January 11, 2024
Severity
High
Analysis Summary
Spam campaigns run by a threat actor tracked as Water Curupira have been observed actively spreading the PikaBot loader malware. The activity began at the start of 2023, paused at the end of June, and resumed in September.
PikaBot's operators ran phishing campaigns that delivered the malware's two main components: a loader and a core module. Together these enable unauthorized remote access and execute arbitrary commands over a connection to the operators' C2 server. The activity overlaps with earlier campaigns that used similar tactics to propagate QakBot, and the takedown of QakBot is widely believed to be what drove the increase in PikaBot-related phishing campaigns.
PikaBot's main purpose is to act as a loader that launches a further payload, such as Cobalt Strike, a legitimate post-exploitation toolkit that in these campaigns serves as the precursor to ransomware deployment. Researchers note that the attack chain begins with email thread hijacking, in which existing email threads are used to trick victims into opening malicious attachments or links, which triggers the malware execution stage.
The attached ZIP archive contains an IMG file or JavaScript and serves as the launchpad for PikaBot. The malware checks the system language and stops executing if it is Ukrainian or Russian. It then harvests information about the compromised system and sends it to the C2 server in JSON format.
The goal of Water Curupira's campaigns is to drop Cobalt Strike, ultimately leading to deployment of the Black Basta ransomware. The threat actor was observed in several DarkGate spam campaigns and some IcedID campaigns at the start of the third quarter of 2023, but has since been using PikaBot exclusively.
Impact
- Unauthorized Access
- Information Theft
Indicators of Compromise
MD5
- 1b8361e2f1b058a9791047dce0df57c4
- a2090749675827cd029c5564ee9816b1
- dcd03d771e347e34ccde8e5be5bdda78
- 8a69cbede14352596b97d5dd57dbeed6
- 7c3773311edb63631225bb03ff318714
- bcd23166402f089f7e82853b0300a7ca
- dbd149a8381ab23536202fd6ff06ed85
- 905cab370e0422d96da8aa51b023b4be
- 5ea07b4293ad10317cb27ca2de5f68b4
- 1e26ae07589794225c37134a7cd9d3fd
- 6f206f8bd2edf6127c665728ca66d77d
- 83a2653afd8537c46ea7e5256532d305
- fb2729cb59a5bc0420425ea693d26190
- 527774acc9e68d3274e0806873b5c88d
SHA-256
- 4c267d4f7155d7f0686d1ac2ea861eaa926fd41a9d71e8f6952caf24492b376b
- fbd63777f81cebd7a9f2f1c7f2a8982499fe4d18b9f4aa4e7ed589ceefac47de
- 6f9b2fdac415c7eb7fcc31c5ff9aac7e6347ddf4747985b7bac4f76a6f9da193
- 3b13380f7dfd615707887f3e8904f432aacdbb111822dd596a44366cb5526624
- 1dd66462bd11d65247fff82ae81358c9e1b5e1024a953478b8a5de8f5fc5443a
- 07279c93f0532a4f5bc4617ab3cb30b7c336f71f587e934a5a0e35ce88fbf632
- 2dad1218d4950ba3a84cfce17af2d8d4ece92f623338d49b357ec9d973ecf8a8
- 1a12028a0e0ecc32160e5372a45d95e3045421906f2c807b7c4c8f4a85d47469
- 7094f89bf955dfbdcc4de8943af2328aa7475c2fb6af305c76a6df73aff8b1c3
- 2c49ff53d0cf0ea36f34148598b8eacca12a1a654bfc09c4e00d6b60a8ad57fe
- 8514b9d2fe185989d996a2669788910405af5e8fd7102ab3decdd4d727af35df
- 79b1ac4dc5cae6d03548c2ab570e98f9cfb7e4da24480ce3d513b1abdd13bf21
- 7e85b9d1d09301d8b3f48df44159347d89cb3c798d0436b5e9b060df4072b8c7
- 46e0fe3a942bb1f9aa9cd1b460ca7efa9acddb3c5b2d2bc3b42a87d8463f1c66
SHA-1
- 3cd3750507971e8f9eef55249e5b2646855652c6
- 66153c61804457797a5dcbb62cf413109ce21cac
- 6d0f9be4ca3d1262fde3c6e185753cb41858f5de
- 457acffaed6586e5e391f6d74238808a5a718649
- dbf14b1eee8908137c75fc41f53fa7f2713f936d
- 21cf7b20454f18a6b676620d626c0c5358d11683
- dffd520c04bf2b1f87aef81e1514267a733c24d1
- 3f380fd41bbd1118e4452532487ed3d2c5cf1c7c
- 82cefca402664fc2b7fec7565d77af0a650da2e8
- b20ad80d950b0954c17e8cc2cd0a1925edf0e6e6
- fbddcd3b38f2658f38bf3c28773ecc79692f63a0
- 43ce1d0a7189994c253c3d0004f383d0d15fcd78
- a94c4cb94baa8985a38202e8d654119dbaf1580a
- 8abe153f385a93bd0ff5097297455d36be2fca10
URL
- https://sindicaturadetecate.gob.mx/pe/?IDbHJCMofpEIzDQjrcwNcDqHoiQRnSKZQcA
- https://lsn.edu.dz/pqis/?aWDzZBatBsyv
- http://188.34.192.184/76DKN6/Wheez
- https://brouweres.com/vvs49/0.6515179055030298.dat
- https://brouweres.com/vvs49/0.8450027286577588.dat
- https://brouweres.com/vvs49/0.15313287608559223.dat
- https://brouweres.com/vvs49/0.9900618798908114.dat
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IoCs) listed above in your environment using your respective security controls (EDR, proxy, DNS and mail logs).
- Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Patch and upgrade any platforms and software on time and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
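The IoC search recommended above can be scripted. The following is an added example, not part of the Rewterz advisory: it loads a subset of the MD5, SHA-1, SHA-256 and URL indicators from the lists above (the remaining entries are added to the sets the same way) and scans plain-text log lines for them. Hash candidates are matched case-insensitively against the list of the matching length; URLs are matched exactly, and a hit on only the hostname is reported separately as lower confidence, since some of the listed hosts appear to be legitimate domains abused to stage the payload. The log lines are constructed sample input in the shape of EDR and proxy events, not real telemetry.

```python
import re
from urllib.parse import urlsplit

# Subset of the indicators listed in this advisory (MD5, SHA-1, SHA-256, URL).
# The remaining entries from the lists above are added to these sets the same way.
MD5_IOCS = {
    "1b8361e2f1b058a9791047dce0df57c4",
    "a2090749675827cd029c5564ee9816b1",
    "dcd03d771e347e34ccde8e5be5bdda78",
}
SHA1_IOCS = {
    "3cd3750507971e8f9eef55249e5b2646855652c6",
    "66153c61804457797a5dcbb62cf413109ce21cac",
}
SHA256_IOCS = {
    "4c267d4f7155d7f0686d1ac2ea861eaa926fd41a9d71e8f6952caf24492b376b",
    "fbd63777f81cebd7a9f2f1c7f2a8982499fe4d18b9f4aa4e7ed589ceefac47de",
}
URL_IOCS = {
    "http://188.34.192.184/76DKN6/Wheez",
    "https://brouweres.com/vvs49/0.6515179055030298.dat",
    "https://lsn.edu.dz/pqis/?aWDzZBatBsyv",
}
# Hosts derived from URL_IOCS. A host-only hit is lower confidence: some of these
# are legitimate domains that were abused to host a payload.
URL_HOSTS = {urlsplit(u).hostname for u in URL_IOCS}

# The length of a hex token decides which indicator list it is compared against.
HASH_SETS = {32: ("md5", MD5_IOCS), 40: ("sha1", SHA1_IOCS), 64: ("sha256", SHA256_IOCS)}

HEX_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32,64}(?![0-9a-fA-F])")
URL_RE = re.compile(r"https?://[^\s\"'<>,;]+")


def match_hash(token):
    """Return (kind, value) if token is a listed hash (case-insensitive), else None."""
    value = token.lower()
    entry = HASH_SETS.get(len(value))
    if entry is None:
        return None
    kind, known = entry
    return (kind, value) if value in known else None


def match_url(url):
    """Exact URL match is high confidence; a host-only match is reported as 'url_host'."""
    cleaned = url.rstrip(".)")
    if cleaned in URL_IOCS:
        return ("url", cleaned)
    host = urlsplit(cleaned).hostname
    if host in URL_HOSTS:
        return ("url_host", host)
    return None


def scan_log_lines(lines):
    """Scan text log lines; return (line_number, kind, value) for every IoC hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for token in HEX_RE.findall(line):
            m = match_hash(token)
            if m:
                hits.append((n, *m))
        for url in URL_RE.findall(line):
            m = match_url(url)
            if m:
                hits.append((n, *m))
    return hits


# Constructed sample lines in the shape of EDR and proxy events; not real telemetry.
SAMPLE_LOG = [
    "2024-01-11T09:14:02Z host=WS-042 event=file_create path=C:\\Users\\a\\Downloads\\Invoice.js md5=1B8361E2F1B058A9791047DCE0DF57C4",
    "2024-01-11T09:14:30Z host=WS-042 event=http_get url=http://188.34.192.184/76DKN6/Wheez status=200",
    "2024-01-11T09:15:01Z host=WS-042 event=http_get url=https://brouweres.com/vvs49/0.1111111111111111.dat status=404",
    "2024-01-11T09:16:10Z host=WS-077 event=http_get url=https://example.com/index.html status=200",
    "2024-01-11T09:17:44Z host=WS-077 event=file_create path=C:\\Temp\\setup.exe sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for n, kind, value in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {kind} indicator matched: {value}")
```

Run against the constructed sample, the scanner reports the MD5 hit on line 1, the exact URL hit on line 2 and a host-only hit for brouweres.com on line 3; the unlisted SHA-256 on line 5 is ignored. Feeding real exports from an EDR, proxy or mail gateway through scan_log_lines gives the same triage: exact hash and URL hits warrant isolation and investigation, host-only hits warrant a look at the full URL and the file that was fetched.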