subject, but also adds a short message on top directing the recipient to open a malicious email attachment.
The attachment is either a password-protected archive .ZIP file containing an .IMG file, or a .PDF file that contains a heavily obfuscated JavaScript, and the password to the file is included in the email message. The actor used various names and passwords for file attachments observed in the campaign, the researchers noted.
Once executed by the victim, the JavaScript will attempt to execute a series of commands using conditional execution to get to its eventual download of Pikabot from an external server, and then execution of the malware.
If the malicious attachment is an .IMG file, it contains two additional files — a .LNK file posing as a Word document and a DLL file, the latter of which is the Pikabot payload extracted straight from the email attachment.
As for the payload itself, Pikabot won't attack a system if it detects Russian or Ukrainian as the system language, suggesting that Water Curupira may be aligned with one or both of those countries. Its core module conducts a multi-stage attack that exfiltrates various details about the infected system and sends them to a C2 server controlled by the actor, which then has access to the system to carry out further malicious activity.
Avoiding Pikabot Malware Compromise
Trend Micro included a list of indicators of compromise (IoCs) in the post and advised that all users should maintain vigilance when receiving emails, employing best practices to avoid falling victim to phishing, which remains a key way that threat actors gain initial entry into corporate systems.
Those practices should include hovering over embedded links with the pointer to learn where the link leads, as well as checking the sender's identity, being sure to flag unfamiliar email addresses, mismatched email and sender names, and spoofed company emails as likely malicious.
If the email claims to come from a legitimate company, recipients should verify both the sender and the email content before downloading attachments or selecting embedded links. The researchers also advised basic security hygiene to keep OSes and other software updated with the latest patches, as well as regular backups to keep essential data saved in an external, secure location.
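As an added example, not code from Trend Micro's post: a small Python triage check that scores one message for the traits described above (a reply-style thread sent from a free-mail domain, a display name reused from the quoted thread but with a changed address, and a password-protected attachment whose password is handed over in the same body). The sample message and the free-mail domain list are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not a real campaign message): a free-mail "reply" reusing a name from the quoted thread
SAMPLE_EMAIL = """\
From: "Jane Doe" <jane.doe.acct@freemail.example>
Subject: RE: Q3 invoice reconciliation
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Bob, the updated file is attached. Password: 1234

On Tue, Jane Doe <jane.doe@contoso.example> wrote:
--b1
Content-Type: application/zip; name="invoice_docs.zip"
Content-Disposition: attachment; filename="invoice_docs.zip"

UEsDBAo=
--b1--
"""
FREE_MAIL_DOMAINS = {"freemail.example", "gmail.com", "outlook.com", "yahoo.com"}  # assumed list
RISKY_EXTS = (".zip", ".img", ".pdf", ".lnk", ".js")
PASSWORD_HINTS = ("password", "passcode", "pwd")
QUOTED_SENDER = re.compile(r"([^<\n]+?)\s*<([^>]+)>\s+wrote:", re.I)

def score_message(raw: str) -> list[str]:
    """Return the phishing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # Thread-jacking signal: reply-style subject plus quoted history, sent from a free-mail domain
    if re.match(r"\s*(re|fw|fwd):", msg.get("Subject", ""), re.I) and "wrote:" in text and domain in FREE_MAIL_DOMAINS:
        findings.append("reply to existing thread from free-mail domain")
    # Name reuse: the From display name also appears in the quoted thread, but with another address
    for name, quoted_addr in QUOTED_SENDER.findall(text):  # endswith tolerates the "On <date>," prefix
        if display and name.strip().lower().endswith(display.lower()) and quoted_addr.lower() != addr.lower():
            findings.append(f"display name '{display}' matches thread but sending address changed")
    # Risky attachment type whose password is handed over in the same message body
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTS) and any(h in text.lower() for h in PASSWORD_HINTS):
            findings.append(f"password-protected attachment '{fname}' with password in body")
    return findings
```

Each finding is a string so the function can feed a mail-gateway rule or a SOC triage script; a message with none of the traits returns an empty list.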