Water Curupira uses PikaBot malware to deploy ransomware

Experts attribute the activity to the takedown of QakBot in August.

Trend Micro has recorded active distribution of the PikaBot malware by the Water Curupira group. Operations began in the first quarter of 2023 and continued until the end of June, before resuming in September.

PikaBot, used in phishing campaigns, consists of two components: a loader and a core module. This split gives the operators unauthorized remote access and the ability to execute arbitrary commands through a connection to the command-and-control (C2) server, with a lower risk of detection.

The activity of the Water Curupira group overlaps with earlier campaigns that used similar tactics to deliver QakBot, attributed to the TA571 and TA577 groups. The surge in PikaBot activity is linked to the takedown of QakBot in August, as well as to the emergence of the DarkGate malware.

PikaBot acts primarily as a loader: it runs other malicious payloads, including the post-exploitation framework Cobalt Strike, which is often deployed before ransomware is dropped.

PikaBot's distribution tactics are painfully simple and familiar: the attackers send malicious email attachments, and downloading and opening them infects the computer with the malware.

Notably, before the infection chain starts, the loader checks the language of the Windows installation and aborts if it detects Russian or Ukrainian. This hints at the possible origin of the Water Curupira group.

If the host passes that check, PikaBot collects detailed information about the victim's system and sends it to the C2 server in JSON format. The goal of Water Curupira's campaigns is to deploy Cobalt Strike, which often leads to the subsequent deployment of the Black Basta ransomware.

In addition, Trend Micro notes that Water Curupira ran several DarkGate campaigns and a small number of IcedID campaigns at the start of the third quarter of 2023, after which the group switched entirely to PikaBot.
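The locale kill switch mentioned above (abort if the Windows language is Russian or Ukrainian) is a common loader behaviour, and it is worth seeing how such a check actually decides. The following is an added example, not PikaBot's code and not from the Trend Micro report: it models the check on Windows LANGID values and BCP-47 tags so it runs on any platform. The LANG_RUSSIAN (0x19) and LANG_UKRAINIAN (0x22) constants and the PRIMARYLANGID masking are the real winnt.h definitions; which Windows API PikaBot queries (UI language, system locale, installed keyboard layouts) is not stated in the article, so the `host_check` function that also inspects keyboard layouts is an assumption about how such loaders typically behave.

```python
"""Model of a locale-based kill switch (added example, not PikaBot's own code)."""
from __future__ import annotations

# Primary language identifiers from winnt.h. A 16-bit Windows LANGID packs a
# 6-bit sublanguage in the high bits and a 10-bit primary language in the low bits,
# e.g. 0x0419 = ru-RU, 0x0819 = ru-MD, 0x0422 = uk-UA, 0x0409 = en-US.
LANG_RUSSIAN = 0x19
LANG_UKRAINIAN = 0x22
BLOCKED_PRIMARY_LANGS = {LANG_RUSSIAN, LANG_UKRAINIAN}
BLOCKED_BCP47_PRIMARY = {"ru", "uk"}  # primary subtags of ru-RU, uk-UA, ...


def primary_langid(langid: int) -> int:
    """Equivalent of the PRIMARYLANGID macro: low 10 bits of the LANGID."""
    return langid & 0x3FF


def sublangid(langid: int) -> int:
    """Equivalent of the SUBLANGID macro: next 6 bits of the LANGID."""
    return (langid >> 10) & 0x3F


def langid_blocked(langid: int) -> bool:
    """Matching on the primary language means ru-MD (0x0819) triggers as well as ru-RU."""
    return primary_langid(langid) in BLOCKED_PRIMARY_LANGS


def tag_blocked(tag: str) -> bool:
    """Same decision for a BCP-47 tag such as 'uk-UA' or 'ru': compare the primary subtag only."""
    primary = tag.strip().lower().split("-", 1)[0]
    return primary in BLOCKED_BCP47_PRIMARY


def host_check(ui_langid: int, keyboard_langids: list[int]) -> tuple[bool, str]:
    """Return (abort, reason) for a host.

    ASSUMPTION: the article only says the loader checks the Windows language; checking
    the UI language first and then every installed keyboard layout is how such kill
    switches are commonly implemented (GetUserDefaultUILanguage / GetKeyboardLayoutList),
    not a documented PikaBot detail.
    """
    if langid_blocked(ui_langid):
        return True, f"ui language 0x{ui_langid:04X} is blocked"
    for kl in keyboard_langids:
        if langid_blocked(kl):
            return True, f"keyboard layout 0x{kl:04X} is blocked"
    return False, "no blocked locale found"


if __name__ == "__main__":
    # Constructed sample hosts, not real telemetry.
    samples = {
        "en-US box, US keyboard only": (0x0409, [0x0409]),
        "en-US box with a Ukrainian layout added": (0x0409, [0x0409, 0x0422]),
        "ru-MD box": (0x0819, [0x0819]),
    }
    for name, (ui, layouts) in samples.items():
        abort, reason = host_check(ui, layouts)
        print(f"{name}: abort={abort} ({reason})")
```

The second sample shows why the primary-language masking matters to a defender: the decision is made on the language family, not on a specific locale, so any Russian or Ukrainian entry among the checked values stops the loader on an otherwise English-language host.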