Pikabot Malware Surfaces As Qakbot Replacement for Black Basta Attacks

A threat actor associated with Black Basta ransomware attacks has been wielding a new loader similar to the notoriously hard-to-kill Qakbot, in a widespread phishing campaign aimed at gaining entry to organization networks for further malicious activity.
Tracked as Water Curupira by Trend Micro, the actor is best known for conducting dangerous campaigns to drop backdoors such as Cobalt Strike that ultimately lead to Black Basta ransomware attacks, researchers said in a post published Jan. 9.
Water Curupira was active in the first quarter of 2023, then appeared to take a break the end of June that lasted until the start of September, when campaigns started in earnest again, according to Trend Micro.
Recently, the actor has conducted phishing campaigns that drop a new loader, Pikabot - which has similarities to and could even be a replacement for Qakbot, an initial access Trojan which often preceded Black Basta ransomware and was taken down in a law-enforcement operation called Operation Duck Hunt in August 2023.
Water Curupira also conducted several DarkGate spam and IcedID campaigns during the early weeks of the third quarter of 2023, but has since pivoted exclusively to Pikabot, they said.
Qakbot has persisted as a threat even after its takedown, which put the malware out of commission on some 700,000 infected machines.
Pikabot - which includes both a loader and core module within the same file, as well as a shellcode that decrypts a payload in the form of DLL file from its resources - also has emerged in Water Curupira's campaigns with a similar mission.
The researchers have observed distinct clusters of Cobalt Strike beacons with more than 70 command-and-control domains leading to Black Basta that have been dropped by Water Curupira campaigns, they said.
Thread-Jacking for Legitimacy Water Curupira's Pikabot campaigns begin with phishing emails that employ thread-jacking, a technique that uses existing email threads - possibly stolen from previous victims - to create emails that look like they are part of a previous conversation.
This increases the likelihood that a victim will think the email is legitimate and engage with the threat actor.
The campaign sends emails using addresses that are created either through new domains or free email services that use names that can be found in original hijacked email threads.
The message includes most of the content of the original thread, including the email subject, but also adds a short message on top directing the recipient to open a malicious email attachment.
IMG file, or a.PDF file that contains a heavily obfuscated JavaScript, and the password to the file is included in the email message.
The actor used various names and passwords for file attachments observed in the campaign, the researchers noted.
Once executed by the victim, the JavaScript will attempt to execute a series of commands using conditional execution to get to its eventual download of Pikabot from an external server, and then execution of the malware.
IMG file, it contains two additional files - a.LNK file posing as a Word document and a DLL file, the latter of which is the Pikabot payload extracted straight from the email attachment.
As far as the payload itself, Pikabot won't attack a system if it detects the use of Russian or Ukrainian as its core language, suggesting that Water Curupira may be aligned with one or both of those countries.
Avoiding Pikabot Malware Compromise Trend Micro included a list of indicators of compromise in the post and advised that all users should maintain vigilance when receiving emails, employing best practices to avoid falling victim to phishing, which remains a key way that threat actors gain initial entry into corporate systems.
Those practices should include hovering over embedded links with the pointer to learn where the link leads, as well as checking the sender's identity, being sure to flag unfamiliar email addresses, mismatched email and sender names, and spoofed company emails as likely malicious.
If the email claims to come from a legitimate company, recipients should verify both the sender and the email content before downloading attachments or selecting embedded links.


This Cyber News was published on www.darkreading.com. Publication date: Wed, 10 Jan 2024 16:35:32 +0000


Cyber News related to Pikabot Malware Surfaces As Qakbot Replacement for Black Basta Attacks

