
PureCrypter Malware Targets Governments Through Discord

PureCrypter delivers multiple types of malware and info-stealers, including Redline Stealer, Eternity, AgentTesla, Philadelphia Ransomware, and Blackmoon.

Cybersecurity researchers at Menlo Labs discovered an unknown threat actor running an evasive malware campaign through Discord. The campaign's prime victims are government entities in North America and Asia-Pacific.

According to the researchers, the attackers in this campaign deliver the PureCrypter downloader, and their primary targets are government entities. The threat actor uses a compromised non-profit organization's domain as the command-and-control (C2) server that serves the second-stage payload.

Researchers noticed that in this campaign, PureCrypter delivers multiple types of malware and info-stealers, including Redline Stealer, AgentTesla, Philadelphia Ransomware, and Blackmoon.


How Was the Campaign Discovered?

The researchers wrote that they became suspicious after noticing that Menlo's Cloud Security Platform had blocked password-protected archive files for numerous government customers across the North American and Asia-Pacific regions.

The attacks start with a phishing email containing a malicious link to Discord. The URL leads to a password-protected ZIP file containing the .NET malware downloader PureCrypter, which in turn downloads a secondary payload from the attackers' C2 infrastructure.
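As an added example (not code from the article or from Menlo Labs), here is a Python triage check a mail or web gateway could apply to the first stage described above: it flags a Discord-hosted download whose ZIP archive is password-protected and lists an executable, both of which are readable from the archive's headers without knowing the password. The Discord hostnames, the executable suffixes and the sample archive are assumptions constructed for the example.

```python
import io
import struct
import zipfile
from urllib.parse import urlparse

# Assumed hostnames for Discord-served links; the article only says "a link to Discord".
DISCORD_HOSTS = {"discord.com", "discordapp.com", "cdn.discordapp.com"}
# Assumed set of suffixes treated as executable content inside the archive.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")


def is_discord_link(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host in DISCORD_HOSTS or host.endswith((".discordapp.com", ".discord.com"))


def triage_archive(url: str, data: bytes) -> dict:
    """Return indicators a gateway can check without the archive password."""
    findings = {"discord_link": is_discord_link(url), "encrypted": False,
                "executables": [], "block": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP at all; leave the decision to other checks
    for info in zf.infolist():
        # General-purpose flag bit 0 marks an entry as encrypted; entry names stay in clear text.
        if info.flag_bits & 0x1:
            findings["encrypted"] = True
        if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
            findings["executables"].append(info.filename)
    findings["block"] = (findings["discord_link"] and findings["encrypted"]
                         and bool(findings["executables"]))
    return findings


def build_sample(encrypted: bool) -> bytes:
    """Constructed sample: a one-entry ZIP, optionally with the encryption flag set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ placeholder, not a real binary")
    ba = bytearray(buf.getvalue())
    if encrypted:
        # Set bit 0 of the flag word in the local header (+6) and the central directory entry (+8).
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = ba.find(sig)
            flags = struct.unpack_from("<H", ba, pos + off)[0] | 0x1
            struct.pack_into("<H", ba, pos + off, flags)
    return bytes(ba)
```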

The sample Menlo Labs analyzed downloaded AgentTesla, a widely used RAT and info stealer that can steal browser-based passwords, take screenshots, and log keystrokes after establishing a connection with an FTP server located in Pakistan.

Victim data is stored on this FTP server, which had also been observed in another campaign that used OneNote files to deliver malware.

“The FTP server appears to have been taken over and the leaked credentials for the domain were found online, thus suggesting that the threat actors used these credentials to gain access to the server.”

Menlo Labs

What is PureCrypter?

PureCrypter is a malware downloader capable of distributing a wide range of ransomware, malware, and information stealers. It was first detected in June 2022. Its creator, PureCoder, offers it for $59 per month or a one-time payment of $245 for life.

The developer recently expanded its features to include the PureLogs logger and info stealer, which can steal data from crypto wallets, web browsers, and email clients, for $99 a year or $99 for lifetime access.
