Multiple government organizations are being targeted by the PureCrypter malware downloader, which in turn downloads ransomware and information stealers and collects sensitive information from the compromised organizations. Researchers have observed a large threat campaign distributed via Discord.
In this post we discuss in detail what PureCrypter malware is and how it works.
What is PureCrypter Malware? How Does PureCrypter Malware Work?
PureCrypter malware has been around since 2021 and is developed by an actor using the moniker “PureCoder.” It offers multiple features, including persistence, fake messages, a choice of injection types, etc.
PureCrypter campaigns use compromised websites of non-profit organizations as command-and-control infrastructure to deliver the secondary payload. The PureCrypter campaign deploys several types of malware, including AgentTesla, Redline Stealer, Arkei, Eternity, Blackmoon, AsyncRAT, etc.
The attack chain is as follows:
According to the investigation by Menlo researchers, Agent Tesla established an FTP connection to a server where the stolen victim credentials were stored. Agent Tesla is a well-known .NET malware family that has been used in the wild for more than 8 years. The secondary payload was found as a password-protected file on a compromised non-profit website whose credentials had been found online.
Similar secondary malware files were also observed in phishing emails. The FTP server was also found to be part of a campaign involving OneNote.
In the recent campaign, the payload was hosted on Discord, and a URL pointing to a password-protected ZIP archive containing a PureCrypter sample was sent via email.
Steps taken by the attacker to deliver the payload are:
- A Discord URL pointing to the payload was sent via email.
- The ZIP file contains a .NET loader that carries the PureCrypter sample.
- The loader downloads the secondary payload from a compromised website.
- The secondary payload observed by the researchers in this scenario was Agent Tesla, which was communicating with an FTP server hosted in Pakistan.
- The downloaded binary evades initial detection by encrypting its payload with the DES algorithm.
- Agent Tesla uses process hollowing to inject the payload into cvtres.exe. Process hollowing is a method of executing arbitrary code in the address space of a separate live process [MITRE].
- Agent Tesla encrypts its config file using the XOR algorithm. When the file was decrypted, it revealed the C2 details of the FTP server where the stolen victim data is stored.
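As an added example that is not part of the original post, the following detection logic checks for the two observable side effects of the cvtres.exe process hollowing described above: cvtres.exe spawned by an unexpected parent, and cvtres.exe opening a network connection (it is a resource converter and has no reason to do so). The events are constructed in Sysmon field style, and the expected-parent allowlist and file paths are assumptions.

```python
"""Flag cvtres.exe process-hollowing indicators in constructed Sysmon-style events."""

# Constructed sample events (not from the original post): one benign compile step,
# one cvtres.exe started by a loader in %TEMP%, one FTP connection from that process,
# and one FTP connection from an unrelated client that must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", "ProcessId": 4102},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\loader.exe", "ProcessId": 5230},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "ProcessId": 5230, "DestinationIp": "203.0.113.10", "DestinationPort": 21},
    {"EventID": 3, "Image": r"C:\Program Files\FileZilla\filezilla.exe",
     "ProcessId": 777, "DestinationIp": "203.0.113.20", "DestinationPort": 21},
]

# Assumed allowlist: cvtres.exe is a .NET SDK helper normally launched by the compilers or MSBuild.
EXPECTED_PARENTS = {"csc.exe", "vbc.exe", "msbuild.exe", "devenv.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_cvtres_hollowing(events):
    """Return a list of (ProcessId, reason) findings for suspicious cvtres.exe activity.

    Sysmon EventID 1 is process creation, EventID 3 is a network connection.
    """
    findings = []
    for ev in events:
        if basename(ev["Image"]) != "cvtres.exe":
            continue
        if ev["EventID"] == 1 and basename(ev["ParentImage"]) not in EXPECTED_PARENTS:
            findings.append((ev["ProcessId"], f"unexpected parent {basename(ev['ParentImage'])}"))
        elif ev["EventID"] == 3:
            # A hollowed cvtres.exe talking to an FTP server is the exfiltration stage described above.
            findings.append((ev["ProcessId"],
                             f"network connection to {ev['DestinationIp']}:{ev['DestinationPort']}"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect_cvtres_hollowing(SAMPLE_EVENTS):
        print(f"PID {pid}: {reason}")
```

Correlating both findings on the same ProcessId, as the sample does for PID 5230, gives a much stronger signal than either alone, since developer workstations do legitimately run cvtres.exe under csc.exe.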
Please read the comprehensive technical details here.
MITRE ATT&CK Identifiers
- T1021.005 (VNC)
- T1027 (Obfuscated Files or Information)
- T1036.005 (Match Legitimate Name or Location)
- T1055.001 (Dynamic-link Library Injection)
- T1056.004 (Credential API Hooking)
- T1083 (File and Directory Discovery)
- T1105 (Ingress Tool Transfer)
- T1119 (Automated Collection)
- T1137.001 (Office Template Macros)
- T1140 (Deobfuscate/Decode Files or Information)
- T1204.002 (Malicious File)
- T1547.001 (Registry Run Keys / Startup Folder)
- T1555.003 (Credentials from Web Browsers)
- T1566 (Phishing)
- T1566.001 (Spearphishing Attachment)
- T1566.002 (Spearphishing Link)
Indicators of Compromise
- Username: “ddd@mgcpakistan[.]com”
Imphash values shared across the 106 files on the FTP server:
- F34d5f2d4577ed6d9ceec516c1f5a744 (86 files)
- 61259b55b8912888e90f516ca08dc514 (10 files)
Attackers are creative enough to bring new technologies and methods to exploit victims and collect sensitive information. Still, initial access into a network is gained by the same old methods: malicious mail or malicious URLs. In the end, it comes down to being aware of these potential threats and acting accordingly.