Tuesday, July 23, 2024

Water Curupira Hackers Launch Pikabot Malware Attack on Windows Machine

Pikabot is a loader malware that is active in spam campaigns and has been used by the threat group Water Curupira, which has been paused from June to September 2023 after Qakbot’s takedown. 

However, the surge in Pikabot phishing campaigns was noted recently in Q4 2023, post-Qakbot’s takedown, suggesting it is a potential replacement.

Recently, the cybersecurity researchers at Trend Micro discovered that Water Curupira hackers have been actively launching Pikabot Malware attacks on Windows machines.

Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Water Curupira Hackers Pikabot Malware

The phishing operations of Pikabot deploy the following two key things for unauthorized remote access:-

  • Loader
  • Core module

Water Curupira, which is known for Cobalt Strike backdoors, has shifted exclusively to Pikabot post-DarkGate and IcedID campaigns in Q3 2023. 

The Pikabot malware gains initial access via spam emails, mirroring Qakbot’s behavior.

Infection chain
Infection chain (Source – Trend Micro)

Threat actors use thread-hijacking in emails to mimic legitimate threads for deception. They craft messages with original content in which they urge recipients to open the following types of attachments, with varying file names and passwords:-

  • Password-protected ZIP
  • Password-protected PDF 

All the emails appear authentic, increasing the likelihood of victims interacting with malicious links or attachments.

The attached archive holds an obfuscated JS file that is more than 100 KB in size, when executed it attempts conditional commands via cmd.exe. 

If it is unsuccessful, the script echoes, pings, and downloads the Pikabot payload using Curl.exe. Another chain deploys password-protected archives with an IMG file that executes the LNK file, which triggers the rundll32.exe to run Pikabot DLL. 

The PDF-based attack in Q4 2023 tricks victims with OneDrive disguise, delivering malicious JS files. The latter variant employs array manipulation and obfuscation for Pikabot payload retrieval using the following things:-

  • Multiple URLs
  • Dynamic directory creation
Malicious PDF file disguised to look like a OneDrive attachment
Malicious PDF file disguised to look like a OneDrive attachment (Source – Trend Micro)

Security analysis of the DLL file reveals a 32-bit sample with 1515 exports. The ‘Limit’ export decrypts and executes shellcode, which checks for debugging with Windows API calls. 

The shellcode decrypts another DLL for anti-analysis routines and loads encrypted PNG images containing the core module. The Pikabot injects the core module into a suspended process using indirect system calls and resolves necessary APIs through hash values after decryption. 

While the runtime decryption of strings and language checks are performed before execution stops for specific system languages like:-

  • Russian (Russia)
  • Ukrainian (Ukraine)

Here below, we have mentioned all the processes created by the malware to gather additional information:-

  • whoami.exe /all
  • ipconfig.exe /all
  • netstat.exe -aon

Water Curupira shifts to Pikabot by dropping backdoors like Cobalt Strike, which is linked to Black Basta ransomware. 

The clusters of Cobalt Strike beacons and more than 70 C&C domains that are observed in campaigns by this threat actor show the association with dangerous ransomware, Black Basta.


Here below we have mentioned all the recommendations:-

  • Make sure to hover over links to check their destination.
  • Always verify the sender’s identity.
  • Confirm the legitimacy of emails from known companies before opening attachments.
  • Always keep the OS and software updated with the latest updates or patches.
  • Back up crucial data regularly to an external and secure location.


IoCs (Source - Trend Micro)
IoCs (Source – Trend Micro)
IoCs-1 (Source - Trend Micro)
IoCs-1 (Source – Trend Micro)
IoCs-2 (Source – Trend Micro)
IoCs-3 (Source - Trend Micro)
IoCs-3 (Source – Trend Micro)

Try Kelltron’s cost-effective for free to assess and evaluate the security posture of digital systems


Latest articles

Beware Of Dating Apps Exposing Your Personal And Location Details To Cyber Criminals

Threat actors often attack dating apps to steal personal data, including sensitive data and...

Hackers Abusing Google Cloud For Phishing

Threat actors often attack cloud services for several illicit purposes. Google Cloud is targeted...

Two Russian Nationals Charged for Cyber Attacks against U.S. Critical Infrastructure

The United States has designated Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, two members...

Threat Actors Taking Advantage of CrowdStrike BSOD Bug to Deliver Malware

Threat actors have been found exploiting a recently discovered bug in CrowdStrike's software that...

NCA Shut’s Down the Most Popular “digitalstress” DDoS-for-hire Service

The National Crime Agency (NCA) has successfully infiltrated and dismantled one of the most...

Play Ransomware’s Linux Variant Attacking VMware ESXi Servers

A new Linux variant of Play ransomware targets VMware ESXi environments, which encrypts virtual...

SonicOS IPSec VPN Vulnerability Let Attackers Cause Dos Condition

SonicWall has disclosed a critical heap-based buffer overflow vulnerability in its SonicOS IPSec VPN....
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles