1. Home
  2. Campaigns
  3. Water Curupira Pikabot Distribution

Water Curupira Pikabot Distribution

Pikabot was distributed in Water Curupira Pikabot Distribution throughout 2023 by an entity linked to BlackBasta ransomware deployment via email attachments. This activity followed the take-down of QakBot, with several technical overlaps and similarities with QakBot, indicating a possible connection. The identified activity led to the deployment of tools such as Cobalt Strike, while coinciding with campaigns delivering DarkGate and IcedID en route to ransomware deployment.[1]

ID: C0037
First Seen:  January 2023 [1]
Last Seen:  December 2023 [1]
Contributors: Inna Danilevich, U.S. Bank
Version: 1.0
Created: 17 July 2024
Last Modified: 28 October 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1140 反混淆/解码文件或信息

Water Curupira Pikabot Distribution used highly obfuscated JavaScript files as one initial installer for Pikabot.[1]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

Water Curupira Pikabot Distribution installation via JavaScript will launch follow-on commands via cmd.exe.[1]
.007 命令与脚本解释器: JavaScript

Water Curupira Pikabot Distribution initial delivery included obfuscated JavaScript objects stored in password-protected ZIP archives.[1]
Enterprise T1589 .002 收集受害者身份信息: Email Addresses

Water Curupira Pikabot Distribution utilizes thread spoofing of existing email threads in order to execute spear phishing operations.[1]
Enterprise T1204 用户执行

Water Curupira Pikabot Distribution requires users to interact with malicious attachments in order to start Pikabot installation.[1]
.001 Malicious Link

Water Curupira Pikabot Distribution distributed a PDF attachment containing a malicious link to a Pikabot installer.[1]
.002 Malicious File

Water Curupira Pikabot Distribution delivered Pikabot installers as password-protected ZIP files containing heavily obfuscated JavaScript, or IMG files containing an LNK mimicking a Word document and a malicious DLL.[1]
Enterprise T1218 .011 系统二进制代理执行: Rundll32

Water Curupira Pikabot Distribution utilizes rundll32.exe to execute the final Pikabot payload, using the named exports Crash or Limit depending on the variant.[1]
Enterprise T1105 输入工具传输

Water Curupira Pikabot Distribution used Curl.exe to download the Pikabot payload from an external server, saving the file to the victim machine's temporary directory.[1]
Enterprise T1566 .001 钓鱼: Spearphishing Attachment

Water Curupira Pikabot Distribution attached password-protected ZIP archives to deliver Pikabot installers.[1]

Software

ID Name Description
S1111 DarkGate

Water Curupira Pikabot Distribution activity included distribution of DarkGate en route to ransomware execution.[1]
S0483 IcedID

Water Curupira Pikabot Distribution included distribution of IcedID en route to ransomware deployment.[1]
S1145 Pikabot

Water Curupira Pikabot Distribution distributed Pikabot as an initial access mechanism.[1]

References

  1. Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024.