Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign [Wednesday, January 10, 2024]

Report


Description:
Pikabot is a loader malware that was actively used in spam campaigns by a threat actor we track as the intrusion set Water Curupira during the first quarter of 2023, followed by a pause that began at the end of June and lasted until the start of September 2023. Other researchers have previously noted its strong similarities to Qakbot, which was taken down by law enforcement in August 2023. An increase in the number of Pikabot-related phishing campaigns was recorded in the last quarter of 2023, coinciding with the Qakbot takedown; this hints at the possibility that Pikabot is serving as a replacement for Qakbot (with DarkGate being another temporary replacement in the wake of the takedown).

Published: 2024-01-10 09:37:57
Created: 2024-01-10 09:37:57
Modified: 2024-01-10 09:54:36

Indicators

IPv4s:
URLs:
Domains:
Hashes:

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports
