A threat actor called Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023.
"PikaBot's operators ran phishing campaigns, targeting victims via its two components — a loader and a core module — which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C&C) server," Trend Micro said in a report published today.
The activity began in the first quarter of 2023 and lasted until the end of June, before ramping up again in September. It also overlaps with prior campaigns that have used similar tactics to deliver QakBot, specifically those orchestrated by the cybercrime groups known as TA571 and TA577.
It's believed that the increase in the number of phishing campaigns related to PikaBot is the result of QakBot's takedown in August, with DarkGate emerging as another replacement.
PikaBot is primarily a loader, which means it's designed to launch another payload, including Cobalt Strike, a legitimate post-exploitation toolkit that typically acts as a precursor for ransomware deployment.
The attack chains leverage a technique called email thread hijacking, employing existing email threads to trick recipients into opening malicious links or attachments, effectively activating the malware execution sequence.
The ZIP archive attachments, which either contain JavaScript or IMG files, are used as a launchpad for PikaBot. The malware, for its part, checks the system's language and halts execution should it be either Russian or Ukrainian.
In the next step, it collects details about the victim's system and forwards them to a C&C server in JSON format. Water Curupira's campaigns serve the purpose of dropping Cobalt Strike, which subsequently leads to the deployment of Black Basta ransomware.
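A defender-side triage check for the delivery pattern described above (ZIP attachments that carry JavaScript or IMG files as the PikaBot launchpad), written as an added example that is not from Trend Micro's report or this article; the extension list, function names and sample archives are constructed for illustration:

```python
import io
import zipfile

# Member extensions matching the delivery pattern the report describes:
# JavaScript files and IMG disk images inside a ZIP attachment (constructed list).
SUSPICIOUS_EXTS = (".js", ".jse", ".img")


def suspicious_members(zip_bytes, depth=0, max_depth=2):
    """Return names of ZIP members with a script or disk-image extension,
    descending into nested ZIP archives up to max_depth levels."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                name = info.filename
                lower = name.lower()
                if lower.endswith(SUSPICIOUS_EXTS):
                    hits.append(name)
                elif lower.endswith(".zip") and depth < max_depth:
                    inner = suspicious_members(zf.read(info), depth + 1, max_depth)
                    hits.extend(f"{name}/{m}" for m in inner)
    except zipfile.BadZipFile:
        return []  # not a parseable archive: nothing to flag here
    return hits


def triage_attachment(filename, data):
    """Flag one email attachment when it is a ZIP carrying JS or IMG members."""
    if not filename.lower().endswith(".zip"):
        return {"attachment": filename, "flag": False, "members": []}
    hits = suspicious_members(data)
    return {"attachment": filename, "flag": bool(hits), "members": hits}


def build_sample_zip(members):
    """Constructed sample archive (name -> bytes) for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample_zip({"Invoice_Q3.pdf": b"%PDF-1.4 placeholder"})
    lure = build_sample_zip({"Document_1234.js": b"// placeholder script body"})
    print(triage_attachment("invoice.zip", benign))
    print(triage_attachment("re_invoice.zip", lure))
```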
"The threat actor also conducted several DarkGate spam campaigns and a small number of IcedID campaigns during the early weeks of the third quarter of 2023, but has since pivoted exclusively to PikaBot," Trend Micro said.
Update
When reached for comment, Proofpoint told The Hacker News that Water Curupira overlaps with activity it tracks under the name TA577.
"TA577 is one of the most sophisticated e-crime threat actors [...] and historically was one of the main distributors of QBot malware," Selena Larson, senior threat intelligence analyst at Proofpoint, said.
"After the QBot disruption announced in August, TA577 was inactive for slightly longer than its normal summer break, but then returned to the threat landscape at the end of September to conduct high-volume campaigns delivering a mix of DarkGate and PikaBot before appearing to settle on PikaBot as its preferred payload. We have not observed TA571 delivering PikaBot."