PureCrypter

A group of cybercriminals has been targeting government entities in the Asia-Pacific (APAC) and North American regions with a malware downloader called PureCrypter. In the reported attacks, the operators infiltrated the organizations' systems and collected sensitive information or, in some cases, held systems hostage with ransomware. The impact is compounded by the fact that government entities often store sensitive and classified information, which is precisely what makes them attractive targets.

Security researchers found that the threat actors used Discord to host the initial payload and compromised a non-profit organization's server to stage additional payloads for the campaign. Hosting the first stage on a legitimate, widely allowed platform such as Discord makes the download harder for security controls to flag and block. PureCrypter is known for delivering several different malware families, including Redline Stealer, AgentTesla, Eternity, Blackmoon and the Philadelphia Ransomware.

PureCrypter is Part of a Multi-Stage Attack Chain

The attack chain begins with an email that contains a Discord application URL. The URL leads to a PureCrypter sample packed inside a password-protected ZIP archive. PureCrypter is a .NET-based malware downloader whose operator rents it to other cybercriminals for distributing their own payloads. Once executed, PureCrypter fetches and runs the next-stage payload from a Command-and-Control (C2, C&C) server; in this campaign, that server was the compromised server of the non-profit organization.

The next-stage sample analyzed by the researchers was AgentTesla, an information stealer that harvests data from the victim's computer. Once launched, AgentTesla connects to a Pakistan-based FTP server to upload the collected data. Notably, the threat actors did not set up their own FTP server; they used leaked credentials to take over an existing one. Operating from an already compromised server reduces the risk of attribution and leaves fewer traces pointing back to them.

AgentTesla Remains A Threatening Cybercriminal Tool

AgentTesla is .NET malware that has been in criminal use for about eight years, with usage peaking in late 2020 and early 2021. Despite its age, it remains a capable and cheap keylogger and information stealer that has been continually developed and improved.

One of AgentTesla's key capabilities is logging the victim's keystrokes, which lets the operators capture sensitive input such as passwords. The malware can also collect passwords saved in FTP clients, web browsers and email clients. In addition, AgentTesla can capture screenshots of the victim's desktop, potentially revealing confidential information, and it can intercept any data copied to the system clipboard, including text, passwords and credit card details. The collected data is then exfiltrated to the Command-and-Control (C2) server via FTP or SMTP.

In the PureCrypter attacks, the threat actors used process hollowing to inject the AgentTesla payload into 'cvtres.exe', a legitimate Microsoft binary (the resource-file-to-COFF converter shipped with the .NET Framework). The loader starts the legitimate executable in a suspended state, replaces its in-memory image with the payload and resumes it, so the running process keeps the name, path and signature of a trusted binary while executing attacker code. This helps evade security tools that trust the on-disk image; the tell is a legitimate binary behaving abnormally, such as cvtres.exe being started by something other than build tooling or opening network connections.
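The behavioural tell described above can be turned into a simple detection. The following is an added example, not code from the original article or from PureCrypter/AgentTesla: it scores constructed process-creation events (field names loosely follow Sysmon Event ID 1) and flags cvtres.exe launched in a way consistent with hollowing. The expected-parent list, the path heuristics and the sample events are assumptions for illustration.

```python
"""Added example (not code from the original article or from PureCrypter/AgentTesla):
a small detection pass over process-creation events that flags cvtres.exe launched
in a way consistent with process hollowing. Field names loosely follow Sysmon
Event ID 1; the expected-parent list and the sample events are constructed
assumptions for illustration."""
from dataclasses import dataclass

# cvtres.exe is normally spawned by compiler/linker tooling. Assumed allow-list;
# tune it to what your build hosts actually run.
EXPECTED_PARENTS = {"csc.exe", "vbc.exe", "link.exe", "msbuild.exe", "devenv.exe"}
# Path fragments that indicate a parent running from a user-writable location.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def score_event(ev: ProcEvent) -> list[str]:
    """Return the reasons an event looks like a hollowed cvtres.exe (empty = not flagged)."""
    reasons: list[str] = []
    if ev.image.rsplit("\\", 1)[-1].lower() != "cvtres.exe":
        return reasons
    parent_path = ev.parent_image.lower()
    parent = parent_path.rsplit("\\", 1)[-1]
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    if any(hint in parent_path for hint in USER_WRITABLE_HINTS):
        reasons.append("parent runs from a user-writable path")
    # A real build invocation passes switches such as /OUT: and /MACHINE:.
    # A hollowing loader typically creates the process with a bare command line.
    if not any(tok.startswith("/") for tok in ev.command_line.split()):
        reasons.append("bare command line, no cvtres switches")
    return reasons


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every flagged event."""
    return [(i, r) for i, ev in enumerate(events) if (r := score_event(ev))]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
        command_line=r"cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 /OUT:C:\build\app.res.obj C:\build\app.res",
        parent_image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
    ),
    ProcEvent(
        image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
        command_line=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
        parent_image=r"C:\Users\victim\AppData\Roaming\invoice_2023.exe",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\notepad.exe",
        command_line=r"notepad.exe C:\Users\victim\notes.txt",
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(why)}")
```

Only the second sample event is flagged, on all three heuristics. On a real estate the parent allow-list needs tuning, and a positive hit should be followed by memory inspection of the process (for example comparing the in-memory image against the on-disk cvtres.exe), since the name and path alone prove nothing once the image has been swapped.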

To keep its C2 communications and configuration files from being readily identified by network traffic monitoring tools, AgentTesla XOR-encrypts them. This stops signature-based tools from matching plaintext strings on the wire or in the binary, which makes the malware harder to detect and mitigate. XOR with a fixed key is obfuscation rather than strong encryption, though: the key has to be present in the sample, and once it is recovered every configuration blob and capture encoded with it can be decoded.
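The weakness just described is what an analyst exploits when unpacking a sample. The following is an added example, not code from the original article or from AgentTesla itself: it reverses repeating-key XOR of the kind described above and recovers the key from a known fragment of plaintext. The key, the configuration string, its field format and the resulting blob are constructed for illustration and are not taken from a real sample.

```python
"""Added example (not code from the original article or from AgentTesla itself):
reversing repeating-key XOR of the kind used to hide C2 traffic and embedded
configuration. The key, the configuration string and the resulting blob are
constructed here for illustration; nothing below is taken from a real sample."""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so the same call
    both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def parse_config(plaintext: bytes) -> dict[str, str]:
    """Split a 'k=v;k=v' configuration string into a dict (constructed format)."""
    fields: dict[str, str] = {}
    for item in plaintext.decode("utf-8").split(";"):
        name, _, value = item.partition("=")
        fields[name] = value
    return fields


def decrypt_config(blob: bytes, key: bytes) -> dict[str, str]:
    """Decode a XOR-obfuscated configuration blob with a known key."""
    return parse_config(xor_bytes(blob, key))


def recover_key(ciphertext: bytes, crib: bytes, key_len: int, offset: int = 0) -> bytes:
    """Known-plaintext recovery: if `crib` is known to sit at `offset`, the key
    bytes covering it are ciphertext ^ crib. The crib must span at least one
    full key period, otherwise some key bytes are never observed."""
    if len(crib) < key_len:
        raise ValueError("crib shorter than key length; cannot recover every key byte")
    if offset + len(crib) > len(ciphertext):
        raise ValueError("crib runs past the end of the ciphertext")
    segment = ciphertext[offset:offset + len(crib)]
    stream = bytes(c ^ p for c, p in zip(segment, crib))
    key = bytearray(key_len)
    for i in range(key_len):
        key[(offset + i) % key_len] = stream[i]   # align to the key period
    return bytes(key)


# Constructed sample configuration and key (not from a real sample).
CONFIG_PLAINTEXT = b"proto=ftp;host=ftp.example.test;user=backup;pass=Winter2023!;port=21"
CONFIG_KEY = b"k3yMat3r1al"
CONFIG_BLOB = xor_bytes(CONFIG_PLAINTEXT, CONFIG_KEY)   # what an analyst would carve from the binary


if __name__ == "__main__":
    # An analyst who knows the key length (from the sample's decryption routine)
    # and that the config starts with "proto=ftp;host=" can recover the key from
    # that crib alone, then decode everything else obfuscated with it.
    guessed = recover_key(CONFIG_BLOB, b"proto=ftp;host=", len(CONFIG_KEY))
    print("recovered key:", guessed)
    print(decrypt_config(CONFIG_BLOB, guessed))
```

The same `xor_bytes` call decodes captured C2 traffic once the key is known, which is why a fixed XOR key buys the operator very little against an analyst with a sample in hand; the practical defence it offers is only against naive string matching on the wire.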
