Saturday, July 27, 2024

Asia-Pacific And North American Government Targeted By PureCrypter Malware

Reports have revealed that an unknown threat actor has been relentlessly targeting Asia-Pacific and North American government agencies with a malware downloader called PureCrypter. Incident reports indicate that this malware differs substantially from what has previously been encountered and could be capable of doing more damage. PureCrypter has also been reported to be highly effective at delivering an array of other stealer and ransomware payloads.

Although the offering was not available for long, when it was first documented in June 2022 PureCrypter was listed for sale at $59 per month, or at a discounted one-time lifetime price of $245, with updates tracking the malware's functionality.

In December 2022, the actor expanded the offer beyond malware distribution by including PureLogs, an information stealer that extracts data from crypto wallets, email clients, and web browsers, at the rate of a $99 yearly subscription. According to Menlo Security researcher Abhay Yadav, the PureCrypter campaign makes use of a compromised non-profit organization's infrastructure as its command and control (C2) for delivering a secondary payload.

A more detailed analysis by Menlo Security revealed the malware's sequential mode of operation. The first stage is a phishing email containing a Discord URL that points to a password-protected ZIP archive holding the loader and configuration needed to run PureCrypter. In the second stage, the malware beacons to a compromised domain belonging to a non-profit entity to retrieve Agent Tesla and a secondary .NET-based keylogger payload, which drive the final stage of the attack.

The final stage of the attack involves opening a backdoor connection to an FTP server, traced to Pakistan, to which the stolen data is exfiltrated. Security agencies are currently researching the campaign to prevent further damage.
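The three stages described above (Discord-hosted ZIP lure, follow-on fetch from a compromised third-party domain, outbound FTP exfiltration) can be correlated per host in egress logs. The following detection script is an added example, not code from the article or from Menlo Security; the log format, hostnames, domains and the 15-minute window are constructed assumptions, not indicators from the campaign.

```python
"""Correlate the PureCrypter delivery chain across per-host egress events.

Added example; log lines, domains and window are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress log lines: "<timestamp> <host> <proto> <dest> <detail>"
SAMPLE_LOGS = """\
2024-07-20T09:00:01 ws-17 http cdn.discordapp.com GET /attachments/1/2/invoice.zip
2024-07-20T09:00:40 ws-17 http charity-example.org GET /wp-content/uploads/x.bin
2024-07-20T09:02:10 ws-17 tcp 203.0.113.9:21 CONNECT
2024-07-20T09:05:00 ws-22 http cdn.discordapp.com GET /attachments/3/4/photo.png
2024-07-20T09:06:00 ws-22 http www.example.com GET /index.html
""".splitlines()

WINDOW = timedelta(minutes=15)  # assumed correlation window, tune per environment


def parse(line):
    ts, host, proto, dest, detail = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, proto, dest, detail


def find_chain(lines, window=WINDOW):
    """Return {host: {...}} for hosts showing, in order and inside `window`:
    stage 1: HTTP download of a .zip from a Discord CDN domain
    stage 2: HTTP fetch from any non-Discord domain (second-stage pull)
    stage 3: outbound TCP connection to port 21 (FTP exfiltration)"""
    events = defaultdict(list)
    for line in lines:
        ts, host, proto, dest, detail = parse(line)
        events[host].append((ts, proto, dest, detail))
    hits = {}
    for host, evs in events.items():
        evs.sort()
        for t0, proto, dest, detail in evs:
            is_lure = (proto == "http" and dest.endswith("discordapp.com")
                       and detail.lower().endswith(".zip"))
            if not is_lure:
                continue
            later = [e for e in evs if t0 < e[0] <= t0 + window]
            fetch = next((e for e in later if e[1] == "http"
                          and not e[2].endswith("discordapp.com")), None)
            ftp = next((e for e in later if e[1] == "tcp"
                        and e[2].endswith(":21")), None)
            if fetch and ftp and fetch[0] < ftp[0]:
                hits[host] = {"lure": dest, "c2": fetch[2], "exfil": ftp[2]}
    return hits


if __name__ == "__main__":
    for host, info in find_chain(SAMPLE_LOGS).items():
        print(f"{host}: {info}")
```

Only ws-17 matches all three stages in order; ws-22 downloaded a non-ZIP attachment and never contacted FTP, so it is not flagged.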
