PureCrypter Malware Targets Government Entities in Asia-Pacific and North America

Blog Author: Alex Babbage

Executive Summary:

An unidentified threat actor was identified by Menlo Labs using Discord to spread an evasive campaign that targets government institutions through the PureCrypter downloader. The attack delivers a secondary payload sent by the PureCrypter campaign, using the compromised domain of a non-profit organisation as its C2 (Command and Control) platform.

Numerous malware strains, including Philadelphia Ransomware, Redline Stealer, AgentTesla, Eternity, and Blackmoon, were discovered to have been distributed by the campaign. 'Menlo's Cloud Security Platform restricted password-protected archive files across several government clients in the Asia-Pacific (APAC) and North American regions'. [1]

Introduction:

Threat actor PureCoder is presently working on a new malware loader called PureCrypter. The loader can distribute a wide variety of malware and is fully featured. 'It has been available for purchase on dark markets since at least March 2021'. On their website, PureCrypter is offered for sale by its creator for $59 for a month of access or $245 for a one-time lifetime purchase. [2]

In order to prevent reverse engineering, crypters are employed as the first line of defence. They are also frequently utilised to conceal dangerous payloads. Along with what PureCrypter describes as an innovative technique to inject the embedded malware into native processes, the programme also offers a number of adjustable parameters to establish persistence on startup and activate other measures to evade detection. [3]

[Image] Table 1 - PureCrypter main features. [5]

Event explanation + Potential IOCs (Indicators of Compromise):

A phishing email containing a link to the Discord software, which houses the payload, is used to spread infection.

  • The PureCrypter loader is delivered inside a malicious password-protected ZIP file hosted at the Discord link.
  • After being installed, the loader fetches the secondary payloads using a compromised domain as a C2 server.
  • The second phase of malware delivery uses process hollowing to inject the payload into a legitimate process, evading detection by antivirus tools; the malware delivered this way includes Philadelphia, Redline Stealer, AgentTesla, Eternity, and Blackmoon.
  • The gathered data is then exfiltrated by the backdoor through a connection, in this case, to a Pakistani FTP server.

[Image] Figure 1 - Infection chain from the attack identified by Menlo. [1]

The campaign's objective appears to be to steal a variety of sensitive data from the victims, including system information. Researchers discovered that, in order to minimise their footprint and limit the danger of being identified, the threat actors exploited leaked credentials for an existing FTP server rather than setting up their own to take control of the specific host. [4]

Why should you care?

Attacks on civil services (government and businesses) could impact a significant part of the population. Governments and businesses hold a lot of confidential data as well as personal data about everyone, from where you live to the day you were born, and this information could be stolen if an attack were successful. This information can then be used for a whole host of malicious activities.

An attack would have a big impact on civil services and businesses: governments and businesses run the country, and an attack on them would not only cost revenue but would have knock-on effects on other services in turn. Businesses and people who rely on them might struggle to get the help or funding they require.

How to protect yourself

As the campaign mainly leverages phishing emails, businesses can implement online safety awareness training. Making sure staff know how to spot phishing emails and how to deal with them is of the utmost importance. Individuals should also educate themselves on the threats that they may face when in the online world and there are lots of resources online where this can be done.

It is crucial to make sure your organisation is prepared for any potential threats. Starting with the basics, such as network and security architecture, the attack surface landscape, and any entry points, think about which, if any, parts of a system an adversary may use to obtain access.

To reduce risks early on, organisations should also look for malicious IPs and other IOCs linked to the campaign, as shown in the appendix. Although researchers continue to track the newest PureCrypter campaign's actions, it is advised that government organisations take the required security precautions to protect their vital infrastructure.
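As an added example (not code from Menlo Security or CSA Cyber), the script below shows one way to put the appendix indicators to work: it refangs the published FTP and HTTP indicators, matches them against egress log lines, and checks file digests against the MD5 and SHA-256 lists. The log lines and the log format (`dst=` fields) are constructed for the demonstration and are not real traffic; only a subset of the appendix hashes is embedded to keep the block short, and a real deployment would load the full list.

```python
"""Added example (not Menlo Security's or CSA Cyber's code): normalise the
defanged indicators from this article's appendix and check them against
constructed egress log lines and file hashes."""
import hashlib
import re

# Indicators copied from the appendix, kept defanged exactly as published.
DEFANGED_NETWORK_IOCS = [
    "ftp://ftp[.]mgcpakistan[.]com/",
    "cents-ability[.]org",
]
# Subset of the appendix hash lists (a real deployment would load all of them).
SHA256_IOCS = {
    "a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e",
    "5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d",
    "f950d207d33507345beeb3605c4e0adfa6b274e67f59db10bd08b91c96e8f5ad",
}
MD5_IOCS = {
    "14e4bfe2b41a8cf4b3ab724400629214",
    "f1c29ba01377c35e6f920f0aa626eaf5",
    "5420dcbae4f1fba8afe85cb03dcd9bfc",
}

# Constructed proxy/egress log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    "2023-02-27T10:14:03Z src=ws-0141 dst=updates.example.com proto=https status=200",
    "2023-02-27T10:15:44Z src=ws-0141 dst=cents-ability.org proto=https status=200",
    "2023-02-27T10:16:02Z src=ws-0141 dst=ftp.mgcpakistan.com proto=ftp user=ddd",
    "2023-02-27T10:17:10Z src=ws-0207 dst=notcents-ability.org proto=https status=404",
]


def refang(indicator: str) -> str:
    """Undo the usual defanging ('[.]', 'hxxp') so the value can be matched literally."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def extract_hosts(indicators):
    """Reduce defanged URLs and bare domains to a set of lowercase hostnames."""
    hosts = set()
    for ioc in indicators:
        m = re.match(r"^(?:[a-z]+://)?([^/:]+)", refang(ioc))
        if m:
            hosts.add(m.group(1))
    return hosts


def scan_log(lines, hosts):
    """Return (line_number, host) for lines that reference a known host or one
    of its subdomains. The look-around guards mean a longer unrelated name
    such as 'notcents-ability.org' is not reported."""
    patterns = {
        h: re.compile(r"(?<![\w-])" + re.escape(h) + r"(?![\w-])") for h in hosts
    }
    hits = []
    for n, line in enumerate(lines, 1):
        lowered = line.lower()
        for host, pat in patterns.items():
            if pat.search(lowered):
                hits.append((n, host))
    return hits


def hash_bytes(data: bytes):
    """MD5 and SHA-256 of a blob as lowercase hex, the same form as the appendix."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def is_known_sample(md5_hex: str, sha256_hex: str) -> bool:
    """True when either digest appears in the appendix hash sets."""
    return md5_hex.lower() in MD5_IOCS or sha256_hex.lower() in SHA256_IOCS


if __name__ == "__main__":
    hosts = extract_hosts(DEFANGED_NETWORK_IOCS)
    for n, host in scan_log(SAMPLE_LOG, hosts):
        print(f"line {n}: contact with known C2/exfiltration host {host}")
    md5_hex, sha_hex = hash_bytes(b"constructed blob, not a real sample")
    print("blob matches appendix hashes:", is_known_sample(md5_hex, sha_hex))
```

Hash matching is only useful against the exact samples Menlo observed; because the page notes that over half of the 106 samples share the same imphash and the same registry key, behavioural detections (process injection, the Fusion logging registry key) will catch recompiled variants that a hash list misses.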

In order to avoid the lateral spreading of any malware, should it be introduced, separate components of the network should be appropriately isolated. Firewall settings and which alerts are configured to trigger an alarm should be assessed. A current anti-virus programme should be installed.

Depending on whether access to systems is necessary, how that access is granted, and the amount of power granted, any customer and supplier may serve as an access or escalation point. Throughout, a limited trust policy should be in place, with access being allowed only as needed and being instantly removed if it is no longer needed.

Secure login portals requiring Multi-Factor Authentication should be present everywhere data is stored or activities involving accounts are performed, such as in customer relationship databases and booking software. Check for vulnerabilities in any code, templates, and plugins on the organization's website if one exists. When accepting card payments, a PCI compliant merchant service should be used. Human aspects shouldn't be disregarded; a straightforward DBS check for employees may reveal suspect intentions or histories.

Conclusion

With the threat of PureCrypter being used by malicious actors to distribute malware to different entities, organisations need a contingency plan. A contingency plan, together with a clear chain of escalation for prompt corrective action to minimise downtime, can help guarantee that an organisation remains operational, even if on a limited basis, in the event of an attack.

Due to a lack of IT staff, knowledge, and resources, conducting a thorough audit may be challenging for many small-to-medium businesses. Services provided by Cyber Security Associates range from complete consulting to website analysis.

References:

[1] PureCrypter targets government entities through Discord - Blog | Menlo Security

[2] Technical Analysis of PureCrypter | Zscaler Blog

[3] https://www.malwarebytes.com/blog/news/2015/12/malware-crypters-the-deceptive-first-layer

[4] PureCrypter Loader Found Infecting Government Entities with Various Malware | Cyware Alerts - Hacker News

[5] Researchers Detail PureCrypter Loader Cyber Criminals Using to Distribute Malware (thehackernews.com)

Appendix- IOCs from Menlo’s investigation

FTP:

“ftp://ftp[.]mgcpakistan[.]com/”

Username: ddd@mgcpakistan[.]com

HTTP:

‘cents-ability[.]org’

Email:

be18d4fc15b51daedc3165112dad779e17389793fe0515d62bbcf00def2c3c2d

5732b89d931b84467ac9f149b2d60f3aee679a5f6472d6b4701202ab2cd80e99

Malware:

a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e

5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d

f950d207d33507345beeb3605c4e0adfa6b274e67f59db10bd08b91c96e8f5ad

397b94a80b17e7fbf78585532874aba349f194f84f723bd4adc79542d90efed3

7a5b8b448e7d4fa5edc94dcb66b1493adad87b62291be4ddcbd61fb4f25346a8

efc0b3bfcec19ef704697bf0c4fd4f1cfb091dbfee9c7bf456fac02bcffcfedf

C846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331

Imphash shared by 106 FTP files:

F34d5f2d4577ed6d9ceec516c1f5a744 (86 files)

61259b55b8912888e90f516ca08dc514 (10 files)

Registry key opened by 82 of the 106 FTP files:

HKLM\Software\Microsoft\Fusion\LoggingLevel

Of the 106 samples, over half shared the following MITRE Techniques:

Execution TA0002

- Windows Management Instrumentation T1047

Privilege Escalation TA0004

- Process Injection T1055

Defense Evasion TA0005

- Disable or Modify Tools T1562.001

- Virtualization/Sandbox Evasion T1497

- Process Injection T1055

- Obfuscated Files or Information T1027

- Software Packing T1027.002

- Masquerading T1036

Credential Access TA0006

- OS Credential Dumping T1003

Discovery TA0007

- System Information Discovery T1082

- Security Software Discovery T1518.001

- Virtualization/Sandbox Evasion T1497

- Application Window Discovery T1010

- Process Discovery T1057

Collection TA0009

- Data from Local System T1005

Command and Control TA0011

- Non-Application Layer Protocol T1095

- Application Layer Protocol T1071

Other similar files:

Md5 hash:

14e4bfe2b41a8cf4b3ab724400629214

f1c29ba01377c35e6f920f0aa626eaf5

5420dcbae4f1fba8afe85cb03dcd9bfc

18e9cd6b282d626e47c2074783a2fa78

2499343e00b0855882284e37bf0fa327

0d8b1ad53fddacf2221409c1c1f3fd70

17f512e1a9f5e35ce5761dba6ccb09cb

b5c60625612fe650be3dcbe558db1bbc

a478540cda34b75688c4c6da4babf973

765f09987f0ea9a3797c82a1c3fced46

bbd003bc5c9d50211645b028833bbeb2

71b4db69df677a2acd60896e11237146

f4eebe921b734d563e539752be05931d

b4fd2d06ac3ea18077848c9e96a25142

1d3c8ca9c0d2d70c656f41f0ac0fe818

785bfaa6322450f1c7fe7f0bf260772d

2fa290d07b56bde282073b955eae573e

d70bb6e2f03e5f456103b9d6e2dc2ee7

0ede257a56a6b1fbd2b1405568b44015

fdd4cd11d278dab26c2c8551e006c4ed

dbcaa05d5ca47ff8c893f47ad9131b29

c9ca95c2a07339edb13784c72f876a60

c3b90a10922eef6d635c6c786f29a5d0

8ef7d7ec24fb7f6b994006e9f339d9af

fa4ffa1f263f5fc67309569975611640

754920678bc60dabeb7c96bfb88273de

2964ce62d3c776ba7cb68a48d6afb06e

8503b56d9585b8c9e6333bb22c610b54

eaaf20fdc4a07418b0c8e85a2e3c9b27

b6c849fcdcda6c6d8367f159047d26c4

de94d596cac180d348a4acdeeaaa9439

3f92847d032f4986026992893acf271e

ae158d61bed131bcfd7d6cecdccde79b
