A threat actor tracked as Water Curupira was observed actively distributing the PikaBot malware loader as part of several spam campaigns in 2023.
What damage does the PikaBot malware loader do?
“PikaBot operators conducted phishing campaigns, targeting victims through its two components: a loader and a main module, which allowed unauthorized remote access and allowed the execution of arbitrary commands across a connection established with their command and control (C&C) server,” Trend Micro declared in a report released today.
The activity began in the first quarter of 2023 and lasted until the end of June, before intensifying again in September; the campaign also overlaps with earlier campaigns that used similar tactics to deploy QakBot, in particular those orchestrated by two cybercriminal groups tracked as TA571 and TA577.
The rise in PikaBot-related phishing campaigns is believed to be a consequence of the QakBot takedown in August, with DarkGate emerging as its replacement.
PikaBot is primarily a loader: it is designed to launch a further payload, including Cobalt Strike, a legitimate post-exploitation toolkit that typically serves as a precursor to ransomware deployment.
Attack chains rely on a technique known as “email thread hijacking”: existing email conversations are reused to trick recipients into opening malicious links or attachments, which triggers the malware's execution sequence.
ZIP archive attachments containing JavaScript or IMG files serve as the launch pad for PikaBot; the malware then checks the system language and halts execution if it is Russian or Ukrainian.
In the next step, it collects details about the victim's system and sends them to a C&C server in JSON format. Water Curupira's campaigns aim to deliver Cobalt Strike, which in turn leads to the deployment of the Black Basta ransomware.
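The delivery stage described above (a ZIP attachment carrying a JavaScript or IMG file) is the point where a mail gateway or endpoint tool can intervene before anything executes. The following is an added example, not code from the article or from Trend Micro: a small Python check that opens an attachment archive in memory and flags members whose extension matches the file types the campaign used. The extension list beyond `.js` and `.img` is my own assumption about what a defender would also want to catch, and the sample archive is constructed inline.

```python
import io
import zipfile

# The article names JavaScript and IMG files inside ZIP attachments as the
# PikaBot launch pad. The remaining entries are my assumption: other script
# and disk-image types commonly abused the same way, plus nested archives.
RISKY_EXTENSIONS = {".js", ".jse", ".img", ".iso", ".vbs", ".wsf", ".lnk", ".zip"}


def risky_members(zip_bytes: bytes) -> list:
    """Return the names of archive members with a risky extension.

    The check uses the last suffix only and lower-cases it, so a
    double-extension lure such as "Invoice.pdf.js" is still caught.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            dot = name.rfind(".")
            ext = name[dot:].lower() if dot != -1 else ""
            if ext in RISKY_EXTENSIONS:
                flagged.append(name)
    return flagged


def should_quarantine(zip_bytes: bytes) -> bool:
    """Policy decision: hold the message if any member is risky."""
    return bool(risky_members(zip_bytes))


def build_sample_zip(members: dict) -> bytes:
    """Build a constructed test archive from {member_name: content_bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample resembling a thread-hijacking lure; the contents are
    # placeholders, not real malware.
    sample = build_sample_zip({
        "Re_ Invoice 4411.js": b"// constructed placeholder\n",
        "notes.txt": b"plain text, harmless",
        "disk.img": b"\x00" * 16,
    })
    print("flagged:", risky_members(sample))
    print("quarantine:", should_quarantine(sample))
```

In a real gateway this check would sit alongside, not replace, antivirus scanning: it is cheap, needs no signatures, and catches the delivery pattern rather than a specific PikaBot build, but it will also flag legitimate archives that happen to carry scripts, so pair it with sender verification rather than outright blocking.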
“The cybercriminal group also conducted several DarkGate spam campaigns and a limited number of IcedID campaigns in the first weeks of the third quarter of 2023, but then dedicated itself exclusively to PikaBot,” Trend Micro said.
Advice on how to avoid or possibly remove this malware
To avoid and remove PikaBot malware and protect your system, you can follow these tips.
To avoid infection:
- Keep your software updated: make sure the latest security patches and updates are installed for your operating system, browser and any other software you use.
- Be careful with attachments and links: do not open attachments or click links in suspicious emails or from unknown senders; always verify authenticity before taking action.
- Use a robust antivirus and antimalware solution: install a good antivirus and antimalware program and keep it updated regularly. Note that Malwarebytes, even in its free version, can also scan compressed folders (such as ZIP or RAR); since this malware is delivered inside archives, that makes it particularly well suited.
- User education: provide cybersecurity training so that users learn to recognize phishing emails and suspicious behavior online.
- Firewalls and web filters: set up a firewall and use web filters to block access to malicious websites.
To remove the infection:
- Full virus scan: use updated antivirus software (Malwarebytes, already mentioned) to run a full scan of your system for malware and remove any detected threats.
- Specific malware removal tools: some security companies offer removal tools for particular malware; check whether Trend Micro or other companies provide a dedicated tool for PikaBot.
- Disconnect from the Internet: if you suspect an infection, disconnect from the Internet immediately to limit further damage and cut off communication with the C&C server.
- Restore from a backup: if possible, restore your system from a clean backup made before the infection.
- Request professional assistance: if you do not feel confident handling the situation on your own, contact a cybersecurity professional or your antivirus provider's technical support.
Remember that prevention is essential: maintain good cybersecurity practices and stay alert to security advisories.