
PureCryptor Malware Targets Government Entities: InfoStealer and Ransomware

John Greenwood Posted On February 27, 2023

A recently discovered PureCryptor malware campaign is targeting government entities in the Asia-Pacific (APAC) and North America regions, delivering multiple information stealers and ransomware strains.

Menlo Security researchers found that the campaign used Discord to host the initial payload and a compromised non-profit organization's server to host the additional payloads used in the attack.

Attack Chain of PureCryptor Malware

The attack starts with an email containing a Discord app URL that points to a PureCryptor malware sample inside a password-protected ZIP archive; the password keeps mail gateways and antivirus scanners from inspecting the executable inside. PureCryptor is a .NET-based malware downloader that was first seen in March 2021. Its operator rents it to other cybercriminals, who use it to distribute various types of malware.

Attack Chain of PureCryptor Malware (source: Menlo Security)

When executed, PureCryptor retrieves the next-stage payload from its command-and-control (C2) server, which in this case is the compromised server of a non-profit organization.
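As an added example (not code from the article or from Menlo Security), the following Python sketches the two checks a mail gateway or sandbox can run against this delivery chain: is the emailed link a Discord attachment URL pointing at an archive, and is the downloaded archive password-protected with an executable inside? The Discord CDN hostnames and URL layout, the extension lists, and the sample link and archives are assumptions constructed for the example; the flag-bit check itself is standard ZIP format behaviour.

```python
import io
import posixpath
import struct
import zipfile
from urllib.parse import urlparse

# Hostnames Discord serves user uploads from. Assumption for this example; the
# article only says the email carried a "Discord app URL".
DISCORD_ATTACHMENT_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".iso", ".img"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1"}


def triage_url(url):
    """Return the reasons an emailed link matches the delivery pattern (empty if none)."""
    reasons = []
    parsed = urlparse(url)
    path = parsed.path.lower()
    if parsed.hostname in DISCORD_ATTACHMENT_HOSTS and path.startswith("/attachments/"):
        reasons.append("file hosted as a Discord attachment")
    ext = posixpath.splitext(path)[1]
    if ext in ARCHIVE_EXTENSIONS:
        reasons.append("link points to an archive (%s)" % ext)
    return reasons


def triage_zip(data):
    """Inspect a downloaded ZIP without extracting it: encrypted entries and executables."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    reasons = []
    for info in infos:
        # Bit 0 of the general-purpose flag marks a password-protected entry. Its
        # contents cannot be scanned, which is exactly why attackers use it.
        if info.flag_bits & 0x1:
            reasons.append("%s: password-protected entry, content not scannable" % info.filename)
        if posixpath.splitext(info.filename.lower())[1] in EXECUTABLE_EXTENSIONS:
            reasons.append("%s: executable inside archive" % info.filename)
    return reasons


def triage(url, data):
    """Combined verdict for a link and the file it delivered."""
    return triage_url(url) + triage_zip(data)


def build_sample_zip(member, payload, password_protected):
    """Constructed test archive. The stdlib cannot write encrypted ZIPs, so for the
    password-protected sample we only set flag bit 0 in the local and central headers;
    the payload bytes themselves stay in the clear."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    if password_protected:
        # Flags sit at offset 6 of the local file header and offset 8 of the central
        # directory header (after the signature and version fields).
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            (flags,) = struct.unpack_from("<H", data, pos + flag_offset)
            struct.pack_into("<H", data, pos + flag_offset, flags | 0x1)
    return bytes(data)


# Constructed samples, not indicators from the report.
SAMPLE_URL = "https://cdn.discordapp.com/attachments/1000000001/1000000002/invoice.zip"
SAMPLE_ZIP = build_sample_zip("invoice.exe", b"MZ\x90\x00" + b"\x00" * 60, password_protected=True)
BENIGN_ZIP = build_sample_zip("notes.txt", b"quarterly numbers", password_protected=False)

if __name__ == "__main__":
    for reason in triage(SAMPLE_URL, SAMPLE_ZIP):
        print("flag:", reason)
```

Neither check needs the archive password: the encryption flag and the member names live in the unencrypted central directory, so a gateway can refuse or quarantine an encrypted archive carrying an .exe before anyone types the password from the email body.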

Menlo Security researchers analyzed the sample and found that it delivered AgentTesla, a .NET malware family that cybercriminals have used for roughly the last eight years. When launched, AgentTesla connects to a Pakistan-based FTP server, to which it uploads the stolen data.

The researchers discovered that the threat actors used leaked credentials to take control of that FTP server rather than standing up their own, reducing the risk of identification and minimizing the traces they leave behind.

AgentTesla: The .NET Malware Family Still in Use

Despite its age, AgentTesla remains a cost-effective and highly capable stealer and backdoor that has received continual development and improvement over the years.

Cofense Intelligence reported that AgentTesla's keylogging activity accounted for roughly one-third of all keylogger reports in 2022.

AgentTesla's capabilities include logging the victim's keystrokes to capture sensitive information, stealing passwords saved in web browsers, email clients and FTP clients, capturing screenshots of the desktop, intercepting data copied to the clipboard, and exfiltrating the stolen data to the C2 over FTP or SMTP.

AgentTesla’s Capabilities and Stealth Tactics

In the attacks examined by Menlo Labs, the threat actors used process hollowing to inject the AgentTesla payload into a legitimate process, cvtres.exe, to evade detection by antivirus tools. cvtres.exe is the .NET Framework's resource-file-to-COFF converter, normally invoked by the C# and Visual Basic compilers during a build; because hollowing leaves the legitimate image on disk untouched, the hollowed process has to be caught by its behaviour (an unusual parent process, or any network activity at all) rather than by its file hash.
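Added example (not from the article or from Menlo Security): a small Python detector over Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records. It flags cvtres.exe whenever its parent is not a build tool, and any network connection made by cvtres.exe, with extra weight on the FTP and SMTP ports AgentTesla uses for exfiltration. The allowlist of parent processes, the event field names and the sample events are assumptions constructed for the example, not telemetry from the report.

```python
import ntpath

# Parents that legitimately spawn cvtres.exe (.NET's resource-to-COFF converter)
# during a build. Assumption: a starting allowlist for this example, not Menlo's list.
BUILD_PARENTS = {"csc.exe", "vbc.exe", "msbuild.exe", "link.exe", "devenv.exe"}

# Ports AgentTesla-style exfiltration uses (FTP and SMTP, as the article notes).
EXFIL_PORTS = {21: "FTP", 25: "SMTP", 465: "SMTPS", 587: "SMTP submission"}


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def detect_hollowed_cvtres(events):
    """Scan Sysmon-like events and return alerts for suspicious cvtres.exe activity.

    Process hollowing leaves the legitimate image path (and file hash) in place, so a
    hash allowlist sees nothing wrong. Behaviour gives it away instead: cvtres.exe is
    only ever spawned by a compiler and never needs the network.
    """
    alerts = []
    suspicious_pids = set()
    for ev in events:
        if image_name(ev.get("Image", "")) != "cvtres.exe":
            continue
        pid = ev.get("ProcessId")
        if ev.get("EventID") == 1:  # ProcessCreate
            parent = ev.get("ParentImage", "")
            if image_name(parent) not in BUILD_PARENTS:
                suspicious_pids.add(pid)
                alerts.append({
                    "pid": pid,
                    "severity": "medium",
                    "rule": "cvtres.exe started by non-build parent %s" % parent,
                })
        elif ev.get("EventID") == 3:  # NetworkConnect
            port = int(ev.get("DestinationPort", 0))
            rule = "cvtres.exe opened a network connection to %s:%d" % (
                ev.get("DestinationIp", "?"), port)
            # A hollowed cvtres.exe that was also launched oddly is the strongest signal.
            severity = "high" if pid in suspicious_pids else "medium"
            if port in EXFIL_PORTS:
                rule += " (%s, possible credential exfiltration)" % EXFIL_PORTS[port]
                severity = "high"
            alerts.append({"pid": pid, "severity": severity, "rule": rule})
    return alerts


# Constructed sample events in Sysmon's field names; not telemetry from the report.
# 203.0.113.45 and 198.51.100.9 are documentation addresses.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "ParentImage": r"C:\Users\jdoe\AppData\Roaming\invoice.exe"},
    {"EventID": 3, "ProcessId": 4120,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 21},
    # A real build: csc.exe invoking cvtres.exe, with no network activity afterwards.
    {"EventID": 1, "ProcessId": 5200,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"},
    {"EventID": 3, "ProcessId": 6000,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.9", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in detect_hollowed_cvtres(SAMPLE_EVENTS):
        print(alert["severity"], alert["rule"])
```

On the sample, the build-tool launch produces nothing and the hollowed instance produces two alerts: a medium one for the odd parent under the user's AppData directory, and a high one when the same process opens an FTP connection. The same logic ports directly to a Sigma rule or an EDR query; the parent allowlist is the part that needs tuning per environment.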

Furthermore, AgentTesla XOR-encrypts its communications with the C2 server and its configuration to hide them from network traffic monitoring tools. XOR is a weak cipher, though: an analyst who can guess a fragment of the plaintext (a URL scheme, a field name) can recover the key and decode the rest.
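Added example (not from the article or from Menlo Security's analysis): a Python crib-dragging routine that recovers a repeating XOR key from a captured blob when a fragment of the plaintext can be guessed, then decodes the rest. The article does not give AgentTesla's key length or configuration layout, so the sample config, the key and the crib ("ftp://", the scheme of the exfiltration server) are constructed assumptions; the method works for any repeating-key XOR whose key is no longer than the crib.

```python
import string

TEXT_BYTES = frozenset(string.printable.encode("ascii"))


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_text(data):
    """Plausibility check for a candidate decryption: every byte is printable ASCII."""
    return len(data) > 0 and all(b in TEXT_BYTES for b in data)


def recover_key(ciphertext, crib, max_key_len=16):
    """Slide the crib across the ciphertext and, for each candidate key length, derive
    the key bytes the crib implies. A candidate is accepted when the crib's bytes agree
    on every key slot they share and the full decryption is plausible text.
    The crib must be at least as long as the key so that every key byte is covered.
    Returns (key, crib_offset), or None if no candidate survives."""
    for key_len in range(1, min(max_key_len, len(crib)) + 1):
        for offset in range(len(ciphertext) - len(crib) + 1):
            key = [None] * key_len
            consistent = True
            for j, plain in enumerate(crib):
                implied = ciphertext[offset + j] ^ plain
                slot = (offset + j) % key_len
                if key[slot] is None:
                    key[slot] = implied
                elif key[slot] != implied:
                    consistent = False  # two crib bytes disagree on this key byte
                    break
            if not consistent:
                continue
            candidate = bytes(key)
            if looks_like_text(xor_bytes(ciphertext, candidate)):
                return candidate, offset
    return None


def decode_config(blob, crib=b"ftp://"):
    """Recover the key with the crib and return (key, decoded text), or None."""
    found = recover_key(blob, crib)
    if found is None:
        return None
    key, _ = found
    return key, xor_bytes(blob, key).decode("ascii")


# Constructed sample: a made-up stealer config, a made-up key, and the resulting blob.
# 203.0.113.7 is a documentation address, not an indicator from the report.
SAMPLE_CONFIG = b"type=ftp;host=ftp://203.0.113.7;user=upload;pass=Sp00ler!;interval=20"
SAMPLE_KEY = b"Ag3nT"
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    key, text = decode_config(SAMPLE_BLOB)
    print("key:", key)
    print("config:", text)
```

The search tries short keys first and rejects a candidate as soon as two crib bytes land on the same key slot with different values, so a 6-byte crib against a 5-byte key pins down the whole key at the first offset where the crib really sits. The same routine, pointed at a captured C2 message with a crib such as a known field name, recovers the session key the stealer used for that exchange.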

Monitoring PureCryptor Malware Campaign

Menlo Security assesses that the threat actor behind the PureCrypter campaign is not a major one, but its targeting of government entities makes its activity worth monitoring. The attacker will likely keep using compromised infrastructure for as long as possible before being forced to find new hosts.

The PureCryptor malware campaign has targeted government entities with a variety of information stealers and ransomware strains. It uses Discord to host the initial payload and the compromised infrastructure of a non-profit organization to host the later-stage payloads.

The AgentTesla malware family remains in use by cybercriminals because it is cheap and highly capable.

Menlo Security researchers recommend monitoring the PureCryptor campaign and being vigilant against future attacks.