More than $100 million in ransom paid to Black Basta gang over nearly 2 years - The Black Basta cybercrime gang has raked in at least $107 million in ransom payments since early 2022, according to research from blockchain security company Elliptic and Corvus Insurance. The group has infected more than 329 victim organizations ...
11 months ago Therecord.media
Pikabot Malware Surfaces As Qakbot Replacement for Black Basta Attacks - A threat actor associated with Black Basta ransomware attacks has been wielding a new loader similar to the notoriously hard-to-kill Qakbot, in a widespread phishing campaign aimed at gaining entry to organization networks for further malicious ...
10 months ago Darkreading.com
Water Curupira Hackers Launch Pikabot Malware Attack Windows - Pikabot is a loader malware that is active in spam campaigns and has been used by the threat group Water Curupira, which has been paused from June to September 2023 after Qakbot's takedown. The surge in Pikabot phishing campaigns was noted recently ...
10 months ago Gbhackers.com
Black Basta's ransom haul tops $100M in less than 2 years - The Black Basta ransomware gang has raked in more than $100 million from victims of its double-extortion attacks since its emergence early last year, according to researchers. The haul - which included grabbing $9 million from one victim and more ...
11 months ago Packetstormsecurity.com
Qbot malware returns in campaign targeting hospitality industry - The QakBot malware is once again being distributed in phishing campaigns after the botnet was disrupted by law enforcement over the summer. In August, a multinational law enforcement operation called Operation Duck Hunt accessed the QakBot admin's ...
11 months ago Bleepingcomputer.com
Black Basta Buster Utilizes Ransomware Flaw to Recover Files - Security research and consulting firm SRLabs exploited a vulnerability in the encryption algorithm of a specific strain of Black Basta ransomware to develop and release a decryptor tool named Black Basta Buster. This tool, released in response to the ...
10 months ago Heimdalsecurity.com
Black Basta ransomware made over $100 million from extortion - Russia-linked ransomware gang Black Basta has raked in at least $100 million in ransom payments from more than 90 victims since it first surfaced in April 2022, according to joint research from Corvus Insurance and Elliptic. Over 329 victims ...
11 months ago Bleepingcomputer.com
Black Basta Ransomware Group Makes $100m Since 2022 - A prolific Russian-speaking ransomware group has made over $100m from dozens of victims since April 2022, new analysis has revealed. Corvus Insurance used the Elliptic Investigator blockchain forensics tool to lift the lid on the Black Basta group. ...
11 months ago Infosecurity-magazine.com
New Black Basta decryptor exploits ransomware flaw to recover files - Researchers have created a decryptor that exploits a flaw in Black Basta ransomware, allowing victims to recover their files for free. The decryptor allows Black Basta victims from November 2022 to this month to potentially recover their files for ...
10 months ago Bleepingcomputer.com
Qakbot Sightings Confirm Law Enforcement Takedown Was Only a Setback - In recent days, several security vendors have reported seeing the malware being distributed via phishing emails that target organizations in the hospitality sector. For the moment, the email volumes appear to be relatively low. Given the tenacity ...
11 months ago Darkreading.com
SRLabs develops Black Basta ransomware decryptor - Researchers released a decryptor to help the numerous victims of one of 2023's most prolific double-extortion ransomware gangs, Black Basta, restore their compromised files for free. Black Basta is believed to have attacked well over 300 ...
10 months ago Packetstormsecurity.com
Learn How to Decrypt Black Basta Ransomware Attack Without Paying Ransom - Researchers have created a tool designed to exploit a vulnerability in the Black Basta ransomware, allowing victims to recover their files without succumbing to ransom demands. This decryption tool potentially provides a remedy for individuals who ...
10 months ago Cysecurity.news
'Black Basta Buster' Exploits Ransomware Bug for File Recovery - Researchers have exploited a weakness in a particular strain of the Black Basta ransomware to release a decryptor for the malware, but it doesn't recover all of the files encrypted by the prolific cybercriminal gang. Security research and consulting ...
10 months ago Darkreading.com
New Ransomware Threat Hits Hundreds of Organisations Worldwide - Until November 2023, this group with suspected ties to Russia has accumulated ransom payments totaling a minimum of $100 million from over 90 victims. In a recent joint report by the Cybersecurity and Infrastructure Security Agency and the Federal ...
6 months ago Cysecurity.news
New QakBot phishing campaign appears, months after FBI takedown - Months after an international law enforcement operation dismantled the notorious QakBot botnet, a new phishing campaign distributing the same malicious payload has been discovered. QakBot was one of the most deployed malware loaders in 2023 until an ...
11 months ago Packetstormsecurity.com
Qakbot returns: FBI-led takedown lasts just 3 months The Register - Multiple sources are confirming the resurgence of Qakbot malware mere months after the FBI and other law enforcement agencies shuttered the Windows botnet. Microsoft Threat Intelligence reckons a new Qakbot phishing campaign is active as of December ...
11 months ago Theregister.com
Microsoft Quick Assist Tool Abused for Ransomware Delivery - Cybercriminals who have been using the Black Basta ransomware have been observed abusing the remote management tool Quick Assist in vishing attacks, Microsoft reports. Active since 2022 and believed to have hit over 500 organizations globally, Black ...
6 months ago Packetstormsecurity.com
Windows Quick Assist abused in Black Basta ransomware attacks - Financially motivated cybercriminals abuse the Windows Quick Assist feature in social engineering attacks to deploy Black Basta ransomware payloads on victims' networks. Microsoft has been investigating this campaign since at least mid-April 2024, ...
6 months ago Bleepingcomputer.com
PikaBot Attacking Windows Machine via Malicious Search Ads - This nefarious stratagem has set its sights on businesses, executing a sophisticated dance that sidesteps conventional security fortifications. At the forefront of this digital onslaught is the insidious PikaBot, a malware variant that ingeniously ...
11 months ago Cybersecuritynews.com
Hyundai Motor Europe hit by Black Basta ransomware attack - Car maker Hyundai Motor Europe suffered a Black Basta ransomware attack, with the threat actors claiming to have stolen three terabytes of corporate data. BleepingComputer first learned of the attack in early January, but when we contacted Hyundai, ...
9 months ago Bleepingcomputer.com
Toronto Public Library outages caused by Black Basta ransomware attack - The Toronto Public Library is experiencing ongoing technical outages due to a Black Basta ransomware attack. The Toronto Public Library is Canada's largest public library system, giving access to 12 million books through 100 branch libraries across ...
11 months ago Bleepingcomputer.com
Microsoft fixes Windows zero-day exploited in QakBot malware attacks - Microsoft has fixed a zero-day vulnerability exploited in attacks to deliver QakBot and other malware payloads on vulnerable Windows systems. Tracked as CVE-2024-30051, this privilege escalation bug is caused by a heap-based buffer overflow in the ...
6 months ago Bleepingcomputer.com
Hackers Using Weaponized PDF Files to Deliver Qakbot Malware - Qakbot is a sophisticated banking trojan and malware that primarily targets financial institutions. This sophisticated malware steals sensitive information such as:-. Not only that, even Microsoft has found small-scale phishing targeting the ...
10 months ago Gbhackers.com
Black Basta ransomware Received Over $100 million from Victims - Black Basta, the fourth-most active ransomware strain with more than 329 victims, has reportedly made over $100 million in ransom payments. This ransomware has also been discovered to resemble the Conti ransomware group, which stopped its operations ...
11 months ago Cybersecuritynews.com
Qakbot returns in fresh assault on hospitality sector - The Qakbot botnet has been disrupted this summer, but cybercriminals are not ready to give up on the malware: Microsoft's threat analysts have spotted a new phishing campaign attempting to deliver it to targets in the hospitality industry. Qakbot, ...
11 months ago Helpnetsecurity.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)