Water Curupira Pikabot Distribution
Pikabot was distributed in Water Curupira Pikabot Distribution throughout 2023 by an entity linked to BlackBasta ransomware deployment via email attachments. This activity followed the take-down of QakBot, with several technical overlaps and similarities with QakBot, indicating a possible connection. The identified activity led to the deployment of tools such as Cobalt Strike, while coinciding with campaigns delivering DarkGate and IcedID en route to ransomware deployment.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Water Curupira Pikabot Distribution installation via JavaScript will launch follow-on commands via cmd.exe.[1] |
| .007 | Command and Scripting Interpreter: JavaScript |
Water Curupira Pikabot Distribution initial delivery included obfuscated JavaScript objects stored in password-protected ZIP archives.[1] |
||
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Water Curupira Pikabot Distribution used highly obfuscated JavaScript files as one initial installer for Pikabot.[1] |
|
| Enterprise | T1589 | .002 | Gather Victim Identity Information: Email Addresses |
Water Curupira Pikabot Distribution utilizes thread spoofing of existing email threads in order to execute spear phishing operations.[1] |
| Enterprise | T1105 | Ingress Tool Transfer |
Water Curupira Pikabot Distribution used Curl.exe to download the Pikabot payload from an external server, saving the file to the victim machine's temporary directory.[1] |
|
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Water Curupira Pikabot Distribution attached password-protected ZIP archives to deliver Pikabot installers.[1] |
| Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
Water Curupira Pikabot Distribution utilizes rundll32.exe to execute the final Pikabot payload, using the named exports |
| Enterprise | T1204 | User Execution |
Water Curupira Pikabot Distribution requires users to interact with malicious attachments in order to start Pikabot installation.[1] |
|
| .001 | Malicious Link |
Water Curupira Pikabot Distribution distributed a PDF attachment containing a malicious link to a Pikabot installer.[1] |
||
| .002 | Malicious File |
Water Curupira Pikabot Distribution delivered Pikabot installers as password-protected ZIP files containing heavily obfuscated JavaScript, or IMG files containing an LNK mimicking a Word document and a malicious DLL.[1] |
||
Software
| ID | Name | Description |
|---|---|---|
| S1111 | DarkGate |
Water Curupira Pikabot Distribution activity included distribution of DarkGate en route to ransomware execution.[1] |
| S0483 | IcedID |
Water Curupira Pikabot Distribution included distribution of IcedID en route to ransomware deployment.[1] |
| S1145 | Pikabot |
Water Curupira Pikabot Distribution distributed Pikabot as an initial access mechanism.[1] |