Chris Swagler | March 7th, 2023

A threat actor has been discovered delivering numerous information stealers and ransomware strains to government agencies using the PureCrypter malware downloader. Researchers found that the threat actor hosted the initial payload on Discord and breached a non-profit organization to store additional hosts used in the operation. Numerous types of malware, including Redline Stealer, AgentTesla, Eternity, Blackmoon, and Philadelphia Ransomware, were discovered being delivered during the campaign. According to researchers, the detected PureCrypter campaign targeted numerous government organizations in the Asia-Pacific and North American regions. PureCrypter used the compromised non-profit organization’s domain as a command-and-control (C2) server to deliver a secondary payload. PureCrypter was first documented in June 2022; its author offered monthly access and distributes multiple malware families. The developer, PureCoder, expanded the offerings with a logger and information stealer called PureLogs, which steals data from web browsers, crypto wallets, and email clients.

The campaign starts with phishing emails containing a Discord app link that leads to a PureCrypter sample in a password-protected ZIP archive. PureCrypter, a .NET-based malware downloader, was first discovered in the wild in March 2021. The operator rents it out to other cybercriminals to spread various malware types. When executed, PureCrypter delivers the next-stage payload from a command-and-control server, which can be a compromised server of a non-profit organization. The sample researchers examined was AgentTesla, a .NET-based keylogger; when launched, it established a connection to an FTP server in Pakistan that receives the stolen data. Researchers discovered that the threat actors exploited leaked credentials to take control of a specific FTP server instead of setting up their own, to minimize the risk of discovery and reduce their traces. Additionally, the FTP server was observed delivering malware using OneNote. Threat operators sent phishing emails containing links to malicious OneNote files, which can download additional malware or steal data from victims’ devices.

For the past eight years, cybercriminals have been using the AgentTesla malware family, and its usage peaked in late 2020 and early 2021. According to a recent report, despite its age, AgentTesla remains a cost-effective and highly powerful backdoor that has continued to be developed and improved over the years. In 2022, AgentTesla’s keylogging activity accounted for nearly one-third of all keylogger reports recorded. The malware has the following capabilities:

The attacks revealed that the threat actors used process hollowing to inject the AgentTesla payload into a legitimate process (“cvtres.exe”) to avoid detection by antivirus solutions. Additionally, AgentTesla protects its communications with the C2 server, including configuration files, from network traffic monitoring tools by using XOR encryption. The threat actor behind the PureCrypter campaign is not a large one, but its activities need to be monitored because it targets government agencies.
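Because the hollowed “cvtres.exe” process ends up talking to an FTP server, endpoint telemetry can be checked for that combination. The following detection sketch is an added example, not code from the researchers or from SpearTip; it assumes Sysmon-style process-creation (1) and network-connection (3) records with hypothetical field names, constructed sample events, and an allow-list of build-tool parents that must be tuned locally.

```python
import ntpath

TARGET = "cvtres.exe"
# Assumption: cvtres.exe is normally started by compiler/linker tooling.
EXPECTED_PARENTS = {"csc.exe", "vbc.exe", "link.exe"}
FTP_PORTS = {21}
NET_DIR = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# Constructed sample events (field names are hypothetical).
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 4120, "image": NET_DIR + r"\cvtres.exe",
     "parent_image": r"C:\Users\alice\Downloads\invoice.exe"},
    {"event_id": 3, "pid": 4120, "image": NET_DIR + r"\cvtres.exe",
     "dest_ip": "203.0.113.25", "dest_port": 21},
    {"event_id": 1, "pid": 5200, "image": NET_DIR + r"\cvtres.exe",
     "parent_image": NET_DIR + r"\csc.exe"},
    {"event_id": 3, "pid": 6100, "image": r"C:\Program Files\FileZilla\filezilla.exe",
     "dest_ip": "198.51.100.7", "dest_port": 21},
]

def exe_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()

def detect(events):
    """Return (pid, kind, detail) alerts for anomalous cvtres.exe behaviour."""
    alerts = []
    for ev in events:
        if exe_name(ev["image"]) != TARGET:
            continue  # only the process named on this page is examined
        if ev["event_id"] == 1:
            parent = exe_name(ev.get("parent_image", ""))
            if parent not in EXPECTED_PARENTS:
                alerts.append((ev["pid"], "unexpected_parent", parent))
        elif ev["event_id"] == 3:
            # A resource-conversion utility has no reason to open sockets.
            kind = "ftp_connection" if ev["dest_port"] in FTP_PORTS else "network_connection"
            alerts.append((ev["pid"], kind, f'{ev["dest_ip"]}:{ev["dest_port"]}'))
    return alerts

def high_confidence(alerts):
    """PIDs that show both an unexpected parent and outbound traffic."""
    kinds_by_pid = {}
    for pid, kind, _ in alerts:
        kinds_by_pid.setdefault(pid, set()).add(kind)
    network = {"ftp_connection", "network_connection"}
    return sorted(pid for pid, kinds in kinds_by_pid.items()
                  if "unexpected_parent" in kinds and kinds & network)
```

Either alert alone is worth triage; a PID returned by `high_confidence` warrants isolating the host and capturing memory before the process exits.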

Threat actors are likely to continue to use compromised infrastructure for as long as feasible before being forced to acquire new infrastructure. This is why it’s important for high-profile companies and government agencies to remain ahead of the latest threat landscape and regularly update their data network security posture. At SpearTip, our engineers discover blind spots in organizations that can lead to significant compromises. We go beyond simple compliance frameworks and examine the daily cyber functions within organizations, which can lead to critical recommendations by exposing vulnerabilities not only in software but in people and processes. Our engineers continuously monitor organizations’ data networks for potential ransomware threats at our 24/7/365 Security Operations Center. Our ShadowSpear Threat Hunting is a critical pre-breach step in evaluating the effectiveness of critical security measures, including email systems, to determine the overall health of environments and prevent breaches.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.