PureCryptor Malware Targets Government Entities: InfoStealer and Ransomware
A recent PureCryptor malware campaign has been discovered to be targeting government entities in the Asia-Pacific (APAC) and North America regions, delivering multiple information stealers and ransomware strains.
Menlo Security researchers found that the campaign used Discord to host the initial payload and compromised a non-profit organization to store additional hosts used in the attack.
Attack Chain of PureCryptor Malware
The attack starts with an email containing a Discord app URL that points to a PureCryptor malware sample in a password-protected ZIP archive. PureCryptor is a .NET-based malware downloader that was first seen in March 2021. Its operator rents it to other cybercriminals to distribute various types of malware.
When executed, it delivers the next-stage payload from a command and control server, which is a compromised server of a non-profit organization in this case.
Menlo Security researchers analyzed the sample and found that it delivered AgentTesla, a .NET malware family that has been in use by cybercriminals for the last eight years. When launched, AgentTesla establishes a connection to a Pakistan-based FTP server that is used to receive the stolen data.
The researchers discovered that the threat actors used leaked credentials to take control of the particular FTP server to reduce identification risks and minimize their trace.
AgentTesla: The .NET Malware Family Still in Use
Despite its age, AgentTesla remains a cost-effective and highly-capable backdoor that has received continual development and improvement over the years.
Cofense Intelligence recorded that AgentTesla’s keylogging activity accounted for roughly one-third of all keylogger reports in 2022.
AgentTesla’s capabilities include logging the victim’s keystrokes to capture sensitive information, stealing passwords saved in web browsers, email clients, or FTP clients, capturing screenshots of the desktop, intercepting data that is copied to the clipboard, and exfiltrating stolen data to the C2 via FTP or SMTP.
AgentTesla’s Capabilities and Stealth Tactics
In the attacks examined by Menlo Labs, the threat actors used process hollowing to inject the AgentTesla payload into a legitimate process (“cvtres.exe”) to evade detection by antivirus tools.
Furthermore, AgentTesla XOR-encrypts its communications with the C2 server, including its configuration files, to hide them from network traffic monitoring tools.
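Because the payload runs inside a hollowed cvtres.exe, the process image itself looks legitimate, so detection has to key on behaviour: a resource converter that is started by something other than a compiler, receives a remote thread, or opens an FTP/SMTP connection. The following detection logic is an added example, not code from the article or from Menlo Security; it runs over constructed Sysmon-style events (field names as Sysmon emits them, event data invented for illustration) and the list of legitimate build parents is an assumption to tune per environment.

```python
import json

# Constructed Sysmon-style events (hypothetical sample, not from the article).
# EventID 1 = process create, 3 = network connection, 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 21},
    # Benign: cvtres.exe launched by the C# compiler during a normal build.
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"},
]

# Assumed set of parents that legitimately invoke cvtres.exe during a build.
BUILD_PARENTS = {"csc.exe", "vbc.exe", "msbuild.exe", "devenv.exe", "link.exe", "cl.exe"}
# FTP and SMTP: the exfiltration channels the article attributes to AgentTesla.
EXFIL_PORTS = {21, 25, 465, 587}


def basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event) pairs for cvtres.exe behaviour that suggests hollowing."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and basename(ev["Image"]) == "cvtres.exe" \
                and basename(ev["ParentImage"]) not in BUILD_PARENTS:
            alerts.append(("cvtres_unusual_parent", ev))
        elif eid == 8 and basename(ev["TargetImage"]) == "cvtres.exe":
            alerts.append(("remote_thread_into_cvtres", ev))
        elif eid == 3 and basename(ev["Image"]) == "cvtres.exe" \
                and ev.get("DestinationPort") in EXFIL_PORTS:
            alerts.append(("cvtres_exfil_port", ev))
    return alerts


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, json.dumps(ev))
```

The three rules fire independently, so a single hit (for instance only the network connection) is still surfaced even if process-creation telemetry is missing.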
Monitoring PureCryptor Malware Campaign
Menlo Security believes that the threat actor behind the PureCryptor campaign is not a major one, but its activity is worth monitoring because it targets government entities. The attacker will likely keep using compromised infrastructure for as long as possible before being forced to find new hosts.
The PureCryptor malware campaign has targeted government entities with a variety of information stealers and ransomware strains. It uses Discord to host the initial payload and compromised infrastructure of a non-profit organization to store additional hosts.
The AgentTesla malware family remains in use by cybercriminals because it is cost-effective and a highly capable backdoor.
Menlo Security researchers recommend monitoring the PureCryptor campaign and being vigilant against future attacks.