Table of Contents
March 7, 2024
|4m
What is PureCrypter Malware? How Does PureCrypter Malware Work?
Multiple government organizations are getting targeted by PureCrypter malware downloader, which further downloads ransomware and info stealers and collects sensitive information from organizations. Researchers have observed a large threat campaign distributed via Discord.
We will discuss in detail what is PureCrypter Malware and how does PureCrypter Malware work in this post.
What is PureCrypter Malware? How Does PureCrypter Malware Work?
PureCrypter malware has been around since 2021 and has been developed using the moniker “PureCoder.” It provides multiple features, including persistence, fake messaging, injection types, etc.
PureCrypter campaigns use compromised websites of the non-profitable organization to deliver the secondary payload by making it a command-and-control center. The PureCrypter Malware campaign deploys several types of malware, including AgentTesla, Redline Stealer, Arkei, Eternity, Blackmoon, AsyncRAT, etc.
The attack chains are as follows:
Infection Chain, Credits: Minlo
As per the investigation done by Minlo researchers, it was observed Agent Tesla established an FTP connection where the stolen victim credentials were stored. Agent tesla is a very famous .NET malware that has been used in the wild for more than 8 years. This secondary malware is found as a password-protected file in a compromised non-profit website whose credentials were found online.
These similar secondary malware files were also observed in phishing emails as well. The FTP server was also found to be a part of a campaign involving One note.
Technical Details
In the recent campaign, the payload was hosted in the Discord app, and a URL pointing to a password-protected ZIP archive containing a PureCrypter sample was sent via email.
Steps taken by the attacker to deliver the payload are:
The Discord App URL pointing to the payload was sent via email.
The ZIP file contains a .net loader that carries the PureCrypter sample.
The loader downloads the secondary payload from a compromised website.
The secondary payload observed by the researchers in this scenario was Agent Tesla which was communicating to an FTP server hosted in Pakistan.
The downloaded binary has the capacity to evade initial detection using encryption using the DES algorithm.
Agent tesla uses the technique of process hollowing to inject the payload into cvtres.exe. Process hollowing is a method of executing arbitrary code in the address space of a separate live process [MITRE]
Agent Tesla will encrypt the config file using the XOR algorithm. When the file was decrypted, it was observed that the CnC details of the FTP server where the compromised victim data is stored.
Please read the comprehensive technical details here.
MITRE ATT&CK Identifier
Here you see the MITRE ATT&CK identifiers:
T1021.005 (VNC)
T1027 (Obfuscated Files or Information)
T1036.005 (Match Legitimate Name or Location)
T1055.001 (Dynamic-link Library Injection)
T1056.004 (Credential API Hooking)
T1083 (File and Directory Discovery)
T1105 (Ingress Tool Transfer)
T1119 (Automated Collection)
T1137.001 (Office Template Macros)
T1140 (Deobfuscate/Decode Files or Information)
T1204.002 (Malicious File)
T1547.001 (Registry Run Keys / Startup Folder)
T1555.003 (Credentials from Web Browsers)
T1566 (Phishing)
T1566.001 (Spearphishing Attachment)
T1566.002 (Spearphishing Link)
IOC
FTP
“ftp://ftp[.]mgcpakistan[.]com/”
Username: “ddd@mgcpakistan[.]com”
HTTP
cents-ability.org
be18d4fc15b51daedc3165112dad779e17389793fe0515d62bbcf00def2c3c2d
5732b89d931b84467ac9f149b2d60f3aee679a5f6472d6b4701202ab2cd80e99
Malware
a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e
5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d
f950d207d33507345beeb3605c4e0adfa6b274e67f59db10bd08b91c96e8f5ad
397b94a80b17e7fbf78585532874aba349f194f84f723bd4adc79542d90efed3
7a5b8b448e7d4fa5edc94dcb66b1493adad87b62291be4ddcbd61fb4f25346a8
efc0b3bfcec19ef704697bf0c4fd4f1cfb091dbfee9c7bf456fac02bcffcfedf
C846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331
Imphash shared by 106 FTP files:
F34d5f2d4577ed6d9ceec516c1f5a744 (86 files)
61259b55b8912888e90f516ca08dc514 (10 files)
Conclusion
Attackers are creative enough to bring new technology and methods to exploit and collect sensitive information. Still, the initial access into a network is done by the same old methods as malicious mail or malicious URL. In the end, it is all about the use of being aware of all these potential threats and acting accordingly.
I hope this article gave you more insight into what is PureCrypter Malware and How does PureCrypter Malware work. Please share this post and help secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.
You may also like these articles:
Aroma Rose Reji
Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.
