An unidentified threat actor is using PureCrypter, an off-the-shelf malware downloader, to target government entities in Asia-Pacific and North America with information-stealing and ransomware programs. Abhay Yadav, a researcher at Menlo Security, explains that the PureCrypter campaign delivers a secondary payload through a command-and-control (C2) domain belonging to a compromised non-profit organization. PureCrypter has been used to propagate various malware families, including RedLine Stealer, Agent Tesla, Eternity, Blackmoon (aka KRBanker), and Philadelphia ransomware.
In December 2022, PureCoder, the developer of the program, added PureLogs to its offerings. PureLogs is a logger and information stealer that extracts data from web browsers, crypto wallets, and email clients. The subscription fee for PureLogs is $99 per year or $199 for lifetime access.
According to Menlo Security, the infection process starts with a phishing email that contains a Discord URL. This URL leads to a password-protected ZIP archive, which loads the PureCrypter malware. The loader then contacts the website of the breached non-profit organization to obtain the secondary payload, Agent Tesla, a .NET-based keylogger. The backdoor establishes a connection to an FTP server in Pakistan to transmit the stolen data, which suggests that the attacker may have used compromised credentials.
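As an added defender-side example (not code from the Menlo Security report), the script below correlates the two externally observable steps of this chain in proxy/firewall logs: a ZIP fetched from a Discord URL followed, from the same host, by an outbound FTP connection. The log format, hostnames and the 30-minute correlation window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic):
# timestamp, source host, destination host, destination port, request path
SAMPLE_LOG = """\
2023-02-20T09:01:12 ws-14 cdn.discordapp.com 443 /attachments/1/2/invoice.zip
2023-02-20T09:01:40 ws-14 nonprofit.example 443 /wp-content/uploads/update.bin
2023-02-20T09:02:05 ws-14 203.0.113.9 21 -
2023-02-20T09:05:00 ws-22 cdn.discordapp.com 443 /attachments/3/4/notes.zip
2023-02-20T10:30:00 ws-31 203.0.113.9 21 -
"""

# Discord's content domains; the archive in this campaign is served via a Discord URL.
DISCORD_DOMAINS = ("discordapp.com", "discord.com")
# Assumed window between the ZIP download and the first FTP connection.
WINDOW = timedelta(minutes=30)


def parse_line(line):
    ts, src, dst, port, path = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), path


def is_discord_zip(dst, path):
    # Match any subdomain of the Discord domains serving a .zip path.
    return dst.endswith(DISCORD_DOMAINS) and path.lower().endswith(".zip")


def find_chain(log_text):
    """Return (src, zip_time, ftp_time) for each host that downloads a ZIP
    from a Discord URL and then opens an outbound FTP (port 21) connection
    within WINDOW. A ZIP download alone, or FTP alone, is not flagged."""
    zip_downloads = defaultdict(list)
    alerts = []
    for line in log_text.strip().splitlines():
        ts, src, dst, port, path = parse_line(line)
        if is_discord_zip(dst, path):
            zip_downloads[src].append(ts)
        elif port == 21:
            for zip_ts in zip_downloads[src]:
                if timedelta(0) <= ts - zip_ts <= WINDOW:
                    alerts.append((src, zip_ts, ts))
                    break
    return alerts


if __name__ == "__main__":
    for src, zip_ts, ftp_ts in find_chain(SAMPLE_LOG):
        print(f"{src}: Discord ZIP at {zip_ts}, outbound FTP at {ftp_ts}")
```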