
Researchers Detail PureCrypter Loader Cyber Criminals Using to Distribute Malware

Cybersecurity researchers have detailed the workings of a fully-featured malware loader dubbed PureCrypter that’s being purchased by cyber criminals to deliver remote access trojans (RATs) and information stealers.

“The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption, and obfuscation to evade antivirus software products,” Zscaler’s Romain Dumont said in a new report.

Some of the malware families distributed using PureCrypter include Agent Tesla, Arkei, AsyncRAT, AZORult, DarkCrystal RAT (DCRat), LokiBot, NanoCore, RedLine Stealer, Remcos, Snake Keylogger, and Warzone RAT.

Sold for a price of $59 by its developer named “PureCoder” for a one-month plan (and $249 for a one-off lifetime purchase) since at least March 2021, PureCrypter is advertised as the “only crypter in the market that uses offline and online delivery technique.”

Crypters act as the first layer of defense against reverse engineering and are typically used to pack the malicious payload. PureCrypter also features what it says is an advanced mechanism to inject the embedded malware into native processes and a variety of configurable options to achieve persistence on startup and turn on additional options to fly under the radar.

Also offered is a Microsoft Office macro builder and a downloader, highlighting the potential initial infection routes that can be employed to propagate the malware.

Interestingly, while PureCoder makes it a point to note that the “software was created for educational purposes only,” its terms of service (ToS) forbid buyers from uploading the tool to malware scanning databases such as VirusTotal, Jotti, and MetaDefender.

“You are not allowed to scan the crypted file, as the crypter itself has a built-in scanner,” the ToS further states.

In one sample analyzed by Zscaler, a disk image file (.IMG) was found to contain a first-stage downloader that, in turn, retrieves and runs a second-stage module from a remote server, which subsequently injects the final malware payload inside other processes like MSBuild.
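As an added detection example (not code from the article or from Zscaler’s report), the following heuristic flags the last step of the chain above, MSBuild.exe being started as an injection host, over constructed Sysmon-style process-creation events. The parent allow-list, the field names and the sample events are assumptions a defender would tune to their own environment.

```python
# Added example: heuristic for the MSBuild injection step described above.
# The Sysmon-style field names, the parent allow-list and the sample events
# are constructed assumptions, not data from the article or Zscaler's report.

# Hypothetical baseline of parents that legitimately start MSBuild.exe on a
# developer workstation; tune per environment.
LEGIT_MSBUILD_PARENTS = {
    r"c:\program files\microsoft visual studio\2022\community\common7\ide\devenv.exe",
    r"c:\windows\system32\cmd.exe",
}

def is_suspicious_msbuild(event: dict) -> bool:
    """Flag MSBuild.exe spawned by an unexpected parent or with no build arguments.
    A loader that injects into MSBuild needs a running host process, not a build,
    so a bare launch (no project file or switches) is the signal worth alerting on."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\msbuild.exe"):
        return False
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").strip().lower()
    bare_launch = cmdline in ("", image, f'"{image}"')
    return parent not in LEGIT_MSBUILD_PARENTS or bare_launch

def scan(events: list) -> list:
    """Return the ProcessIds of events that trip the heuristic."""
    return [e["ProcessId"] for e in events if is_suspicious_msbuild(e)]

# Constructed sample events (Sysmon Event ID 1-like fields).
SAMPLE_EVENTS = [
    {   # legitimate IDE build: known parent, real build arguments
        "ProcessId": 1201,
        "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
        "CommandLine": r"MSBuild.exe App.csproj /t:Build",
    },
    {   # loader-style launch: parent in a user Temp folder, bare command line
        "ProcessId": 4210,
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\stage1.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"',
    },
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # [4210]
```

In a real deployment the allow-list should be built from observed parents of MSBuild on build hosts, and the bare-launch check paired with a network-connection event from the same process for a higher-confidence alert.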

PureCrypter also offers a number of notable features that allow it to remove itself from the compromised machine and report the infection status to the author via Discord and Telegram.
